As a publisher, you probably rely on targeted ads to attract traffic and boost the visibility of an advertiser’s message. But for this strategy to work, you often need to collect user data and find out what your target audience likes.
With more publishers and advertisers collecting personal information, concern about data security has increased. User data that ends up in the wrong hands may be used to hack personal devices and accounts. Such data may also pose a security threat, for example when a user’s address ends up in the possession of bad actors.
To respond to these risks, CCPA was introduced. CCPA is a data security framework that stipulates how advertisers, publishers, and other for-profit companies should handle user data. But what’s this new law, and how does it apply to ad publishers?
What is CCPA?
The California Consumer Privacy Act (CCPA) is a new piece of legislation aimed at protecting consumer information. At its core, the law gives consumers in California a right to know how their data is being used. It also stipulates guidelines that control how California businesses handle such data.
For many years, companies have been collecting user data behind the scenes, without informing their customers how this information is being used. CCPA was introduced to increase the level of transparency that surrounds user data. Businesses will be required to disclose what information they’re collecting from California-based consumers and how such data will be used/shared.
There are glaring similarities and differences between CCPA and GDPR. While both apply to consumer data protection, CCPA follows a more specific approach to governing personal information. For example, CCPA regulations apply to any piece of data that can identify, relate to, describe, or associate with a person, household, or device.
This means that CCPA covers both persons and households within the same law. For example, all persons living in a particular home (and using the same device) will be protected by the CCPA legislation. On the other hand, GDPR mostly covers personal data that can be tied back to a specific person (or entity) within the EU.
How CCPA affects publishers
CCPA will affect publishers in 3 main ways:
1. Data Collection and Usage
Publishers regularly collect data from their users to track ad performance. For example, if you monitor how your website visitors interact with ads, you may be using personal information as defined by the CCPA. Activities such as gathering device data, household data, addresses, and other similar information will put publishers under the spotlight when CCPA comes into effect in 2020.
When CCPA comes into effect, publishers will have to reveal the type of data being collected, how it’s being used, and how it’s being stored. And upon request by a consumer, you’ll have to provide this information in a portable and easily usable format. The request must be carried out within 45 days, but you’ll only have to fulfill two requests from the same customer within 12 months.
Publishers must also be aware that any collected data should only be used for the purpose that was specified.
2. Opting Out
As a publisher, be prepared to give consumers an opt-out option for the data you collect. When it comes to opting out, CCPA has important differences from GDPR. GDPR doesn’t have a specific opt-out framework that gives consumers the option to withdraw consent from their data being collected. However, businesses are required to fully disclose their data collection and usage framework as it pertains to consumer information.
Under CCPA, there’s an entire section dedicated to opting out. Consumers should be allowed to withdraw consent from having their data collected, used, sold, or stored. And if consent is withdrawn, publishers can’t make any further requests until after 12 months.
3. Offering Financial Incentives For Disclosing Data
Publishers should also be aware of what CCPA specifies in terms of financial incentives. While the advertiser provides a particular product/service, publishers may also be directly involved in promoting specific discounts.
According to the new CCPA law, publishers can’t deny a customer the purchase of goods/services after they (the customer) refuse to disclose personal information; however, consumers exercising their right to privacy may be charged a different price based on the value that such data might provide.
If you’re offering a financial incentive to consumers who share their data, the incentive must be “reasonably related” to the value of your advertised product/service. You can’t simply offer a different price to a consumer just because they opted out.
How Publishers Can Remain Compliant
The million-dollar question that publishers ask is how they can remain compliant in this new data environment. When it comes to collecting and using personal information, publishers will need to implement more robust processes for keeping track of data use. Consider using a system that can keep logs of all collected data. The system should also categorize, export, and share consumer data upon request.
Furthermore, publishers should be capable of providing evidence when deleting consumer data or fulfilling an opt-out request. On your website, be prepared to provide clear information to users regarding how their data will be collected. Similar to how other websites comply with GDPR by providing a disclaimer, you may need to craft microcopy (or messaging) that discloses such information.
The California Consumer Privacy Act (CCPA) will affect many different entities upon its introduction in 2020. As a publisher, you can expect to adjust how you collect, use, categorize, and store data (especially pertaining to targeted ads).
You should also be prepared to share your data collection procedures so that customers thinking of opting out will have the information necessary to make a decision. And if you’re involved in pricing, any financial incentives offered to buyers must be reasonably tied to the data being collected.
About the Author
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.