It’s exactly a month since the California Attorney General finalized and submitted the proposed regulations to the California Consumer Privacy Act (CCPA) to the state’s Office of Administrative Law (OAL). Tomorrow, on 1 July, the OAL is expected to review the recommendations and approve the CCPA final regulations. In the midst of the COVID-19 pandemic, the California Governor passed the EO N-40-20 that allows the OAL to take an additional 60 days to complete the review process. To simplify things for CCPA compliance, the AG has requested OAL to complete the process as per norm, and not delay the process any further despite the Executive Order.
What is CCPA?
On June 28, 2018, CCPA was signed to be enacted into a law. On 1 January 2020, CCPA came into effect, empowering California citizens with complete control of their digital data and personal information. Thanks to CCPA, California consumers have robust privacy rights that prevent online businesses from asking, collecting, requesting and/ or selling Personal Information without consent.
According to a survey, 32% of financial organizations have already seen an increase in data subject access rights requests (DSARs) since the CCPA came into force on January 1, 2020. The majority of respondents (73%) stated that manual processing of these requests puts significant or moderate pressure on their IT teams. Every fourth organization (27%) noted that rising interest in execution of privacy rights has increased their expenses.
Hours before the CCPA final regulations is expected to come into full force, we spoke to business leaders what they think about the proposed regulations package submitted to OA, and how they are preparing for the post-CCPA finalized era.
The participants include:
- Alexander Igelsböck, CEO, Adverity
- Ivan Ivanov, COO, PubGalaxy
- Filippo Gramigna, Strategic Advisor, Audiencerate
- Ian Lowe, VP Marketing, Crownpeak
- Michael Korsunsky, CEO of MGID
Let’s find out what they said.
The Big GDPR - CCPA Divide
By, Alexander Igelsböck, CEO, Adverity
“Since its introduction, the CCPA has inevitably drawn comparison to GDPR. However, there are key differences between the regulations, one of which being that CCPA includes data that is not specific to an individual, categorizing it as household data, while GDPR remains exclusively individual. In addition, unlike GDPR, the CCPA does not require businesses to have a ‘legal basis’ for the collection and use of personal information, nor does it restrict the transfer of personal information outside of California.”
“Clearly, GDPR compliance does not equal CCPA compliance, but while some interpretive aspects remain unresolved, for example the application of the CCPA to IP addresses, two years of GDPR at least gives businesses an example to draw from, even if vicariously, to prepare as best as possible for the start of CCPA enforcement. Data continues to appreciate as a valuable asset and is ever-increasing in quantity, with some key details regarding how the regulation will be interpreted and applied still to be determined by the California Attorney General it is important businesses track the latest updates on CCPA carefully.”
Making Sense of Digital Economy: The Use of First-Party Data
Ivan Ivanov, COO, PubGalaxy
“The industry is evolving at a rapid pace but, with the CCPA having been in effect for six months now, companies should be well on their way to compliance as the enforcement period begins. Issues around how consumer data is processed within different parties aren’t going away, so those publishers and advertisers that incorporate data privacy into their business models will be the ones set up for long-term success.”
“One of the more promising options is through the use of first-party data, and by establishing stronger, more direct relationships across the advertising ecosystem; a practice that will enable both publishers and advertisers to use personalization methods to drive engagement and revenue opportunities.”
“But more than this, with ad spend currently unstable, and the end of third-party cookies in sight, compliance with the CCPA – and other data privacy laws – is vital if companies want to continue to be part of the evolving adtech landscape, and come out the other side stronger, and more trusted.”
Is CCPA an Obstacle to Data Economy?
Filippo Gramigna, Strategic Advisor, Audiencerate
“Following on from the implementation of GDPR in Europe, the CCPA is a natural development in regulating the industry on a wider scale. While some may consider it another obstacle to data collection, it should be seen as an important step towards a more compliant and transparent digital ecosystem.”
“Data will only ever increase in value and importance, as it is a great asset to inform better decision-making. The companies that utilize its power, and use it correctly, will be the ones to reap its rewards. Now at the final stage of implementation, the CCPA will reignite the spotlight on the highest quality data providers – those that already follow the stringent guidelines of industry bodies such as the Network Advertising Initiative (NAI) – and put them on the must-have partner list for marketers looking to balance consumer privacy and personalized communication.”
Compliance Isn’t Just About Ticking Boxes to Avoid Penalties!
Ian Lowe, VP Marketing, Crownpeak
“As we enter the enforcement period of CCPA, brands should understand that compliance is not just about ticking boxes to avoid penalties. It’s about developing a future roadmap for better user privacy experience. To go beyond compliance and engage consumer trust, businesses need to be doing the right thing in the right places – policy, law and tech; which includes having the tools to understand all parts of the data flow, including on the live-side of your sites.”
“Today, positive user experience leads to trust, and customer trust is just as valuable as data. Organizations now have the opportunity to take a proactive approach to managing privacy experience. As new policies, industry challenges and customer expectations emerge, it is a matter of adapting to the new normal – and privacy should be core to this.”
CCPA will Have Minimal, If Any, Impact on the Publishers
Michael Korsunsky, CEO of MGID
“With a year to prepare for the final implementation of the CCPA on July 1st, publishers shouldn’t be finding themselves scrambling to ensure compliance. While the upcoming regulation, which will impact over 40 million California residents, may devalue some data sets, this will only be the case for specific sectors that require precise user matching to reach audiences such as automotive, insurance, real estate, and some other “premium” priced verticals.”
“If a particular user doesn’t give consent for their personal data to be used, the user matching capabilities in programmatic buying will no longer be possible, meaning the value of impressions and CPMs will drop significantly. This will undoubtedly affect DMPs as they rely on providing audience segments to advertisers, based on the CPM pricing model. However, publishers will be able to offset the negative impact of users’ opting out of data sharing by increasing spend across non-user match reliant advertising.”
“We expect the CCPA will have minimal, if any, impact on publishers’ revenues, this being the case for two main reasons. Firstly, many publishers don’t focus on California-based audiences only. Secondly, many advertising campaigns don’t require user matching in the first place and instead, rely on contextual, GEO, devise, language and some other anonymous system profile signatures.”
