CCPA: What Publishers Need To Do To Comply
Publishers and advertisers should pay close attention to CCPA requirements, especially since leveraging data and consent is the key to delivering personal advertisements, increasing ad revenue, and ultimately building trust.
The California Consumer Privacy Act (CCPA) has been top of mind for the past two years since it was enacted in June of 2018. It went into effect on January 1, 2020, and legal enforcement of the Act began on July 1, 2020. The California attorney general’s office recently submitted its final draft of CCPA regulations, six months after the new legislation’s effective date and only a few weeks before its official enforcement deadline.
At a high level, the CCPA is the first state-level privacy law in the United States, and just as the GDPR did, it will lead the way for similar laws throughout the country. As with other global regulations that home in on the way personal data is processed and handled, publishers and advertisers should pay close attention to its requirements, especially since leveraging data and consent is the key to delivering personal advertisements, increasing ad revenue, and ultimately building trust.
There is a lot going on around the world these days, and a lot of news, especially around the CCPA. For example, this week Facebook launched a new Limited Data Use Feature to support companies with CCPA compliance, and last month IAB Tech Lab released its technical data deletion spec to help publishers signal opt-out requests downstream to third-party vendors. Moreover, the industry is already looking ahead to CCPA 2.0 (or CPRA), which is on the ballot for November 2020.
For now, let’s focus on the current enforceable version of CCPA, its implications and how we’re here to support you every step of the way in your privacy journey.
As a reminder, CCPA applies to businesses targeting residents of California, regardless of where the actual business is located. Starting July 1, the California attorney general can send notices for violations, so we recommend reviewing the recently finalized regulations and making any necessary changes. Companies that do receive a violation notice from the attorney general’s office will have 30 days to cure any noncompliance before fines are imposed.
CCPA’s Impact on Publishers
For publishers, one thing is very clear: if a business has a direct relationship with consumers and sells their personal information to third-party companies, it should provide a notice at the time of collection and include a “Do Not Sell My Personal Information” link or button on its website or in its CMP that allows California users to opt out of that sale. Addressing this core requirement should be a publisher’s first move if it hasn’t already endeavored to comply with CCPA.
Another requirement for publishers is to allow consumers to send in requests to access and delete personal information, as well as to opt out of the sale of personal information. For example, this would apply to content subscribers, mobile app or OTT users, or just regular website visitors. Publishers now need a scalable and efficient way to process and respond to consumer rights requests and must maintain detailed, ongoing records for CCPA compliance.
For publishers unsure of next steps, the IAB created the IAB CCPA Compliance Framework last year to help meet the CCPA “Do Not Sell My Personal Information” requirement. This framework creates a unified approach and contractual relationship between digital properties and the downstream framework participants to enforce limitations on the use of data and mechanisms for accountability when a consumer opts out of the sale of their information. Last month, the IAB Tech Lab released its technical data deletion spec, which allows publishers to propagate data deletion requests to their ad tech partners, who then perform the deletion.
Implementing the framework and signing the limited service provider agreement are the simplest ways for publishers to pass these requests to downstream partners under a unified framework that governs how those signals should be treated.
While the publishing industry is facing a lot of different challenges, the CCPA Compliance Framework helps bridge the signaling gap between publishers and vendors.
Check out our recent webinar “CCPA for Publishers: Legal Implications, IAB CCPA Framework and CMP Best Practices”
How OneTrust PreferenceChoice is Helping Publishers
OneTrust PreferenceChoice helps publishers and advertisers implement a robust CCPA strategy with a purpose-built suite of technology solutions. Not only do we deliver easy-to-deploy products, but your team will be backed by dependable support and a team of experts to help with implementation. Use OneTrust PreferenceChoice to easily pinpoint where personal data resides and how it is used, and to streamline your ability to manage and respond to consumer rights and Do Not Sell opt-out requests.
Leverage the OneTrust Preference consent management platform (CMP) to enable opt-out of sale requests using CCPA messaging and include a “Do Not Sell My Personal Information” link on web, mobile and OTT properties. Easily track Do Not Sell requests by consumers, devices, and households. Additionally, the CMP includes support for the IAB CCPA USP Consent String.
Consumer Requests & Targeted Data Discovery
The CCPA stipulates a 45-day response timeline for consumer rights requests. OneTrust Consumer Rights Management fully automates this process from intake to fulfillment. Leverage Targeted Data Discovery to automate the manual tasks required to discover, delete, redact, opt out and process access, deletion, or CCPA opt-out of sale requests – retrieving a single person’s information in relevant systems.