CCPA: What Is ‘America’s GDPR’ & What Does It Mean for Digital Advertising?
GDPR: What Changes Did the EU Regulation Implement?
2018 was the monumental year for data protection with the GDPR introducing major changes to data privacy within the EU and EEA. The regulation granted rights for data subjects to ensure ultimate control and transparency over the processing of their personal data. (Data subjects referring to those “whose personal data is being collected, held or processed”).
One significant change was the extension of territorial scope, meaning that the regulation would apply not just to companies located in the EU, but to all companies processing personal data of those residing in the Union. The law required Data Protection Officers to be appointed and conditions for consent were clarified, among other obligations.
Hefty penalties for breaches of the law were also enforced which meant that companies could fork out fines of up to 4% of annual global turnover or €20 million – whichever amount was higher. By February of this year, imposed fines amounted to over €55 million. However, Google incurred the majority of that amount (90%) over insufficient transparency and unclear consent agreements.
California Consumer Privacy Act (CCPA): ‘America’s GDPR’
By now everyone is tired of hearing about GDPR, but what’s happening on the other side of the pond? Clearly influenced by the EU regulation, the California Consumer Privacy Act (CCPA) aims to protect consumer data and strengthen the privacy rights of consumers who are California residents.
Fuelled also by privacy controversies such as the Cambridge Analytica scandal, the CCPA is set to come into effect on January 1st, 2020, and contains many similarities to the EU regulation. Some include similar data breach reporting, data portability, and consumer rights – for example, deletion and disclosure of data. Both laws ultimately encourage transparency and give people control over their own personal data.
The CCPA will not make it mandatory to appoint a Data Protection Officer so accountability rules differ from the GDPR. The California bill also introduces “the right not to be subject to discrimination for the exercise of rights under the CCPA”, a right not specifically included in the EU legislation.
How Will the CCPA Affect Digital Advertising?
GDPR has already been whipping those in the digital advertising marketplace into shape, forcing companies to be more transparent with the way data is managed. Nonetheless, this need for transparency can be seen to positively strengthen relationships with consumers. A requirement of the EU law is that users must freely give their consent for their personal data to be used. This can be seen to negatively affect marketing strategies such as ad retargeting. However, this also results in more personalized ads as users are opting into targeted advertising.
Although the GDPR has a much broader scope and stronger penalties, the CCPA is still expected to make quite an impact on the digital advertising industry. Consumers will have the right to know exactly what information is collected about them and if that information will be sold or shared with third parties. Companies are required to insert a clear link on websites for users to opt out, which shall be titled ‘Do Not Sell My Personal Information’.
California-based companies and also those doing business with California residents need to gear up for the bill by updating their privacy policies and work practices to comply with the law once it becomes effective. With the arrival of the CCPA, AdExchanger predicts that many marketers will be bringing data and buying functions in-house. Marketing strategies will need to be a lot more consumer-oriented and businesses will need to seriously improve transparency in order to give people more control over their personal data.
It’s not just California following in the footsteps of the EU regulation as more than ten other US states have also proposed similar legislation. There still remains over eight months before the CCPA will come into effect and more amendments to the bill can be expected between now and then. Preparing in advance is essential, however, which is a clear lesson learned from GDPR to ensure that deadlines are met and companies are ready.