An Update on the California Consumer Privacy Act (CCPA)

Tim Sleath, VP, Product Management,

If you’ve been following the latest on the California Consumer Privacy Act (CCPA), you might know there have been a few significant updates in recent months. Since September, proposed regulations with guidelines for implementation have been published by the California Office of the Attorney General, and seven outstanding amendments were signed into law by California Governor Gavin Newsom. There has been the inevitable criticism that there is still a lot of ambiguity here, but plenty has been cleared up.

With 2020 on the near horizon, are you prepared for the upcoming changes to privacy law? Not to worry, we are dedicated to educating our clients and partners and ensuring we are on track towards compliance with the new laws. Below we’ve recapped some of the most important updates to know!

Subject Access Requests

We’re already compliant on the subject access request process thanks to GDPR, which is comparable to consumer requests under CCPA. We don’t need to modify it for CCPA.

Aggregated data is not within CCPA

This removes a bit of a headache. So, let’s say we’ve defined a behavioral segment of people reading online about bathroom mirrors, that segment itself would have been classed as personal data. The latest amendments mean it won’t be, which makes a lot more sense – whose personal data would it have been?  We can continue advising our brands that, for example, people interested in bathroom mirrors were 3.6x more likely to convert, we can do so without worry that this insight is infringing CCPA.

Third Parties, Service Providers and Data Brokers

The CCPA requires affected businesses to define what they are in terms of how they process personal information. Essentially, the concepts are not far off the GDPR’s terms of Data Controller and Data Processor. Let’s look at how these break down:

Third PartyData ControllerAn entity which receives personal information and makes its own decisions about what to do with it, including with whom to share it.
Service ProviderData ProcessorAn entity which receives personal information and processes it according to a strict agreement with a Third Party.

So, most firms in AdTech proper will likely be Third Parties, let’s be clear. If the firm is able to decide to, for example, integrate with a new partner which involves a cookie sync, then it ain’t no Service Provider. We’ll certainly be assuming we’re a Third Party for CCPA purposes unless further developments require otherwise.

There is another term floating around, “Data Broker,” which could be expected to be a tiny subset of AdTech firms, save for the use of this overstretched term “Sell”. As a Data Broker in California is any firm that knowingly collects and “sells” data, then that potentially is a very large overlap of all CCPA Third Parties. The Attorney General’s office may be getting a lot of unnecessary registrations for firms that really aren’t Data Brokers yet find themselves falling under the legal definition. (Things would be much clearer, IMHO, if the words “sell” and “sale” related to Data Brokers, whereas the broader concept was kept as “share”, e.g. “Do Not Share My Data”.) We’re expecting to register as a Data Broker as a precautionary measure.

“Do Not Sell My Data” Frameworks

The self-regulatory bodies within the Ad Tech space have scrambled to provide a solution for the “Do Not Sell My Data” (“DNSMD”) requirement of CCPA.

IAB has made progress developing a framework to pass the DNSMD signal between vendors via OpenRTB and using contracts to change the state of a vendor from a Third Party to a Service Provider in the event of a user triggering DNSMD. It is however a bit complicated and involves building a whole new system for what is basically an opt-out. It seems this mechanism will be mainly used by data brokers or companies with more complex business models, with Google having committed to the initiative.

In parallel, the DAA has been considering how their existing AdChoices mechanism could be leveraged to satisfy CCPA. They have now finalized this approach, and we intend to support this approach as it is more suited to our data usage scenario.

Microsoft’s CCPA Stance, Federal Law?

Microsoft announced it will honor CCPA requirements US-wide, which is both a shot in the arm for a future federal privacy law and also an example for other vendors to follow. We certainly intend to apply the same CCPA provisions across the US as a starting point and review any individual state laws as they develop. On the subject of a federal law, one such has been proposed, which does go further than CCPA (notably creating a new federal agency, and tightening opt-in consent requirements for machine learning and profiling purposes). We’ll see how this develops, though enforcement and/or application may not be clear for 12-24 months at the earliest.

Our Brand

Exponential is now doing business as, reflecting the importance of tailor-made video experiences in the value we bring to our clients. In other respects, including what data we use and how we use it, the situation hasn’t changed. The Exponential legal business entity still exists and will still be referred to in contracts, privacy policy etc.

What’s on our to-do list?

It seems clear to me that we will need to ensure that the brands we work with understand their responsibility to feature a “Do Not Sell My Data” link on any pages which include our pixel code. Probably that needs to take the form of revised Ts & Cs, Privacy Policy, a new Data Protection Agreement, or perhaps a separate “pixel placement agreement” to ensure CCPA compliance.

Our privacy policy will also be revised before year-end to ensure all the CCPA points are clearly covered.


DISCLAIMER: The information provided in this blog does not, and is not intended to, constitute legal advice; instead, all content in this blog are for general informational purposes only!

Subscribe below to stay on top of the latest updates!