California Privacy Law in advertising
- California Privacy Law main points
- Who does the California Privacy Law 2020 affect?
- California Privacy Law: impact on digital advertising
- How OnAudience.com products and services comply with data privacy regulations
- Anonymizing all collected data
- CCPA vs. GDPR: main differences
California Privacy Law will take effect on Jan. 1, 2020, but what do we know about it so far? Is it the same as GDPR, but in California? Not exactly. Let’s take a closer look at the new American data privacy regulations and check the steps that OnAudience.com took to comply with privacy regulations.
California Privacy Law main points
California Privacy Law, or officially The California Consumer Privacy Act (CCPA) aims to protect a consumer’s personal information. The bill gives users more control regarding their personal data the companies collect. Also, more knowledge about what part of it is selling or sharing with third parties. CCPA works among the California residents only, although certain US states are taking similar actions in data privacy direction to follow the Golden State.
California Legislative Information defines “personal information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household, information such as:
• identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
• commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
• biometric information
• Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement
• geolocation data
• professional or employment-related information
• user’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
Note that ““personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Additionally, the interpretation of what exactly constitutes personal information is flexible and mostly depends on a context, which is the ability to identify particular persons or, in the case of the California Privacy Law - households.
Simply speaking, any data that can help companies identify a person - with or without any AI technique or just have the information encoded, will be under protection now. CCPA provides consumers with a number of solutions that enable the protection of their rights. For instance, businesses that are subject to the CPPA have to add a clear and conspicuous “Do Not Sell My Data” button on their homepage. So the companies must be ready to stop selling data on user demand, any time.
If the company intentionally breaks the privacy rules, it may be charged up to $7,500 for each intentional abuse. So the final fine calculation doesn’t depend on the company revenue, but on the number of affected records by the violation.
Who does the California Privacy Law 2020 affect?
Fortunately for the small organizations or young startups, the law relates mostly to the big organizations that offer data-oriented services. California Privacy Law anticipates 3 thresholds for the companies to be included in the list of those who are obligated to conform to new privacy regulations. Those are the companies that do business in California or have customers/potential customers in California. The criteria are:
• gross annual revenue of the company is more than $25 million
• the organization receives, shares, or sells personal information of more than 50,000 individuals
• the company earns 50% or more of its annual revenue from selling personal information of California residents
California Privacy Law: impact on digital advertising
The CCPA provides for an “opt-out” data processing model, so as long as a user doesn’t use the “Do not sell my Data” button, it’s all fine for the digital advertising market. The users also have the right to obtain information regarding data processing and sharing - just like under GDPR regulations.
In order to be able to deliver such set of information, the companies must have their system prepared for respective data filtering. The possibility of extracting particular information upon request can also bring benefits to their integrated systems. For example, to improve segmentation rules or to implement more advanced search.
Users’ withdrawal of sharing their own data makes impossible profiling within data provider or pushing forward received data to the third parties. The users' preferences, current interests, geolocation, mentioned in the law could be treated as a personal information but the final shape of California Privacy Law and what will be considered as the personal data is not clear yet. In fact, the ad tech firms proposed their corrections into the bill to keep the users’ privacy and be able to perform targeting online campaigns.
How OnAudience.com products and services comply with data privacy regulations
OnAudience.com is one of the world’s biggest data providers, and users’ privacy is a matter of strategic importance for us. That is why we implemented strict internal procedures to guarantee that stored information is safe, so that we comply with data privacy regulations. More than a year ago we took a number of steps to comply with the GDPR - privacy regulations that came into force in EU. California Privacy Law also focuses on online privacy and takes care of users’ data. What’s important, both regulations are related to personal information, which leads OnAudience.com to do not collect or store any personal data. We store and process anonymous, deidentified information only, which are not the subject of the CCPA. Let’s take a look at the steps that we took to comply with the GDPR and see what we do to make all the stored data deidentified.
1. Analysis of interior processes - we took a look at processes that could be affected by new regulations and we made sure that are conducted in compliance with the privacy law.
2. Changes in interior processes - we implemented necessary changes in our internal process where it was needed to comply with the new rules.
3. Legal analysis of our products and services - the analysis confirmed that our business model, products and services comply with the new regulations.
4. Operational analysis - which verified that we are prepared for the new regulations and our company will react fast and adequate if there will be any risk of abuse of data privacy.
5. New internal procedures - aimed at protecting users’ data.
What’s more, our company joined a few market initiatives dedicated to companies that comply with the privacy rules, for example, Transparency & Consent Framework by IAB Europe.
Anonymizing all collected data
As we mentioned, both GDPR and CCPA are focused on personal data. OnAudience.com does not store personal information and automatically anonymize all the collected data to ensure that users’ privacy is guaranteed.
We use our own Data Management Platform technology to store billions of anonymous Internet users profiles. All the stored data is subjected to the anonymization process.
Moreover, to fulfill data privacy regulations, we pay close attention to types of data we gather from our partners (publishers, media buyers, media sellers, etc.). It is highly important for us to cooperate only with publishers and companies that obey data privacy regulations.
CCPA vs. GDPR: main differences
Comparing California Privacy Law and General Data Protection Regulation, Baker and Hostetler listed the differences between both laws. The main ones are the following:
- GDPR has a broader scope and geographical reach than CCPA. Although both laws have extraterritorial effects that businesses located outside the default geographical jurisdiction must consider,
- both laws focus on information that relates to an identifiable natural person, however the definitions of personal information are different: the CCPA’s definition also includes information linked at the household or device level,
- according to CCPA, companies must satisfy a consumer’s request to opt-out the sale of personal data to third parties. Must include a “Do Not Sell My Personal Information” link in a visible place on a website homepage. The GDPR does not include a specific right to opt-out of personal information sale, however, it includes a general processing opt-out right that will lead to a similar result.
For more information, visit the report available on bakerlaw.com.
As the different sources predict different future case scenarios, it’s not clear yet how the biggest companies are going to react when the California Privacy Law will take effect. eMarketer's report from July says that 8% of companies only are ready to be checked on the CCPA requirements. 58% will not be ready by the deadline, including 11% who are currently not doing anything about it.
Most likely, it’s going to be similar to the GDPR situation from the past year - we will see the effects after the law is fully introduced. At this moment, the companies which have got implemented strict internal procedures, do protect users' privacy and do not store personal data should comply with the new law.