With the European Union passing the General Data Protection Regulation (GDPR) in 2016, and events like the consumer data misuse of Cambridge Analytica, there’s an upward trend of governments taking action to protect users’ data.
Additionally, recent Pew statistics show that roughly 6 in 10 Americans believe it is not possible to go through daily life without having their data collected, by both companies and the government.
So what happens now? Some may interpret governments creating legislation to protect consumer data privacy as reactive, especially after events like Snowden’s whistleblowing of the NSA’s surveillance practices in 2013. Others see legislation like GDPR as proactive, and an effective measure to take. With the EU leading the global stage for consumer data privacy, California has followed suit in the U.S.
In June of 2018, California passed the California Consumer Privacy Act, a sweeping regulation that created new requirements for managing consumer privacy information. Today I’m going to walk you through the complete CCPA guide with everything you need to know.
Below is a table of contents to navigate directly to certain sections of the CCPA guide:
1. What is the CCPA?
2. When does the CCPA go into effect?
3. Who must comply with the CCPA?
4. Who is exempt from the CCPA?
5. What are the CCPA amendments?
6. How is the CCPA different from GDPR?
7. CCPA privacy notice examples
8. How does the CCPA affect digital publishers?
9. How does the CCPA define “Personal” information?
10. How to be CCPA compliant while using AdSense, AdX, or third-party monetization partners
11. CCPA Penalties
Disclosure: This blog post is for educational purposes only, and is not a substitute for legal advice. If you need an analysis of your business’ CCPA compliance, seek the advice of legal counsel.
What is the CCPA?
The California Consumer Privacy Act (CCPA) was passed by the California State Legislature on June 28th, 2018. It dictates requirements for identifying, managing, securing, tracking, producing and deleting consumer privacy information.
When does the CCPA go into effect?
The original legislation called for the Act to go into effect on January 1, 2020. A later September 2018 amendment said that the Act will be in effect immediately but be enforced no earlier than January 1, 2020.
Subsequent changes have affected that timeline: California won’t enforce provisions of the Act until six months after the Attorney General adopts the implementing regulations, which puts enforcement at July 1, 2020.
The Attorney General’s guidelines are not meant to be the end-all-be-all for the CCPA. They are meant to serve as a tool to help you analyze your own legal requirements to comply with the Act.
Who must comply with the CCPA?
To put it simply, the CCPA applies if you’re a for-profit business that collects and controls California residents’ personal information or does business in the State of California.
It also applies based on thresholds. If you’re a for-profit business that collects and controls California residents’ personal information or does business in the State of California, the Act applies when you meet any one of these three requirements:
- Have annual gross revenues in excess of US$25 million; or
- Receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or
- Derive 50 percent or more of your annual revenues from selling California residents’ personal information.
Who is exempt from the CCPA?
Organizations exempt from the CCPA include:
- Small companies that do not meet any of the three requirements in the section above
- Public agencies
- Non-profit organizations
- Any information collected while conducting business that takes place outside of California
- Any entity that controls or is controlled by a covered CCPA-applicable business or shares common branding with a covered business, such as a shared name, service mark, or trademark
What are the CCPA amendments?
There are 5 general CCPA amendments that the state of California refers to as “rights”. These include:
- To know what personal information is collected about them
- To know whether and to whom their personal information is sold/disclosed, and to opt-out of its sale
- To access their personal information that has been collected
- To have a business delete their personal information
- To not be discriminated against for exercising their rights under the Act
How is the CCPA different from GDPR?
Europe’s General Data Protection Regulation (GDPR) requires consumers to opt-in for the use or sale of their personal data. These GDPR popups (shown below) have become more prominent across the web.
Google now displays the cookie notices above to users that reside in the 28 countries that make up the EU. Google commented that the change is because of its commitment to privacy transparency for its users. Additionally, Google has a detailed page of information on EU user consent policy and how they comply with GDPR in addition to applying to the cookie consent law.
Important: If you want to be GDPR compliant, you must obtain end users’ legally valid consent to:
- the collection, sharing, and use of personal data for personalization of ads.
When seeking consent you must:
- retain the records of consent given by end-users; and
- provide end-users with clear instructions on how to revoke consent.
Also, if you are a publisher that uses Ezoic, we have a GDPR Consent Management platform to help you be GDPR compliant with ease.
In contrast, the CCPA does not require consumers to opt-in for the sale or use of their personal information through the use of a pop-up notice when a visitor arrives at a site.
That being said, the CCPA requires specific privacy notices and requires that consumers be given the right to opt-out of the sale or use of their personal information. Businesses are also prohibited from discriminating against consumers in the event they exercise these opt-out rights.
Important: If you want to be CCPA compliant, you must create a privacy notice to:
- Inform consumers about what personal information categories will be collected and the intended use or purpose for each category.
- Third parties must also give consumers explicit notice and the ability to opt-out before re-selling personal information that the third party acquired.
- Allow a place for the user to request the deletion of the data collected.
- Indicate a non-discrimination clause for those users who either opt-out of data collection or choose to delete their data.
CCPA privacy notice examples
As a California resident, I have been receiving a lot of these notices in the past few days. Most of them are via email and from large companies that I buy products from online, social media applications I use, and big publishers I subscribe to.
Take my notice from Instagram this afternoon as an example. I got an in-app notification that the CCPA took effect on Jan 1st, 2020.
There is also a link that offers users the ability to exercise their “right to know” or their “right to deletion.” These privacy notices, along with the acknowledgment of and adherence to the CCPA amendments, make Instagram CCPA compliant.
CCPA email examples
Since most publishers may not have an app for their visitors, the majority of CCPA notices would probably be delivered through emails. Here are some actual CCPA email examples from businesses that have to comply with CCPA.
What these three privacy notices have in common is that they all go over a general summary of the CCPA and link to their updated privacy policies.
How does the CCPA affect digital publishers?
As a digital publisher, there are two questions you need to ask yourself regarding whether you have to comply with the CCPA:
- “Do any of the conditions in section 3 apply to me?”
- “Do any of the exemptions in section 4 apply to me?”
If the answer is no to section 3, OR yes to section 4, then you’re in luck. You don’t have to worry about complying with the CCPA.
For reference, the three threshold conditions from section 3, restated as questions to ask yourself, are:
1. Have annual gross revenues in excess of $25 million U.S. dollars
Do you earn more than this amount? Most publishers earn well under this amount.
2. Receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis
How many visitors from California come to your site per year? You can find this data in Google Analytics from clicking the tabs Audience > Geo > Location > Click on USA > Click on California. Do you receive or disclose personal information from these visitors?
Important: make sure to put your date range in Google Analytics for the entire year!
3. Derive 50 percent or more of your annual revenues from selling California residents’ personal information.
Do you earn 50% or more of your annual revenue from selling California residents’ personal info? If you are earning money through a sketchy ad network, you might be held liable if that network is cookie-ing “personal” data, or retargeting that data for malicious purposes. If you are using Google Adsense, or a Google Certified Publishing Partner like Ezoic, you aren’t selling or collecting any “personal” data.
Note: for publishers using Ezoic’s Big Data Analytics, you can see how many of your annual site visitors come from California, and you can also tie that geographic data to ad revenue, a feature that isn’t available in Google Analytics. It’s only available through Google AdX at a whopping price tag of $150,000. You can also tie revenue to category data, author metrics, UX metrics, and more.
How does the CCPA define “Personal” information?
The CCPA defines personal information in broad terms as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Examples of personal information that is covered and protected by the CCPA include:
- Name, address, phone number, email address, social security number, driver’s license number, etc. This is considered personally identifiable information.
- Biometric data, e.g. DNA or fingerprints.
- Browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Employment-related information.
- Education information, defined as information that is not publicly available.
- Inferences drawn from any of the above examples that can create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
While most publishers aren’t collecting this type of “personal” information, it’s good to know the fine print of what it includes, especially if you begin to work with third parties. There might be hidden clauses or shady practices you are agreeing to in a contract that could make you noncompliant with the CCPA and other consumer data privacy regulations like GDPR.
How to be CCPA compliant while using AdSense, AdX, or third-party monetization partners
There are many ways to monetize a website: sponsored content, affiliate revenue, and ad revenue. A lot of content-based sites that provide users relevant information for free make their money from programmatic ad revenue, most popularly through Google AdSense or AdExchange.
With the rollout of the CCPA, Google has published numerous support articles that help give publishers information on how to comply with the CCPA and other privacy regulations. There are two I have found to be the most helpful for those publishers monetizing through Google or Google’s certified publishing partners.
Helping advertisers, publishers, and partners comply with the California Consumer Privacy Act (CCPA): this article covers a general overview of the CCPA and also introduces Google’s restricted data processing to help better meet compliance needs.
How is Google’s restricted data processing used for CCPA?
Restricted data processing is defined by Google as:
Restricted data processing is intended to help advertisers, publishers, and partners meet their CCPA compliance needs. With restricted data processing, Google restricts how it uses certain unique identifiers, and other data processed in the provision of services to you, to only undertake certain business purposes.
Google lists a large number of their products and services that already operate using restricted data processing. These include Google Analytics, Ad Manager, Google Tag Manager, Google Optimize, the “360” versions of these same products, and many more. But, there are a few Google products that require action to enable restricted data processing. These include:
When restricted data processing is enabled on these products, they will operate differently than normal. For example, take this description below of how AdSense functionality works with restricted data processing.
When a publisher enables restricted data processing, Google will limit how it uses data and begin serving non-personalized ads only. Non-personalized ads are not based on a user’s past behavior. They are targeted using contextual information, including coarse (such as city-level, but not ZIP/postal code) geo-targeting based on current location, and content on the current site or app or current query terms. Google disallows all interest-based audience targeting, including demographic targeting and user list targeting when in restricted data processing mode —Google
How to implement restricted data processing for CCPA
Google gives two scenarios on how to implement restricted data processing for CCPA. They urge publishers to consider their own compliance obligations and legal analysis. If necessary, they recommend seeking the advice of legal counsel.
For publishers who do not want to display a “Do Not Sell My Personal Information” link on their properties:
- These publishers can choose to turn on restricted data processing for all of their programmatic traffic for users in California through a network control. If this option is selected, Google will use visitors’ IP addresses to determine locations and enable restricted data processing mode for any users Google can detect have a California IP address.
For publishers who choose to display a “Do Not Sell My Personal Information” link on their properties:
- These publishers can choose to send a restricted data processing signal on a per-request basis once a visitor has opted out of the sale of their personal information.
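As an added example (not code from this post or from Google), here is how a publisher taking the second route could record a visitor’s opt-out in a first-party cookie and pass the restricted data processing signal on every Google Publisher Tag ad request. It assumes ads are served through Google Publisher Tag (Ad Manager); the cookie name “ccpa_opt_out” and the helper names are my own, while googletag.pubads().setPrivacySettings() is the real GPT call.

```javascript
// Added example (not code from the page or from Google) for the per-request
// restricted data processing (RDP) signal. Assumes Google Publisher Tag and an
// opt-out kept in a first-party cookie named "ccpa_opt_out" (our names).
const OPT_OUT_COOKIE = 'ccpa_opt_out';

// Parse a document.cookie string ("a=1; b=2") into an object. Tolerates empty
// input, stray separators and percent-encoded values.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    out[name] = value;
  }
  return out;
}

// True only when the visitor has explicitly opted out. Any other state
// (cookie missing, empty or malformed) means "no opt-out recorded".
function hasOptedOut(cookieString) {
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === '1';
}

// GPT privacy settings for this page view: RDP on for opted-out visitors only.
function privacySettingsFor(cookieString) {
  return { restrictDataProcessing: hasOptedOut(cookieString) };
}

// Queue the signal on googletag.cmd so it runs before the first ad request,
// whether or not gpt.js has finished loading. setPrivacySettings is the real
// GPT call; everything else here is our wrapper.
function applyRdpSignal(googletag, cookieString) {
  googletag.cmd = googletag.cmd || [];
  googletag.cmd.push(function () {
    googletag.pubads().setPrivacySettings(privacySettingsFor(cookieString));
  });
}

// Cookie string to write when the visitor clicks "Do Not Sell My Personal
// Information": one-year lifetime, Secure and SameSite=Lax so the flag is
// sent only to this site over HTTPS.
function optOutCookieValue() {
  return OPT_OUT_COOKIE + '=1; Max-Age=31536000; Path=/; Secure; SameSite=Lax';
}

// Browser wiring; skipped under Node so the functions above can be tested.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.googletag = window.googletag || {};
  applyRdpSignal(window.googletag, document.cookie);
}
```

Because the setting is queued on googletag.cmd before any slot is requested, an opted-out visitor never gets a personalized ad request from this page, which is the property an auditor will look for.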
How to be CCPA compliant with third-party monetization partners
While there are a vast number of third-party monetization partners, all going by a wide variety of names—ad networks, ad-ops shops, adtech, monetization platforms, etc., they all have their own privacy policies.
Many of these privacy documents might read differently, but it’s important that you read them. The fine print is important and not reading it can cost you money, headache, and even legal trouble if their business practices are shady.
Luckily for publishers that partner with Ezoic, we aren’t an ad partner. We are an intelligent platform for publishers that offers a suite of tools to help you with everything from increasing ad revenues, improving UX, increasing site speed, data analytics and more.
CCPA Penalties
If you’re found in non-compliance with the CCPA, the good news is the Act grants the party at fault 30 days to cure violations. Consumers are able to seek $100-$750 per incident for actual or statutory damages.
Fines for violations include:
- $2,500 for unintentional and $7,500 for intentional violations of the Act.
- US$100-$750 per incident, per consumer, or actual damages if higher, for damage caused by a data breach.
- As currently written, the law states that a business shall only be in violation of the CCPA if it fails to cure any alleged violation within 30 days after being notified of the alleged noncompliance.
If you’ve read this blog in its entirety, take a deep breath. You made it!
Consumer data privacy and compliance are no joke. In reality, having to go through this guide and see whether you need to comply with the CCPA is just another line item from a long laundry list of things publishers have to do to keep up in the evolving landscape of digital publishing.
This is generally why I say the more regulation that directly or indirectly affects publishers, the more complex a publisher’s operation will become. The CCPA wasn’t the first data privacy regulation, and it surely isn’t the last. The most important thing is to be aware of any regulatory compliances you may need to adhere to.
Whether you do it individually, with a plugin, or through your monetization partner, just get it done. The time it takes to implement is much smaller than the headache that will come from penalties, fines, or legal trouble of not complying.
Do you have any questions on the CCPA guide? I’ll answer them below.
Allen is a published author and accomplished digital marketer. The author of two separate novels, Allen is a developing marketer with a deep understanding of the online publishing landscape. Allen currently serves as Ezoic’s head of content and works directly with publishers and industry partners to bring emerging news and stories to Ezoic publishers.