“The Sell Sider” is a column written by the sell side of the digital media community.
Today's column is written by Julie Rubash, vice president of legal at Nativo.
The California Consumer Privacy Act (CCPA) has significant ramifications for publishers and their handling of consumer data, not just in California but across the country and the world. Similar to the EU-wide General Data Protection Regulation, CCPA is the first overarching state-level privacy law in the United States and will likely give way to similar laws across the country and eventually at the federal level.
The California attorney general’s office recently submitted its final draft of CCPA regulations, six months after the new legislation’s effective date and only a few weeks before its official enforcement deadline of July 1.
Let’s assess the risk publishers run if they choose to eschew the attorney general’s final CCPA regulations, precautions they should take for protection and the potential impact enforcement could have on publisher business models.
The enforcement deadline is here
The California attorney general now has every right to send notices for violations dating back to Jan. 1. While the AG is unlikely to enforce technical violations of CCPA retroactively, publishers would be wise to review the recently finalized regulations and the attorney general’s statement of reasons and polish compliance efforts to ensure they’re prepared for an inquiry.
There are certainly some remaining ambiguities in the law, even with the regulations and statement of reasons, but if a company has invested good-faith efforts into interpreting and complying with the law to the best of its ability, it's likely safe from enforcement as long as it’s willing and able to actively fix any violations that come to light as we learn more about how the law will be applied. Companies that do receive notice of a violation from the attorney general’s office will have 30 days to cure any noncompliance before fines are imposed.
For publishers, one aspect of CCPA remains clear: If a business has a direct relationship with consumers and sells their personal information to third-party companies, it should provide a notice at the time of collection and include a “Do Not Sell My Personal Information” button on its website that allows California users to opt out of that sale.
Addressing this core requirement should be a publisher’s first move if it hasn’t already endeavored to comply with CCPA. If it has, now is the perfect time to confirm its solution meets the regulation’s latest requirements.
For publishers unsure of next steps, the IAB created the IAB CCPA Compliance Framework to help meet the CCPA “Do Not Sell My Personal Information” requirement. This tool creates a consistent, unified approach. Implementing the framework and signing the limited service provider agreement are the simplest ways for publishers to pass these requests to downstream partners under a unified framework that governs how those signals should be treated.
Impact on publisher business models
If publishers implement the IAB CCPA Compliance Framework and sign the limited service provider agreement, it is unlikely that the impact on their business models will be significant. Of publishers in the Nativo marketplace that have implemented the IAB CCPA Compliance Framework, only 0.91% of their inventory contains an explicit opt-out.
Technology companies might be restricted by downstream partners from further “selling” the information if it is passed outside the scope of the IAB framework and limited service provider agreement. If so, this could limit publisher access to certain demand.
The biggest potential threat
The biggest potential threat of CCPA to the digital advertising industry is Section §999.315(d) of the regulations, which requires businesses to treat user-enabled global privacy controls that signal the consumer’s choice to opt out of the sale of personal information as a valid “Do Not Sell My Personal Information” request.
If a user has a global privacy setting with their browser to never allow for the sale of personal information and a separate business-specific privacy setting that allows for a sale, such as at the publisher level, the global privacy setting would govern unless the publisher reconfirms user intent.
This would move a user’s well-informed publisher-by-publisher decision (“I don’t want this publisher to sell my data”), in response to privacy notices disclosing what type of data is collected by the publisher and with whom it is shared, to a global decision (“I don’t want any website to sell my data”) without any understanding of what type of data is involved or with whom it would be shared. This would put power in the hands of browsers and remove power from users to make informed decisions about how their data is collected and shared.
It doesn’t appear that any browsers have implemented such settings yet. But such a setting could significantly impact publisher ad revenue, since publishers will no longer be able to provide personal information of California users with global “Do Not Sell My Personal Information” browser settings to digital advertising providers for any purpose that constitutes a “sale” without reconfirming the user’s publisher-specific intent.
While the publishing industry is facing more than a challenge over user privacy concerns, including the impending deprecation of third-party cookies, publishers should be doing everything they can to comply with CCPA.
The California attorney general has expressed his intention to penalize businesses that fail to comply, and publishers that have avoided compliance measures will be ripe pickings. Publishers that abide by the law and align with the industry are better positioned in a post-CCPA world.