Marketers and publishers are less than three months away from dealing with a new law that could have the largest impact on digital advertising since the introduction of the iPhone.
The California Consumer Privacy Act, or CCPA, takes effect Jan. 1, bringing a host of new regulations to the nation’s largest state that will significantly restrict how brands collect and manage the consumer data that has fueled digital advertising for years.
The law, for instance, will require an “opt out” button on every page of every website, allowing consumers to easily tell companies they do not want any of their data to be collected or sold.
Consumers can also tell tech companies, publishers or brands to delete their data. People may also opt out from a company’s terms of service without losing access to its offerings.
Companies are also barred from selling data on anyone under the age of 16 without explicit consent. Industry players could face even stricter rules as a result of a new proposal that could be headed for the November 2020 ballot.
California’s attorney general won’t enforce CCPA until July, but can punish those found to have violated the law at any point after Jan. 1.
The law applies to any business in California that generates at least $25 million in revenue. Companies that make 50 percent of their revenue from buying, selling or gathering consumer data from at least 50,000 California residents are also included. (Blazon Editor’s note: you must be a business AND meet any one of the other 3 thresholds in order for CCPA to apply – 1) $25M in global revenue, 2) 50% of your revenue comes form the sale of data, or 3) you maintain more than 50,000 CA resident files.)
Lawmakers in other states are pursuing similar legislation—Nevada’s law already took effect on Oct. 1. But CCPA stands out due to the Golden State’s sheer size, as well as how it’s influencing other states to adopt similar privacy frameworks.
“California is the largest state in the country; 40 million people live there,” says Eric Shih, global senior VP of business development at Teads, which works with publishers in filling video ads. “It has the biggest economic impact. Most of the large tech providers are based in California, so there is significant influence.”
California’s privacy law comes into play following previous scandals such as Cambridge Analytica or targeting that many consumer advocates feel is borderline creepy. “I sincerely believe that the aftermath of the 2016 election, the Mueller report, Cambridge Analytica, the scandal-after-scandal involving Google and Facebook, that the general public has had enough,” says David Carroll, the associate professor at Parsons School of Design who filed a lawsuit against Cambridge Analytica to gain a better understanding of what data the company has about him. “Lawmakers detect the sentiment of the general public, and that has given them a chance to stand up to the lobbyists because they now have voter support to go hard on privacy issues.”
The problem with patchwork
As brands brace for the sweeping changes, industry trade bodies are intensifying their lobbying for a single national data privacy law to avoid a nightmare scenario of having to deal with a litany of differing state regulations. “A patchwork of laws will be very damaging to advertisers who collect and use data,” as they would have to abide by different sets of rules, says Daniel Jaffe, group VP of government relations at the Association of National Advertisers, which is lobbying alongside the Interactive Advertising Bureau. But Jaffe says passing a federal law will be “tremendously difficult because of the conflict in Washington,” including the impeachment drive and trade war with China. “All of that is taking a tremendous amount of time and bandwidth.” Jaffe, who spent 11 years working for House and Senate staffs before joining the ANA in 1985, says the only thing the trade bodies can do “is to push very hard and see what you get. I wouldn’t rule out a federal law, but it’s going to be an uphill battle.”
Fragmentation, or a patchwork of laws, he says, “is likely if I had to bet.”
Hawaii, for example, is pushing for a bill similar to CCPA, as are Massachusetts, New Jersey, Pennsylvania, Rhode Island and Washington (the last of which is said to be broader than CCPA). Even Puerto Rico is using CCPA as a framework for its own privacy law. In total, 27 states are in the early stages of setting some sort of privacy laws, and not all are similar to CCPA, according to Chris Babel, CEO of TrustArc, which consults on, and provides tools for, privacy compliance.
Nevada’s law is being closely watched since it is the first one to take effect. Unlike CCPA, where companies must meet a financial threshold in order to be found in violation, Nevada’s law applies to businesses that specifically target its residents, regardless of their revenue. It’s similar to CCPA, but the fines are significantly steeper, as the state will hit companies with a $5,000 fine for each violation. The privacy regulation endgame could well result in a scenario where brands, ad tech companies and others must comply with 52 different sets of laws—if you include Puerto Rico and Washington, D.C. That’s on top of dealing with the European Union’s Global Data Protection Regulation, which took effect in May 2018.In California, “it’s extraordinarily complex, and even chaotic at the moment,” Jaffe says. “If I’m a consumer and on Jan. 1, 2020 I demand a brand to send all its information on me, I better be able to do that.
That means companies must keep track of all the information coming in, put it in a format to provide to the consumer and make sure they are giving it to the right consumer—because there are fines” for giving it to the wrong consumer, as it would be considered a data breach. Babel makes an analogy to how the security industry has dealt with a patchwork of data breach laws. The industry was watching states one-by-one adopt their own laws for what happens when a company has a security breach. Like the ANA and IAB, security trade bodies pushed lawmakers to adopt a federal standard. “That was 10 years ago,” Babel says. “And they’re still fighting for a federal law today.”
Patchwork quilt: A look at 27 states (and Puerto Rico) with privacy laws on the books or in effect…