The California Consumer Privacy Act (CCPA), which takes effect on January 1, will give Californians the right to see, delete and stop the sale of the personal information that companies have compiled about them.
Who Is Affected?
Companies that do business in California, regardless of where they are located, must comply with the law if they exceed one of the following thresholds:
- Have annual gross revenues in excess of $25 million;
- Buy, sell, receive or share personal information gathered from 50,000 or more consumers, households, or devices for commercial purposes; or
- Derive 50% or more of their annual revenues from “selling” consumers’ personal information.
The CCPA stipulates the following (for California residents):
Consumers Are Granted:
- The right to know what information is collected on the individual, the purpose for which it was collected, where the company got that information, how the information is being used, whether the information is being disclosed or sold and to whom the information is being disclosed or sold.
- The right to access that information.
- The right to deletion of their data.
- The right to opt out of the sale of their data.
Businesses Are Prohibited from:
- Discriminating against a consumer because the consumer exercised any of the consumer’s rights under this title (for example: denying goods/services, charging different fees, providing different levels of quality of experience).
- Selling personal information of consumers under the age of 16 without explicit consent.
- The Governor signed amendments into law, and the AG released draft regulations the week of October 7, 2019.
- The IAB Tech Lab released technical specs for the CCPA Compliance Framework on November 18, 2019.
- The IAB’s Limited Service Provider Agreement (to become a Signatory to the Framework) was available on December 5.
- ER signed the agreement on December 11, 2019.
- The CCPA goes into effect January 1, 2020.
Personal information is anything that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes:
- Real name or alias, physical address, biometric information.
- IP address, email address, unique personal identifier, online identifier (including device ID and user agent).
- Account name, driver’s license number, passport number.
- Records of purchasing history or tendencies.
- Internet browsing or search history, information related to web site interactions, geolocation data.
- Employment or education data.
The selling of data under the CCPA is defined very broadly. Think of it more like sharing data. Per the IAB,
“Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. Simply disclosing data, even as part of a larger transaction involving a product or service, likely constitutes a sale, [so] it is difficult to conceive of an activity that does not fall within this definition given that the digital advertising ecosystem is built and predicated upon utilizing consumer data for ad decisioning, reporting, and optimization.”
For digital video ad serving and analytics, ER only collects IP address, device ID (if sharing is enabled by the web publisher/device), user agent string, and geolocation (inferred from the IP address).
When a Consumer Opts Out on a Publisher’s Website
- ER is a signatory to the IAB CCPA Compliance Framework. If a consumer on a publisher’s website opts out of having their personal information collected and shared, the publisher will pass this signal to ER in real time on every ad call and viewing session via a privacy macro.
- When ER receives notice that a consumer has opted out, (a) those users can no longer be geo-targeted via ER and (b) we can no longer share their personal information with our advertising clients via custom log-level reports. All fields in custom reports that contain personal information (IP address, device ID, user agent) will be replaced with “CCPA”.
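The opt-out handling described above, as an added example that is not ER's code. It assumes the privacy macro carries the IAB US Privacy string (for example 1YYN, where the third character is the opt-out-of-sale flag); the column names, the fail-closed handling of malformed values and the sample rows are assumptions made for illustration.

```python
# Added example: column names, the fail-closed policy and the sample rows are assumptions.
import re

PERSONAL_FIELDS = ("ip_address", "device_id", "user_agent")  # hypothetical column names
REDACTED = "CCPA"  # replacement value stated on the page
_US_PRIVACY = re.compile(r"^1[YN-]{3}$")  # version 1, then notice / opt-out / LSPA flags


def opted_out(us_privacy):
    """Return True when the signal on an ad call means the consumer opted out."""
    if us_privacy is None or us_privacy == "":
        return False  # no signal was passed with the ad call
    value = str(us_privacy).strip().upper()
    if not _US_PRIVACY.match(value):
        return True  # assumption: a malformed or unexpanded macro fails closed
    return value[2] == "Y"  # third character is the opt-out-of-sale flag


def redact_row(row):
    """Return a copy of a log-level row, redacted if its signal is an opt-out."""
    out = dict(row)  # never mutate the stored record
    if not opted_out(row.get("us_privacy")):
        return out
    for field in PERSONAL_FIELDS:
        if field in out:
            out[field] = REDACTED
    out["geo_targetable"] = False  # opted-out users are excluded from geo-targeting
    return out


def build_report(rows):
    """Apply the redaction to every row of a custom report."""
    return [redact_row(r) for r in rows]


# Constructed sample rows (documentation-range IPs, made-up device IDs).
SAMPLE_ROWS = [
    {"ip_address": "203.0.113.7", "device_id": "dev-aaa", "user_agent": "UA/1.0",
     "us_privacy": "1YNN", "geo_targetable": True},
    {"ip_address": "198.51.100.9", "device_id": "dev-bbb", "user_agent": "UA/2.0",
     "us_privacy": "1YYN", "geo_targetable": True},
    {"ip_address": "192.0.2.44", "device_id": "dev-ccc", "user_agent": "UA/3.0",
     "us_privacy": "${US_PRIVACY}", "geo_targetable": True},
]

if __name__ == "__main__":
    for line in build_report(SAMPLE_ROWS):
        print(line)
```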
When a Consumer Contacts ER Directly
- If a consumer contacts ER to have their personal information deleted, we will acknowledge the request within 10 days, and act on the request within 45 days.
- We will also share these requests with any ER advertising clients who have received this personal information via our custom reports, so they may take action to delete data within their systems.