Finding the Right Takeaways From CCPA for Brands

Consumers are fed up, and marketers need to make changes to accommodate

The California Consumer Privacy Act (CCPA) was signed by California Governor Jerry Brown on June 28, 2018. That should have been a wake-up call for the advertising industry. The CCPA officially went into effect on Jan. 1, 2020 and that should have been the next wake-up call for the industry.

Currently, we are in a pre-enforcement grace period with CCPA, which will allow for operational adjustments. Hopefully this final grace period will allow for what is really happening in this country and across the world to take root with marketers. Consumers have had enough. They do not want their personal data to be leveraged without their consent, and they want creepy advertising practices to stop.

I’m being overly dramatic for a reason. Over the past few months, I’ve been disturbed that some players in the digital advertising ecosystem are not drawing the right lessons from CCPA. I recognize that our industry has had a historical fixation with leveraging personally identifiable information (PII). It has been the bedrock from which the clever algorithms at the heart of the programmatic digital ad movement were formed, and many people seem to be having a hard time with moving on. I witnessed this separation anxiety at the most recent CES in Vegas, where some folks were having animated discussions about the best way to be compliant without compromising their existing data practices.

Most recently, the IAB announced Project Rearc, which promised to find an appropriate, responsible solution to data collection. At the annual IAB Leadership Summit, it was suggested that this new responsible direction of data collection involves hashed emails and phone numbers as identifiers. The only appropriate response to such a suggestion came from the sardonic Ad Tech Troll on Twitter.


This collective delusion by the industry, which continues to hurt the brand marketing ecosystem, is disturbing for two reasons.

Number one, it is dubious from an ethical standpoint. According to a recently cited BritePool study, 88% of consumers now place great value on how their data is used. The CCPA and GDPR are signals of this larger sea change in data use, and clever workarounds aren’t sustainable. Number two, and more significantly, applying resources—both technological and human—against gaming the system creates a harmful opportunity cost. Those same resources could rather be applied to innovating around new targeting methodologies that don’t infringe upon consumer privacy. Today, completely anonymized universal IDs are brought forward in clean rooms where data can be extracted in a manner that promotes consumer protection and comfort. In this way, car brands could still effectively reach auto intenders without having access to previous purchase data.

Our ecosystem would be better served if companies focused on building for brand marketers needs, rather than using the same mouse trap with new cheese.

So instead of trying to come up with a clever hack for CCPA, our ecosystem would be better served if companies focused on building for brand marketers needs, rather than using the same mouse trap with new cheese. It would be in the best interest of brand marketers to encourage their technology partners to embrace the true spirit of CCPA and take seriously the general public’s clarion call of not wanting their data leveraged for purposes they don’t know about.

By honoring that ethos, each and every one of us will be challenged to innovate to create new models that don’t have the stain of previously non-compliant methodology. Google’s decision to sunset cookie-based tracking on its leading Chrome browser should be interpreted as a sincere acknowledgment that consumer privacy is an important issue that should never again be taken for granted. And, of course, they will endeavor to dominate and monetize the next phase.

Digital advertising, like all industries, evolves and adapts. It’s a mistake to develop tunnel vision around the notion that PII is the end-all be-all for digital ad targeting. If you recall, at the dawn of digital advertising, we were perfectly happy with just having IP addresses and zip codes, but then we got our hands on PII, which was always controversial, thus the current backlash.

Unlike Europe, which has been historically much more sensitized to privacy concerns, the U.S. has only paid it lip service. Therefore, I can understand why voices in some quarters find it difficult to truly embrace the spirit of the regulation that has emerged. But once you make that philosophical pivot and then operationalize it in your organization, greater opportunity and progress is possible, all the while keeping consumers protected and happy about their data.

There are currently 30 state ballots with privacy regulation on tap. This movement is being driven bottom up by consumer advocacy groups and not by some opportunistic politician. For brand marketers, this marks a great opportunity to rebuild your digital strategy for today’s climate without leveraging personally identifiable information. Privacy compliance is here to stay, and it’s in everyone’s best interest to truly comply.