Though it pursued a noble cause, the California Consumer Privacy Act (“CCPA”) was passed via an undemocratic and unconventional process. A privacy-conscious California, real estate developer spent $3 million and managed to qualify a very broad data privacy regulation as a measure for the 2018 November midterm elections. If a vote by California’s general public had passed the measure, it would have been challenging to amend; thus, when a compromise was offered, the California legislature sprung into action. CCPA was enacted through a non-inclusive process in only seven days. Its first released draft was a verbose and ambiguous law. Since then, there have been several amendments to clarify vagueness and confusion. The official enforcement date for CCPA was July 1, 2020. The past year has seen several lawsuits brought to the California Attorney General.
The law's main purpose is presented as protecting the “personal information” of “consumers,” conferring a number of new rights on Californians and potentially curtailing the actions of advertisers. The Attorney General can impose fines amounting to $2,500 for each violation or $7,500 for each intentional violation of the law. A private right of action is also conferred on individuals in the context of data security breaches. The statute applies to any for-profit business conducting business in California (or conducting business with California residents) that:
- Has revenue of $25 million or in excess.
- Annually purchases, receives for commercial purposes of the business, shares or sells for commercial purposes the “personal information” of 50,000 or more consumers, households, or devices.
- Derives half or more of its annual revenues from selling the “personal information” of “consumers.”
Applicability extends to entities that exercise control over or are controlled by a covered business. There is some applicability to “service providers” as well, though they are largely exempt. Thus, many large corporations have attempted (and, up to this point, succeeded) to classify themselves as service providers to escape liability. Smaller businesses and advertisers have not been able to have this ‘luxury.’
The CCPA imposes numerous requirements on businesses and advertisers. There are several disclosure requirements: a disclosure of general practices upon initial data collection and a more robust disclosure to a consumer upon their request, which must include information on data sharing practices and beyond. Businesses must provide specific request mechanisms, including a conspicuous link on a website’s “homepage” and a toll-free number that consumers may call. Consumers must be able to opt-out of data sales through a link similar to the one previously mentioned, and the link must read “Do Not Sell My Personal Information.” Businesses are prevented from prompting consumers to opt back in for 12 months. Consumers must also be capable of opting out of third-party data resales. There is an opt-in requirement for data sales pertaining to minors.
Specifications for disclosures of opt-outs and specifications for privacy policies are enumerated in the statute. Subject to a number of exceptions, consumers may request for their data to be deleted, thus granting a very limited right of erasure. Businesses must not discriminate against consumers for exercising their rights under the statute but are allowed to provide “incentives” against them doing so.
A more in-depth overview of the CCPA’s contents and requirements can be found here.
CCPA Reception
The CCPA was widely perceived as a weaker version of the General Data Protection Regulation (GDPR), the European Union’s data protection law. However, it remains the strongest privacy law in the United States. The federal government has not yet passed a comprehensive privacy statute for the private sector, and at this point, it remains unlikely. On the state legislative side, the CCPA had almost instant nationwide influence. Within months, several states, including Maine, Nevada, Connecticut, Hawaii, Illinois, Louisiana, Massachusetts, Mississippi, New Jersey, New Mexico, New York, Pennsylvania, South Carolina, Texas, Rhode Island, and Washington, introduced privacy legislation of their own, most mirroring (similarly or exactly) the CCPA. There are currently eight states with active bills and sixteen with bills that either failed in committee or were postponed. This potential patchwork of somewhat similar but slightly different state privacy laws prevents a challenge for businesses — more so, smaller ones than the larger ones that CCPA was intended to capture. Larger tech companies have had little trouble “complying” with the CCPA. Most self-asserted as “service providers” that did not “sell” consumers’ personal information, therefore broadly exempting them from the wider reach of CCPA’s arms. Some giants, such as Amazon, refuse to even answer CCPA requests, claiming that they are already fully compliant when Amazon’s practices starkly contrast this. In fact, the practices of most large tech companies do. Many seem to have a lax attitude about the CCPA, even viewing it as an opportunity to bolster user confidence amid growing distrust. Thus, smaller businesses and advertisers have been far more severely impacted by the law than the ones at the very top, creating an even more stark divide in the Internet ecosystem.
New Changes in CCPA Enforcement
It has recently been reported that California Attorney General Rob Bonta has been sending out enforcement letters that clarify the scope of what classifies as a data sale. Though the recipients of these letters remain confidential at this time, it is estimated that at least ten and potentially more than twenty letters have been sent. The letters clarify one of the most significant ambiguities, and in fact, the one which big tech companies were relying on: data tracking for analytics and advertising, including cookie-based tracking, all fit within the CCPA’s definition of a “sale.”
Due to the technological nuances inherent in these tools, it is still challenging to create a bright-line rule. However, one thing is certain: change is coming, and big businesses may finally have to pay. Up to this point, large tech companies have circumvented CCPA liability by claiming they do not “sell” data. However, under this freshly clarified definition, that is objectively false. They were capitalizing on a grey area, and that grey area is now clear: cookies and other tracking technologies sit firmly in the crosshairs of the CCPA. The enforcement letters further clarify that general third-party opt-outs will no longer be sufficient for compliance. This may finally be a move to level advertisers' playing field, but the results are still yet to be seen.
Take a look at the privacy policy of any giant, Amazon, Facebook, TikTok - they all state that information is shared with third-party providers for advertising or analytics purposes. Amazon has said that it “is not in the business of selling our customers’ personal information.” An Amazon spokesperson stated that it complies with CCPA “fully,” adding that its “...advertising system does not rely on selling customers’ personal information to deliver ads.” Of course, these statements were made based on the grey area of the CCPA that was previously exploited. According to Amazon’s privacy policy, some information is shared with advertisers to help with targeted advertising efforts. Consumer advocates have long argued that this is one of the situations that the CCPA was intended to encapsulate, even if the relevant transaction does not involve a direct sale, in the straightforward definition of the word. It is indeed ironic that the largest tech giants suffered the least from the implementation of the CCPA when they are the exact entities that the law was drafted to affect. This is why the clarification of the grey area makes so much sense - and is long overdue.
Implications for the Data Ecosystem
Privacy concerns in the US have been steadily mounting amongst the general public. Recently published data has shown that if given a chance, users will opt-out: in the wake of iOS 14.5, Apple has found that 96% of users are opting out. Now that all analytics activity will be classified as a sale and thus subject to the CCPA and its opt-out provisions, what could this mean for publishers, advertisers, DSP providers, marketers, and the data ecosystem as a whole?
Third-party data could completely be annihilated as we know it since most people will opt out if given a chance. Coupled with Google Chrome’s upcoming phase-out of third-party cookies come 2023, the landscape is shifting significantly.
Let us take a look at a relevant case study: LiveRamp. LiveRamp is a data broker, which essentially means their entire business is buying and selling personal data for analytics and advertising purposes (which, distilled, seems to imply that their entire model is a violation of CCPA, though they do not believe this is the case). LiveRamp collects nearly everything about an individual (name, driver’s license information, home address, employment data, all Internet activity, geolocation data, and more) and obtains such data nearly everywhere (“online and offline database providers”). Of course, this is vague on purpose, as the truth would likely be far too startling for a user. If information is coming from everywhere, on everything, how would any sort of opt-out ever be fathomable? The matter is that it is not - opting out is not a reality in the current big data ecosystem and likely never will be.
This is why clarification of the definition that includes analytics as a sale could change the entire ecosystem. True opt-ins are rare and incredibly valuable — they are, in fact, the only way to be fully compliant with the CCPA. They cannot be achieved by restricting access to a service unless terms are accepted, as is presently done.
Businesses could potentially be subject to massive fines — up to $2,500 or $7,500 per violation, though it is presently unclear what would constitute a violation. Is each individual cookie a violation? Does each user qualify as one violation if a business or advertiser’s practices as a whole are violative? The answer is yet to emerge, but the fines could be record-breaking. Tech giants have millions upon millions of users and often employ many cookies per user. Though any numerical estimates are mere speculation, the outcome will be closely watched.
The Solution
So what can businesses and advertisers do? The value must be provided for opting in or allowing data to be collected and shared, because as previously discussed, most people will opt-out if they can. Consumers are not stupid - they know the reality of the world we live in and that truly opting out is unrealistic or impossible, which is why they are keen to opt-out of choice is offered. However, 79% of consumers are willing to share their personal & preference data for a reward - meaning the number of opt-outs would drastically decrease to manageable levels. Consumers will accept compensation in return for not opting out. In fact, 75% of consumers say they want to be rewarded for engagement beyond making purchases. Additionally, the value will create a more robust opt-in because users have actively chosen to opt-in rather than opt-out. Beroe, Inc. has found that investment in rewards proves to be the most effective customer acquisition strategy.
Several types of value can be offered - loyalty programs exist that offer points, cash, cryptocurrency, or other incentives. Money is an easy option, for it is a tangible and immediate benefit to a user. But cryptocurrency presents a more unique and lucrative opportunity. Over 64% of American adults are interested in cryptocurrency, with an even larger portion (some studies suggest over 90%) of the younger generations interested. Cryptocurrency is a particularly attractive method of compensation due to its ability to appreciate value over time. Furthermore, it can be converted into other nations’ currencies, making it a global solution in a very globalized world.
Furthermore, businesses should be prioritizing first-party data (meaning data they collect themselves, rather than obtain from other sources) over third-party data. In addition, 92% of leading marketers say that using first-party data is critical to growth. 81% of marketers see strong ROI from using first-party data in campaigns. First-party data is also far less likely to run against legislation like the CCPA, which of course, hinges on transferring data from one processor or controller to another.
In conclusion, for marketers, obtaining their own data from consumers and rewarding consumers for it is the best strategy forward. This will allow for a viable solution that is in line with what consumers support. It would be a choice consumers could feel good about that may keep them returning to a brand. Furthermore, it’s compliant, which is always the best choice.