Imagine being stuck in the path of a storm. From the meteorologist on TV, what you've read online, maybe even what you feel in your arthritic knees, you know the storm is heading your way. At this point, it's simply an inevitability. The particular form the storm takes, however, is still in question. Do you prepare for high winds? Torrential rain and floods? Or maybe all of the above?
That's precisely the predicament the digital advertising industry finds itself in regarding the California Consumer Privacy Act (CCPA). We know landfall occurs in January 2020, with enforcement beginning the following June. But exactly how CCPA impacts the ecosystem is still up in the air as legislators continue to fine-tune its scope and verbiage. However, that uncertainty doesn't mean that companies should delay preparations – at least in broad terms – for its arrival.
Given the notoriety that GDPR continues to garner, perhaps the best way to view what we know about CCPA thus far is through a GDPR prism. Where GDPR is more of a blanketing regulation that prohibits tracking the personal information of any data subject that hasn't completed an opt-in to share data, CCPA operates in a grayer area.
First of all, CCPA only impacts for-profit entities that have annual revenues greater than $25 million, handle the data of at least 50,000 California residents, and derive at least 50% of their revenue from selling that data. In this respect, GDPR is a stricter regulation, at least given what we know about CCPA so far.
In terms of penalties, legislators have designed CCPA to be reactive, where violations are only triggered in the event of a breach. In contrast, GDPR is preemptive and doesn't need a data breach to trigger violations. However, that's not to say that CCPA doesn't wield a potentially devastating economic impact for data privacy violations.
Depending on the circumstances, CCPA can carry just as mighty a sword as its EU-based older cousin. When a breach occurs, pre-existing violations are swept into consideration, with maximum penalties of $2,500 for each unintentional violation and $7,500 for intentional ones.
To put those fines in perspective, let's say a hypothetical business has 100,000 customers in California and is the target of a data breach. Investigators discover that the company had inadvertently collected, processed, and sold the personal data of 20,000 California customers who had opted out of data sharing.
If, for instance, this hypothetical company had been working with a third-party data source that was the actual source of the violations, the company is still liable. Under maximum penalties, these inadvertent violations would still amount to $50 million in fines, which, obviously, can quickly dismantle even large enterprises. Also, under CCPA, it's important to note that the "sale" of a Californian's consumer data doesn't necessarily have to involve actual payment. Only the exchange of valuable consideration is required to meet CCPA's definition of a sale.
While it's true that, at its heart, regulators intend for CCPA regulations to curtail the unregulated use of third-party data sources, the extreme popularity of such sources makes the entire digital ad ecosystem susceptible. To that point, just look at how reliant programmatic is on third-party data sharing across countless participants and tools. Consumer data is what allows today's digital ad industry to message the audience with such precision.
Therefore, under CCPA, making sure your own house is both in order and compliant isn't enough to protect your interests. CCPA compliance must also include all third-party service providers that have access to protected personal data, extending to IP addresses, search history, browsing history, geolocation data, and interactions with websites and ads.
Further, a ubiquitous practice like retargeting might also be in the CCPA crosshairs, depending on the final verbiage of the regulation. Taking a worst-case scenario for the industry, even the legitimate use of pixels, cookies, data syncs, and other acceptable forms of tracking can potentially be violations. When factoring in the extensive use of third-party data sources and susceptible ad tech, CCPA can drive fundamental changes in the way programmatic functions from here on out.
Thankfully, the industry seems to understand just how critical the impact of CCPA and similar data protection acts might be for the ecosystem. In our recent report, The 2020 State of Ad Quality, we found that data compliance surpasses auto redirects and malware as the top priority for industry participants in 2020, up over 70% from 2019 figures.
Preparation for CCPA really amounts to a two-step process, where the first involves educating yourself on the nuances of the regulations, and the second is taking effective action. Granted, this isn't entirely possible yet since we don't fully understand the scope and intricacies of CCPA. However, this doesn't mean that the industry should sit on its hands while waiting for the final verbiage.
At Ad Lightning, we're already actively designing mechanisms that will help protect our clients from CCPA violations. One of the solutions we're pursuing is an audit tool that will provide visibility for companies across the digital ad supply chain. This tool will integrate audience profiles that keep track of user preferences, storing any opt-out information that a company can actively monitor for compliance.
From a broader perspective, we'll be able to customize this type of tool for CCPA, GDPR, and future privacy laws, providing a single solution that covers different regulations with varying jurisdictions and guidelines. This approach empowers the digital advertising ecosystem with a proactive tool that allows it to actively gauge compliance, identify potential weak points, and quickly take action.
Of course, we'll have more to say once we fully understand CCPA later in 2020, but, for the time being, it's time for the industry to educate itself and embrace tools that will help it traverse these new and powerful regulatory forces.