Should Ad Tech Panic Over The California Privacy Protection Act Now Or Later?

Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Gary Kibel, a partner in the digital media, technology and privacy practice group at Davis & Gilbert.

When the EU’s General Data Protection Regulation (GDPR) was passed and enacted, US ad tech companies at least had the comfort of the Atlantic Ocean. Hungry EU regulators chomping at the bit to enforce the burdensome requirements and extract GDPR’s significant fines did not sit in our backyard ready to pounce.

That didn’t stop companies from enacting processes and controls to comply with the GDPR, even though there was not the immediate fear of a regulator’s knock on the door.

Things are about to change. Get ready for a big fist pounding on the door.

On June 28, the California Legislature hastily passed the California Consumer Privacy Act of 2018 (CCPA). The law, which takes effect in less than 1 ½ years, Jan. 1, 2020, ushers in a GDPR-light approach here in the United States. No more buffer. No more distant regulators unable or unwilling to reach US companies on their home turf. If they haven’t already done so, the time for ad tech companies to change the way they store and process data is fast approaching. 

The CCPA contains a long list of requirements that will take time for organizations to digest, analyze and apply to their unique services and operations. Some will be familiar to companies who have already put in place GDPR compliance processes, specifically, how to deal with requests from individuals to access their data, request deletion and exercise a right to retrieve and port their data.

If you’ve already solved these challenges in your GDPR compliance efforts, then good for you.  If you thought you could avoid these requirements by hiding from EU regulators in the US, then it’s time to come out of hiding and comply.

Like the GDPR, the CCPA contains a no-discrimination clause to ensure consumers are not denied access to a service merely because they will not share their data, though there are exceptions, including if the access is tightly linked to the value of the data, which the industry would hope would include ad-supported publisher sites.

Given that nearly every online business requires data to thrive, this exception will be important to analyze and use.

In some respects, the CCPA goes further than the GDPR. One instance is the definition of personal information. While it includes comparable broad language, it also defines personal information to include browsing and search history, as well as inferences drawn from certain data. Inferences? Oh boy.

A primary focus of the CCPA is to allow consumers to control the sale of their personal information. If a company is going to sell a consumer’s personal information, the company is required to give the consumer an opt-out. But what constitutes a sale that triggers this obligation? Will buying a consumer segment in a demand-side platform require an opt-out notice?

How this will all play out remains to be seen. The California Legislature will go through a technical corrections process and further clarify what will hopefully be coming from the left coast.

2019 promises to be the year of California, so get ready.

Follow Gary Kibel (@GaryKibel), Davis & Gilbert LLP (@dglaw) and AdExchanger (@adexchanger) on Twitter.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!


  1. Ken Dreifach

    Excellent and concise summary of the key issues!