Think the CCPA Is Just GDPR 2.0? Think Again


With the effective date of the next major piece of data protection legislation – the California Consumer Privacy Act (CCPA) – less than a month away, many media owners are overwhelmed. Though 40% of publishers in a July 2019 survey predicted that CCPA would be the legislation that affected their businesses the most for the foreseeable future, 40% also indicated they had yet to start their CCPA preparations.

Much of the uncertainty surrounding CCPA seems to be related to another data protection framework – the EU’s General Data Protection Regulation (GDPR). One in five publishers believe that the measures they adopted for GDPR less than two years ago will render them compliant with CCPA come Jan. 1, 2020. Unfortunately, that’s not the case.

While GDPR and CCPA have many similarities, there are also many differences. A “one-size-fits-all” approach to privacy is insufficient to meet compliance requirements and – importantly – to demonstrate the respect necessary to earn and retain consumers’ trust. With CCPA fast approaching, publishers need to get to work on updating their data practices.

What’s Behind the Confusion?

It’s not hard to see why many publishers assume the CCPA and GDPR are made from the same mold. In addition to sharing a fundamental goal – providing better data protection for consumers – there are significant overlaps between the two, including key terms, the obligations of parties that collect data, and the rights of data subjects.

For example, both GDPR and CCPA govern the protection of a much broader scope of information than the “personally identifiable information” (PII) that’s historically been the primary focus of privacy regulation in the US. Significantly, the definitions of both “personal data” (GDPR) and “personal information” (CCPA) expressly reference an “online identifier,” which, unlike PII, is understood to include both a cookie ID and a mobile advertising ID.

In addition, the CCPA follows the GDPR in giving data subjects a substantial set of rights with respect to their data, including the right to learn what personal information is collected about them, and to receive a copy of that personal information.

Much the Same, but Crucially Different

Despite their similarities, GDPR and CCPA represent two distinct frameworks with different obligations. One obvious difference is with respect to user consent.

Under GDPR, processing of personal data is considered lawful only if done in accordance with one of several very specific legal bases. In the context of targeted advertising, the most generally accepted legal basis under GDPR is “opt-in” consent. While CCPA does not follow an opt-in model (except in limited circumstances with respect to users under the age of 16), it creates a specific “opt-out” right that is actually quite different from the online advertising industry’s traditional third-party cookie “opt-out.”

The new opt-out under CCPA provides California residents with the right to direct a business not to “sell” their personal information. Seems simple enough, right?

Except that CCPA defines “selling” as not just selling, but also “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating…a consumer’s personal information…to another business or a third party for monetary or other valuable consideration.” Which activities in the online advertising ecosystem constitute a “sale”? The answer likely depends on who you ask.

To comply with the CCPA’s new opt-out obligations, publishers must post a “Do Not Sell” link on their “homepage.” However, “homepage” means not only the introductory page, but also “any page where personal information is collected.”

Putting aside consent and opt-outs, both GDPR and CCPA impose significant requirements with respect to the notices and disclosures that parties – such as publishers – collecting personal information must provide to users; however, those requirements are not identical. Similarly, both GDPR and CCPA impose substantial record-keeping obligations; unfortunately, those obligations pertain to very different types of records. And remember the overlap between “personal data” and “personal information”? While both definitions include information that relates to a particular individual, the CCPA’s definition also includes information that relates to a particular household.

When it comes to legal and regulatory compliance, the devil is in the details.

Next Steps, Part 1: Operation CCPA

With so much complexity, publishers shouldn’t rely solely on their existing data protection frameworks. While many GDPR measures may provide a foundation for CCPA compliance efforts, the unique elements of CCPA make custom implementation essential, especially in a complex online advertising ecosystem that is largely fueled by personal information.

Next Steps, Part 2: Looking Forward

While there are numerous differences between GDPR and CCPA, the new California statute may actually signal a seismic shift toward a more European approach to data protection. While, from a legislative perspective, the US has historically focused on the “security” element of data protection, in Europe the focus has been more on the right to “privacy,” which applies specifically to personal data under the EU Charter of Fundamental Rights.

With CCPA, California may be tilting toward the EU focus by specifically expanding its constitutional right to privacy (California is one of only 11 states with such a constitutional right) to give its residents a “way to control their personal information.” As California is often the US’s legal bellwether, it is not unreasonable to expect CCPA to be the first of many state general data protection laws that not only focus on user privacy but also treat it as a fundamental right. As more states follow California’s lead, and more countries follow a GDPR model, the resultant regulatory patchwork will be significantly larger and more complex than the one GDPR sought to eliminate.

Next Steps, Part 3: Long-term Viability

While all publishers should undertake efforts to meet legal and regulatory compliance, those efforts may not be sufficient to ensure access to the categories and quantities of data that have historically enabled effective monetization of their digital properties. Faced with a spate of new legislation that affords consumers additional rights and choices, publishers need to ensure that they give a good reason for consumers to share their personal information.

Publishers can accomplish this by leaning into the challenge and providing positive user experiences underpinned by a transparent and fair value exchange. Consent requests and other elections must be understandable, friction-free, and genuinely flexible, to provide consumers with genuine choices as to how they want to support content, including by allowing their data to be shared or by signing up for a subscription.

Apart from being the right thing for publishers to do, practices that emphasize transparency, fairness, and empowerment should generate the user trust that drives consent. In turn, those consents should generate a consistent and substantial flow of data that helps drive monetization.

A significant challenge for those publishers that have yet to complete (or start!) their CCPA preparations is that this law isn’t a duplicate of GDPR. However, by coming to grips with the key differences now, publishers may have just enough time to come into compliance prior to the CCPA effective date.

As publishers update their data protection practices, it will be important to focus on more than doing just enough to avoid violations and penalties. While CCPA and the rise of privacy legislation present compliance challenges, they also offer an opportunity for forward-looking publishers to improve engagement with their audiences and build long-lasting, trusted, and profitable relationships.