“It will be those first enforcement actions that give us an eye to what this law really looks like.”
– Jessica Lee, Attorney, Loeb and Loeb
Did you know that, according to a poll conducted by the International Association of Privacy Professionals (IAPP), 55% of US privacy professionals planned to be CCPA-compliant before January 2020?
Even though data privacy laws have been gaining momentum since GDPR in 2018, surprisingly many publishers still need a better understanding of the upcoming privacy laws. This article aims to clarify one such law, the California Consumer Privacy Act (CCPA), which is going to take effect in less than a week.
Table of Contents
- What is the California Consumer Privacy Act (CCPA)?
- But, does that mean CCPA will only be applied to Businesses in California?
- Will CCPA Impact Your Publishing Business?
- Steps to make Google Analytics Comply with CCPA
- What Happens If a User Opts-out of Selling Data?
- Steps to Make Google Ad Manager Comply with CCPA
- Prebid Compliance with CCPA
- Conclusion:
What is the California Consumer Privacy Act (CCPA)?
We’ll start with the basics. CCPA is a comprehensive privacy law that enables California residents to compel companies to tell them what personal information has been collected and sold about them.
Although the law was passed in June 2018, it goes into effect in January 2020 and gives consumers the authority to have their data deleted or to forbid companies from sharing it with third parties.
CCPA grants the following rights to California residents:
- Right to access information – A resident can ask the companies about the categories of his/her information that has been collected and sold, with whom the information has been shared or sold, and why they have done so.
- Right to data deletion – If a company has collected the personal information of a consumer, then the person can request the company to delete all such data.
- Right to opt-out – With this right, the consumer can ask the company not to sell the information/data it has collected by any means. A business has to wait 12 months before asking the consumer to opt back in.
- Right to equal price and service – If a resident exercises CCPA rights, a business cannot discriminate against the person in any way and should provide the goods and services for the same price/quality.
So, what do we mean by “information” here?
- Biometrics,
- Internet browsing information,
- Products purchased or considered for purchase,
- Geolocation data,
- Employment and academic data, and
- Other inferences that are drawn to create a profile of California individuals.
But, does that mean CCPA will only be applied to Businesses in California?
It is apparent that the data privacy law applies to California residents. But the catch is that CCPA also applies to out-of-state companies (and publishers) who sell to Californians. Even if you run a business in another state, if your website is displayed in California, CCPA applies to you as well. The law applies to business entities that fall under any of the following three categories:
- Companies with more than $25 million annual gross revenue,
- Companies that collect/process data on more than 50,000 consumers per year, and
- Companies that derive 50% of the revenue by selling consumers’ data.
Sidenote: If you’re a publisher with annual gross revenue of less than $25M but your site has 134 daily visitors, you still meet the eligibility criteria, so you’re likely to be affected by CCPA.
So, what happens when a company violates the privacy law? Although you get 45 days to respond to a CCPA “Data Subject Request”, if it is not taken care of, an individual can sue you for at least $100, and for intentional violations you may have to pay up to $7,500.
Sounds similar to GDPR? It is. Although the motive of both data privacy laws is the same, they have a few differences.
- While GDPR affects companies that collect/store data from European citizens, CCPA affects companies that buy, share, or sell the data from California residents.
- Moreover, GDPR is an opt-in law whereas CCPA is an opt-out law. As per CCPA, a business entity must provide a “Do Not Sell My Personal Information” option to the consumers and consumers can opt-out from third-party information sharing.
- According to CCPA, for a child under 13 browsing a website, a company must obtain parental consent before collecting their child’s data. Whereas GDPR requires parental consent for children under age 16.
Besides the above-mentioned key differences, there are a few minor variations in the way GDPR and CCPA offer transparency to digital consumers.
Will CCPA Impact Your Publishing Business?
Yes. If you’re a publisher with annual revenue of more than $25 million or have 50,000 users/year from California, then you must ensure that you are complying with the privacy law. Also, the penalty may increase in terms of legal and other fees if you take the ‘wait and see’ approach.
With all that in mind, having a CCPA-compliance management system in place is necessary and can make it easy for you to store and manage the visitors’ data.
How Can Publishers Prepare for CCPA Regulations?
Publishers of all sizes must act now to safeguard their business from any undesired consequences. To maintain CCPA compliance, a publisher needs to:
- Understand the data collection practices: When publishers understand how data is processed by various platforms (Google Analytics, AdSense, or Ad Manager) or any other third-party company, it becomes easier to inform the online consumer about their collected personal information and give them an option to opt-out. You can use Consent Management Platforms to do so.
- Embrace the CCPA compliance solutions: To enable the digital publishers to comply with the data privacy law, these days various solutions are being created. Also, IAB has released a framework for publishers to help them comply with CCPA. These frameworks and solutions help publishers to explain their data practices to the consumers and ensure that their personal information will not be used for ad targeting purposes (provided the users opt-out).
- Explore new revenue opportunities: To follow the CCPA regulations, publishers have reduced their reliance on the audience’s data and started exploring alternatives such as native advertising or contextual advertising.
But these points are theoretical. In practice, what matters for a publishing company is how to make its main revenue generation tools (i.e., Analytics, Ad Manager, header bidding wrapper) compliant with CCPA. So, here we summarize the Google Analytics and Ad Manager data practices that protect consumers’ data.
Since Analytics collects consumers’ data anonymously via first-party browser cookies, the first step is to understand what data the tool has aggregated and sent to Google. Since you have a choice regarding the personal information Google collects, update your privacy controls in Analytics.
Steps to make Google Analytics Comply with CCPA
As you might be aware, Analytics uses a JavaScript tag (gtag.js, analytics.js, or ga.js) to store first-party browser cookies (via User-ID and Client-ID). These are the cookies that identify users’ behavior across browsing sessions. So, the first step is to:
#1. Understand what kind of information Analytics is collecting via cookies and delete if there is any PII. To do that, you can ask the visitors to check their GA cookies in the browsers’ settings. A GA cookie looks like the below:
The number following “GA” is the Client ID. Collect the Client IDs for all GA cookies and use Google’s User Explorer tool to aggregate the users’ data. Once you pull out the data via reports and find any data related to consumers’ PII, you can delete the user from the report by clicking on the Client ID but it could take up to 72 hours.
Also, user data can only be deleted if you have the Edit permission from the admin.
#2. Update and publish a Privacy Policy. Also, ensure that the Privacy Policy is directly accessible to your visitors. For example, you can add a footer link named “Privacy Policy” and assure readers that their PII will not be used for selling or advertising purposes.
#3. Also, give the website visitors the ability to opt out. Suggest the Google Analytics Opt-out Browser Add-on to your readers. This automatically prevents Analytics from collecting or sharing information about their visit activity.
What Happens If a User Opts-out of Selling Data?
As we have mentioned before, CCPA is an opt-out law, which implies that if the user doesn’t opt out of the sale of their data, you can collect, share and sell the data legally. Now, the question is: what happens if the user opts out of data selling? Do you have to stop tracking them?
The answer to these questions depends on the way you define and understand what “data selling” means. As per Section 1798.140(t)(1) of the CCPA, “selling” or “sale” means renting, releasing, disclosing, or transferring users’ data to another business for monetary or other valuable consideration.
Hence, if you aren’t making money in exchange for selling PII (that is usually an anonymous ID or IP address), you can continue using Analytics without worrying about policy violations.
Steps to Make Google Ad Manager Comply with CCPA
Did you know that Google, by default, doesn’t limit how users’ data is processed? So that means, a publisher must ensure that the ad server is following the privacy regulations. However, with the CCPA coming into effect from 1st January, Google Ad Manager has enabled publishers to restrict data processing via two methods:
Method #1: Making Changes in the Google Ad Manager Account Set-up.
To comply with CCPA, Google Ad Manager updated the interface a few days back and now it enables the publishers to define whether to restrict the data processing or not. Follow the steps given below to make the changes in your account:
- Go to the Ad Manager home page, and then Admin > CCPA settings.
- Select Restrict data processing if you want to stop users’ data processing.
Method #2: Making Changes in the Google Publisher Ad Tags.
As you can see, Method #1 stops GAM from serving interest-based ads to all users from California, so every one of them receives non-personalized ads. What if you only want to serve non-personalized ads to those who opted out under CCPA?
Then, you can do so by instructing the ad server on a per request basis.
To make the ad server operate in the restricted data processing mode via GPT, the publisher has to pass the following snippet:
googletag.pubads().setPrivacySettings({
  'restrictDataProcessing': true
});
Here’s an example of a GPT tag that makes a non-personalized ad request and is compliant with CCPA:
<script async src="https://securepubads.g.doubleclick.net/tag/js/gpt.js"></script>
<div id="gpt-passback">
  <script>
    window.googletag = window.googletag || {cmd: []};
    googletag.cmd.push(function() {
      // Request non-personalized ads for this page view.
      googletag.pubads().setRequestNonPersonalizedAds(1);
      // Define the ad slot and attach it to the pubads service.
      googletag
        .defineSlot('/123/sports', [300, 250], 'gpt-passback')
        .addService(googletag.pubads());
      // Turn on restricted data processing for the ad request.
      googletag.pubads().setPrivacySettings({
        'restrictDataProcessing': true
      });
      googletag.pubads().set('page_url', 'mydomain.com/mypage.html');
      googletag.enableServices();
      googletag.display('gpt-passback');
    });
  </script>
</div>
Prebid Compliance with CCPA
To support data privacy laws, Prebid introduced a new module – Consent Management. However, to utilize the module, a Consent Management Platform (CMP) has to be integrated into the site. Also, a publisher has to upgrade the Prebid library to 2.43.0 to comply with the data privacy laws.
The CMP will provide you with code that you need to place before the Prebid.js code in the header part of the page. This ensures that the CMP framework is loaded before the Prebid code executes.
Once the CMP implementation is done, you can include the Consent Module and a consentManagement object in the setConfig() call.
An example from Prebid:
pbjs.setConfig({
  consentManagement: {
    gdpr: {
      cmpApi: 'iab',
      allowAuctionWithoutConsent: false, // suppress auctions if there's no GDPR consent string
      timeout: 3000 // GDPR timeout 3000ms
    },
    usp: {
      timeout: 100 // US Privacy timeout 100ms
    }
  }
});
The CMP will fetch the encoded string that represents the users’ choices and pass it to adapters (demand partners). Note that not all adapters support it yet, so you may have to ensure your demand partners are updating their adapters to support the US privacy string.
Online privacy laws are one of the rising concerns for publishers. If you’re curious to know more about how you can deal with different upcoming and existing privacy laws, we have made a guide for you!
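The per-request approach from Method #2 and the US privacy string described above can be tied together. The following is an added example, not code from Google, Prebid or this article: it parses the four-character IAB US Privacy string returned by the CMP's `__uspapi` and turns on `restrictDataProcessing` only when needed. The function names and the fail-closed policy (restrict when the string is missing, malformed, or notice was not given) are assumptions of the example.

```javascript
// Added example (not from Google, Prebid or the article).
// IAB US Privacy string v1: 4 chars = version, notice given, opt-out of sale, LSPA.
// Each flag is Y, N or '-' (not applicable), e.g. "1YNN", "1YYN", "1---".
const USP_PATTERN = /^1[YyNn-]{3}$/;

function parseUsPrivacy(uspString) {
  if (typeof uspString !== 'string' || !USP_PATTERN.test(uspString)) return null;
  const [version, noticeGiven, optOutSale, lspaCovered] = uspString.toUpperCase();
  return { version: Number(version), noticeGiven, optOutSale, lspaCovered };
}

// Policy assumed by this example: fail closed.
function shouldRestrictDataProcessing(uspString) {
  const usp = parseUsPrivacy(uspString);
  if (usp === null) return true;            // missing or malformed string
  if (usp.optOutSale === 'Y') return true;  // user opted out of sale
  if (usp.optOutSale === '-' && usp.noticeGiven === '-') return false; // CCPA not applicable
  return usp.noticeGiven !== 'Y';           // no notice shown: treat as restricted
}

// Queue the per-request setting on GPT; returns the decision for logging/testing.
function applyRestriction(googletag, uspString) {
  const restrict = shouldRestrictDataProcessing(uspString);
  googletag.cmd.push(function () {
    googletag.pubads().setPrivacySettings({ restrictDataProcessing: restrict });
  });
  return restrict;
}

// Browser wiring: ask the CMP for the string; with no CMP present, restrict.
if (typeof window !== 'undefined') {
  window.googletag = window.googletag || { cmd: [] };
  if (typeof window.__uspapi === 'function') {
    window.__uspapi('getUSPData', 1, function (data, ok) {
      applyRestriction(window.googletag, ok && data ? data.uspString : null);
    });
  } else {
    applyRestriction(window.googletag, null);
  }
}
```

Because `__uspapi` answers asynchronously, hold the first ad request until the callback has run; otherwise the setting arrives after the request it was meant to govern.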
Conclusion:
As there are just a few days remaining in 2020, publishers must prepare themselves for the CCPA, assess their data, and embrace compliance solutions. It is important to take responsibility for consumers’ information while generating revenue. Recently, IAB has released version 1.0 of the CCPA compliance framework for publishers. However, if you’re still confused about CCPA and figuring out how to proceed with it, get in touch with us today.