The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. It governs a wide range of online interactions, including cookie setting, ad targeting, and data retention. Because parts of the CCPA are still in flux, we will continue to update this FAQ with important news and information as it becomes available.
If you’re looking for a guide to the best CCPA-compliant CMPs, you can find one at What’s New in Publishing.
We’re not lawyers, and this website is not intended to act as legal advice. Please consult your legal counsel to understand how CCPA compliance affects your business.
Frequently Asked Questions
What exactly is CCPA?
The CCPA takes effect on Jan 1st, 2020. It’s a California state law, but its scope affects businesses throughout the U.S. and beyond. It applies to any business that targets California residents (legally defined as ‘consumers’).
It is being implemented to protect and uphold the rights of Californians, notably the right to know how their personal information is being collected and processed. It also allows them to object to their data being sold for commercial purposes.
What is “Personal Information?”
The CCPA defines personal information as “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
So, to be clear: the CCPA applies to entire households, not just individuals.
Is my publishing business affected?
Importantly, the CCPA does not apply only to businesses located in California. While this is a California state law, it applies to businesses located anywhere in the world. If any of the following applies to you, then yes, you’re affected:
- You do business in the state of California
- You collect personal information from California consumers
- You determine how that personal information is processed, and you satisfy one of the following requirements:
  - Your business has annual revenues of $25M or more
  - You process, buy, or sell data relating to more than 50,000 individuals, households or devices in one year
  - Your business makes at least half its revenue from selling data.
What are the penalties for non-compliance?
The CCPA is enforced by California’s Attorney General. If you don’t rectify a breach of the law within 30 days, you face a maximum penalty of $7,500 per violation (that is, per person affected).
If a security breach exposes someone’s personal data, you can be sued for a maximum of $750 per affected individual, or for actual damages suffered, whichever is more. For example, if you have 1,000 California-based individuals in your newsletter database, that could mean you’re exposed to penalties of 1,000 x $750—or $750,000.
In short, the penalties are not insignificant.
How do I prepare?
Put simply, get a solid grip on what data you collect and what happens to that data. If possible, get all your data into one single system so you have complete control over what you have and how it’s used, with no leakage.
In addition, you must let consumers know how their information is used, and give them the ability to opt out of data collection and processing.
Importantly, you’ll need to be able to quickly fulfill consumer requests for data disclosure, which is an obligation of the new CCPA.
You’ll also have to figure out how to communicate reader data in real-time to your downstream programmatic partners. One way of doing this is through a CCPA-compliant CMP. More on that later.
What about my advertising partners?
Publishers must be careful about which third parties they are sharing data with and for what purposes. This is because the new law not only applies to the sale of data, but also to the disclosure of data for business purposes with any third party.
What can I do right now to prepare?
There are a few things that publishers can do prior to January 1, 2020:
- Implement a CCPA-compliant CMP.
On December 5th, 2019, the IAB released its CCPA Compliance Framework for Publishers and Technology Companies for industry discussion, with an updated version to be released soon. The Framework (and resulting Agreement) is intended to be used by publishers who ‘pass on’ personal information and the tech companies they sell or pass the information on to.
- Decide if you want to sign the Agreement as part of the CCPA Compliance Framework.
- Talk to your partners. Understand their implementation of CCPA, and whether they require you to sign the above agreement in order to continue serving targeted advertisements (Sovrn is not requiring a signature at this time, but will respect any US Privacy Signals received).
Consent Management FAQ
What is a CMP?
A consent management platform (CMP) is a piece of technology used to manage which data customers (in this case, California-based customers) have consented to have used, and for what purposes. The CMP then sets a cookie on the browser that downstream partners can view to understand that consumer’s preferences. The basic premise is that downstream partners receive information declaring whether you’ve presented California consumers with the required opt-out notice, and what their preference was.
A number of vendors offer paid-for and free CCPA CMPs. You can read a guide to the top CCPA-compliant CMPs at What’s New in Publishing.
The IAB CCPA signal, also known as the USP_String (US Privacy String), is the cookie set on a user’s browser for the purposes of indicating whether that user has opted out of data processing on your domain. This marker can be read by downstream partners as a way to identify a user’s data preference.
The most common and simplest way to set the IAB CCPA signal is through a CMP. Unless you are a very large publisher with engineering resources devoted to compliance, you will probably use a CMP.
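How a downstream partner might read the signal described above, as an added example that is not part of the original FAQ and is not Sovrn's or the IAB's code. It assumes the four-character version 1 layout from the IAB US Privacy String specification (not spelled out on this page) and the cookie name usprivacy; the function names and the fail-closed policy are this example's own choices.

```javascript
// Version 1 layout: [spec version][notice given][opted out of sale][LSPA covered].
// Each of the last three characters is Y, N or - (not applicable).
// Accepting lower case is this example's choice, not something the page states.
const USP_PATTERN = /^1([YN-])([YN-])([YN-])$/i;

function parseUsPrivacy(raw) {
  if (typeof raw !== 'string') return null;
  const m = USP_PATTERN.exec(raw.trim());
  if (!m) return null; // unknown version, wrong length or stray characters
  const [notice, optOut, lspa] = m.slice(1).map((c) => c.toUpperCase());
  return { version: 1, notice, optOut, lspa };
}

// Pull the string out of a Cookie header. The cookie name is an assumption.
function uspFromCookieHeader(header, name = 'usprivacy') {
  for (const part of String(header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    try {
      return decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      return null; // broken percent-encoding is treated as no signal
    }
  }
  return null;
}

// Hypothetical policy helper: use personal data only on a clear, valid signal.
function mayUsePersonalData(raw) {
  const usp = parseUsPrivacy(raw);
  if (!usp) return { allowed: false, reason: 'missing or malformed signal' };
  const { notice, optOut, lspa } = usp;
  if (notice === '-' && optOut === '-' && lspa === '-') {
    return { allowed: true, reason: 'CCPA does not apply' };
  }
  if (optOut === 'Y') return { allowed: false, reason: 'consumer opted out of sale' };
  if (notice === 'Y' && optOut === 'N') {
    return { allowed: true, reason: 'notice given, no opt-out' };
  }
  return { allowed: false, reason: 'notice not confirmed' };
}

// Constructed sample header, for illustration only.
const sample = 'sid=abc123; usprivacy=1YYN; theme=dark';
console.log(mayUsePersonalData(uspFromCookieHeader(sample)));
```

Treating a missing or unparseable string as "not allowed" is the conservative reading; whether that default suits your business is a question for counsel.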
I installed a CMP for Europe’s GDPR. Am I covered?
Not necessarily. There are specific differences between GDPR and CCPA that you need to be aware of, and not all CMPs support the CCPA. Both pieces of legislation have the same end goal of enhanced user privacy and data protection. However, there are subtle differences, which means that a one-size-fits-all approach won’t necessarily work.
What else should I know?
There is still a lack of clarity surrounding parts of the CCPA, including the law’s broad interpretation of what constitutes a data “sale.” We expect to see multiple changes and clarifications to the law in the coming months and years as the industry works towards compliance. To that end, you’ll likely receive a lot of communication over the next few months from all of your partners.
In addition, there are various rumblings that California’s CCPA is an indicator of nation-wide privacy legislation to come. Microsoft, for example, will honor California’s new privacy rights throughout the United States. And additional legislation is winding its way through various states, including New York’s SHIELD Act.
Ultimately, this is a complex issue, and the push towards privacy legislation shows no sign of slowing. The landscape is shifting quickly, and publishers will need to understand their obligations and adapt quickly as well.
We’ll leave the final words to Keith Abbey, our VP of Publisher Growth:
“Publishers must prepare for the arrival of the CCPA with the mindset of getting ready for the worst, and accept that taking a Band-Aid approach to compliance may not be good enough for an increasingly tough regulatory landscape.
“More than this though, privacy is essential and not going away because it’s the right thing for consumers. Audiences should have a holistic view of what happens to their data – including why it’s collected, what it’s used for, and who it’s accessed by.
“By welcoming data privacy into their business models, publishers can build a stronger relationship with consumers; one based on trust and respect.”