Businesses have had to comply with the California Consumer Privacy Act (CCPA) since it became law on July 1, 2020.
Created in 2018, the CCPA aims to better protect people’s data privacy and give California residents more control over how businesses track and use their information online.
Still, it is tough to discern exactly what the CCPA is, to whom it applies, and how it impacts ad strategies going forward.
Here we answer all the questions advertisers have about the CCPA.
What Is the CCPA?
According to the State of California Department of Justice, the CCPA “gives consumers more control over the personal information that businesses collect about them. This landmark law secures new privacy rights for California consumers.”
Under the CCPA, California residents have the right to:
- Be informed about which data companies collect from them and how that data is used
- Request that personal data be deleted
- Deny companies the right to sell their personal data
Who Does the CCPA Apply To?
The CCPA only covers California residents, but that doesn’t mean only California businesses are held liable under the CCPA. Any business that collects information from consumers in California must adhere to this law, as long as that business:
- Has a gross annual revenue of over $25 million
- Collects or sells information from at least 50,000 California residents
- Or earns at least half of its annual revenue from selling the information of California residents
So, for example, if you run your $30 million business out of the UK, but you have online customers in California, you must handle those customers’ information in accordance with the CCPA.
Non-profits and government organizations are not liable under the CCPA.
How Does the CCPA Define Personal Data?
According to the CCPA website, personal data includes:
- Names
- Email addresses
- Social security numbers
- Purchase histories
- Browsing history
- Location information
As the CCPA website states: “Personal information is information that identifies, relates to, or could reasonably be linked with you or your household.”
How Does the CCPA Impact Advertisers?
Advertisers must reevaluate how they approach data collection, including how they notify users, decide which data to collect, and share that data with third-party platforms.
Since the CCPA gives people the right to delete their personal data and opt-out from selling that data to third parties, businesses should clearly outline the value they’ll provide customers by gathering that data. Otherwise, they risk losing a lot of important data that could affect their ad targeting and engagement strategies.
This isn’t a punishment for advertisers. It is a vital opportunity for brands to improve transparency and build trust among their audiences.
What’s the Difference Between the CCPA and the GDPR?
Called “the toughest privacy and security law in the world,” the General Data Protection Regulation (GDPR) is the European Union’s (EU) version of the CCPA. Passed in 2018, the GDPR applies to all businesses that collect data from EU residents, regardless of their size or revenue.
Both the CCPA and the GDPR uphold consumers’ data privacy, but there are a few major differences between them. According to the GDPR, businesses must invite consumers to opt into data collection, while the CCPA only requires businesses to provide opt-out options. The GDPR is also unique in upholding businesses to regular assessments and compliance reviews to ensure they’re meeting the standards of the law.
What if Advertisers Don’t Comply With the CCPA?
Each unintentional violation of the CCPA can cost businesses up to $2,500, while each intentional violation comes with a price tag of $7,500. Once a business is notified of its violation, it has 30 days to fix it before being fined.
According to the CCPA website, consumers can also sue businesses for up to $750 if their “non-encrypted and non-redacted personal information” is leaked during a data breach.
How Can Advertisers Ensure They Comply with the CCPA?
There are many strategies advertisers can use to ensure their data collection practices comply with the CCPA, including:
- Providing information about how and why consumer data is collected – Make this information readily available at the point-of-collection and state if and how that data is shared with third-party services.
- Allowing people the ability to opt-out of data resale – Make this visible at the point-of-collection, such as with a link or call-to-action.
- Having a comprehensive system for storing people’s data – Advertisers must have that data on-hand since users can request it be deleted at any time.
- Working with third-party partners to improve data collection and resale processes – The CCPA is a great excuse for brands and adtech platforms to strengthen their relationships and streamline their value exchanges.
What is Taboola’s position under the CCPA?
Taboola is a limited service provider of any personal information that we collect from California consumers on your landing pages.
This means that we will use this data only for your specific business purposes: to provide you with campaign analytics, conversion tracking, and retargeting.
This also means that we will not use any personal information collected from your sites to supplement Taboola’s unique user profiles or improve algorithm.
Do advertisers need to pass Taboola any “Do Not Sell” signals?
Nope, as your limited service provider, our use of any personal information from your landing pages falls outside the definition of a “sale” under the CCPA.
How can advertisers share consumers’ deletion requests with Taboola?
Should you receive an access or deletion request regarding a California consumer’s personal information as processed by Taboola, we ask that you direct the consumer to Taboola’s Subject Access Request Portal. This real-time portal allows the consumer to delete or access their personal information, thereby helping you comply with your CCPA obligations as a business.
Do current customers need to update our contracts with Taboola?
Nope. We’ve provided online terms which govern Taboola’s use of California residents’ personal information collected from your landing pages and outline our role as your limited service provider. Otherwise, your contract should already be governed by “Applicable Data Protection Law,” which, for advertisers with California visitors, includes the CCPA.
The Future of Data Privacy Rights
The CCPA seems less threatening than the GDPR, because it only applies to California residents. Advertisers should understand, however, that California is the most populated state in one of the most financially powerful countries. The introduction of the CCPA sets a precedent for other states and nations, proving the importance of data security and holding businesses accountable for their actions.
In fact, the California Privacy Rights Act (CPRA) already passed at the end of 2020, but it won’t be enforced until July 2023. The CPRA promises even tighter restrictions for how businesses collect and sell personal information. It, for example, limits the use of “sensitive personal information” about people’s health, sex, religion, and ethnicity.
Even if companies aren’t liable under the CCPA or the GDPR, they should improve their data practices by making them more transparent and giving consumers increased control over how their information is used. It is not the law everywhere yet, but it is good business and, most importantly, it shows customers that you care about their security and value their exchange of data.