What new data regulations in California mean for publishers
The California Consumer Privacy Act (CCPA) has been touted as a kind of GDPR-Lite. And while the powers of this regulation may not be as forceful or as far-reaching as GDPR, the CCPA is still the first official privacy legislation in the United States. CCPA is a major indicator of a wider sea-change regarding data collection and privacy within the United States, and the strongest sign yet that US publishers should start planning for regulation now, rather than later.
The demands of CCPA are relatively simple. Companies must provide clear and understandable information regarding their data collection and use, and give people the right to restrict their personal information from being sold. The regulation was passed earlier this year and will come into effect as of January 1st, 2020.
Who is affected?
Unlike GDPR, which affects any business in the EU or that comes into contact with the user data of any EU citizen, CCPA legislation applies only to companies doing business in California that also meet one of the following requirements:
- Gross revenue of over $25 million
- More than 50% of their revenue is obtained from the sale of personal information
- Has access to the personal data of more than 50,000 consumers, devices, or households annually, and buys, sells, shares, or uses this information for commercial purposes.
What does CCPA cover?
If you’re fluent in dense legalese, the full text of the CCPA can be found here. But essentially, CCPA gives Californians the right to:
- Know what personal information is being collected
- Know whether their personal information is sold and to whom
- Say no to the sale of personal information
- Access their personal information
- Equal service and price, even if they exercise their privacy rights
It also gives Californians the right to seek damages in case of the loss or theft of their data. If data is lost, breached, or compromised, California residents now have the right to take civil action against your company.
Here’s what publishers need to know and what they need to do to stay compliant:
Know your customer, know your data
Regulation like this highlights the number of companies that really don’t know the data they are collecting or how they use it. If CCPA achieves anything, it may be to make companies take a more proactive approach to monitoring how they track and use user data.
If you track how your website visitors interact with adverts then, according to CCPA, you are using personal information. If you collect device data, household data, addresses, and more, CCPA will likely affect your current business model. Even if you think CCPA doesn’t apply to you, it’s a timely reminder to do a ‘data-audit’ in order to see where your current data practices lie.
- Know the data you collect
- Know how and where you store it
- Know who has access to it
- Know where your vulnerabilities lie – i.e., how possible is it that someone might email your entire database to the wrong address accidentally?
With this information, you can cross-check your current processes with the CCPA and make changes if required. If CCPA legislation affects you, there are some actions you will need to take.
Offer an opt-out
Under CCPA, users must be given the option to withdraw consent from having their data collected, used, sold, or stored. If this consent is withdrawn, publishers are blocked from making further data requests for 12 months.
Be prepared to export your user data
CCPA gives users the right to request access to their own data. This means you need a system to provide it. Keep logs of all collected data. The system should also give you the option to classify, export, and share data upon request.
Offer equal service to every user
Essentially, this means that you can’t refuse to sell goods or services to users that opt out of sharing data. Companies are able to create financial incentives for sharing data, but this incentive must be “reasonably related” to the value of the product offered. This prevents companies from hiking prices for users that choose not to share data.
Get parental consent
Finally, under CCPA, companies are required to seek parental consent for personal data from children.
Today California, tomorrow the world
The CCPA regulation is only state-level at the moment. But it’s likely that California will be the testing ground for wider regulation. Privacy regulation in other states, and quite possibly at the federal level, will be built on the foundation of CCPA.
So, even if the privacy constraints are not as stringent as GDPR, publishers with a global audience can have three levels of privacy practices to deal with, and the potential for many more. This means three different systems in place for visitors from California, Europe, and then the rest of the world.
Microsoft has been the first major tech company to announce that it will honor the new regulation throughout the US, not just limited to California residents. Following the example set by Microsoft and offering every visitor the same GDPR and CCPA-compliant privacy settings may be the smart play in the long term.
A blanket approach to user data gives you a single process to manage and a single way to store and use visitor data. A single process reduces management costs, potential liability, and overhaul costs in the future as other states start to follow suit.
Even if CCPA doesn’t affect your site directly, it is advisable to know who is visiting your site, what data you collect, and how it is used. Have secure and clear storage of your user data, with the option to provide records and a history of consent if required. Have a system for users to opt out, and regularly review your user data. Regulation is in its early stages and will only be extended to more areas.
For publishers, the advice is simple: act now. Create a system to give users control over their data rather than waiting for more countries and states to implement differing definitions of privacy legislation.