In an era of increasing digital privacy concerns, the California Consumer Privacy Act (CCPA) is a significant regulation that protects California consumers while obliging businesses to take measures to protect their personal information. Understanding and complying with the CCPA is not just a legal requirement for publishers in the rapidly evolving field of online advertising, but also an essential stage toward gaining trust with the audiences.

In this article, PubPower will give a detailed understanding of CCPA and how to prepare and implement it.

What is the California Consumer Privacy Act (CCPA)?

The CCPA law gives California consumers more control over their personal information and how businesses use it. It applies to any company that collects, sells, or shares personal information from California residents and meets certain requirements, such as having a net revenue above $25 million or collecting information for more than 50,000 consumers, households, or devices.

Publishers are businesses that operate websites, apps, or other online platforms that provide content to consumers. Publishers often collect personal information from their users, such as IP addresses, cookies, device identifiers, browsing history, and preferences. Publishers may also sell or share this data with third parties, such as for marketing purposes, data suppliers, or data brokers, to increase profits or improve their services.

What kind of information is protected by CCPA?

Personal information under the CCPA is broadly defined and includes:

• Identifiers: This includes traditional identifiers such as name, postal address, email address, social security number, driver’s license number, passport number, or other similar identifiers.
• Biometric Information: Characteristics of an individual’s physiological, biological, or behavioral traits, such as fingerprints, faceprints, voiceprints, or iris or retina scans.
• Internet Activity: Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
• Geolocation Data: Precise location information about a person or device.
• Professional or employment-related information: current or past job, including employment history, performance evaluations, or disciplinary records.
• Commercial Information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
• Financial Information: bank account number, credit or debit card number, or other financial information.
• Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information: This includes recordings of phone calls, video recordings, or other forms of audio, visual, or sensory information.
• Biographical Information: Information describing or reasonably capable of being associated with, directly or indirectly, a particular consumer or household.

What does CCPA require publishers to comply with several obligations?

The CCPA requires publishers to comply with several obligations, such as:

Providing notice to consumers about what personal information they collect, how they use it, and with whom they share it. This notification should be clear, obvious, and easily accessible, with a link to the publisher’s privacy policy.

Responding to consumer requests to access, delete, or correct their personal information or to opt-out of the sale or sharing of their personal information. Publishers should have a strategy for consumers to submit these requests, such as a mobile number, an e-mail address, or a web form.

Verifying the identity of consumers who make requests and providing them with the requested information or action within 45 days, unless an extension is necessary.

Does business outside California have to comply with the CCPA?

The CCPA applies to for-profit businesses that collect or sell the PII of CA residents (or have others collect personal information for them), determine why and how the information will be processed, do business in California, and meet any of the following thresholds:

• Have a gross annual revenue of over $25 million for the preceding calendar year;
• Buy, sell, or share the personal information of 100,000 or more California residents or households; or
• Derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.”

This means that any companies that are collecting California residents personal information and meet one of the three criteria above have to comply with CCPA.

The CCPA is enforced by the California Attorney General, who can impose civil penalties of up to $2,500 per violation or up to $7,500 per intentional violation. Consumers can also sue businesses for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater, if their personal information is subject to unauthorized access, theft, or disclosure due to the business’s failure to implement reasonable security measures.

What should publishers do to prepare for CPPA?

Publishers should not discriminate against consumers who exercise their CCPA rights, such as by charging them a different price, providing them with different quality of services, or denying them access to their content. They must provide equal treatment to all consumers, regardless of whether they choose to exercise their rights under the CCPA. This ensures that consumers feel empowered to exercise their privacy rights without fear of facing negative business consequences.

Publishers should also be aware of the commitments of their service providers and third parties who get individual data from them. Publishers should guarantee that they have contracts or agreements with these entities that indicate the purposes and restrictions of the information processing, which forbid them from selling or sharing customers’ information without their agreements.

The CCPA is a complex and evolving law that may affect publishers in different ways, depending on their business model, data practices, and audience. Publishers should consult with legal counsel and privacy experts to understand and comply with the CCPA requirements and regulations.

How Pubpower is helping its publisher partners prepare for CCPA

Seeing that this may be a problem for publishers, PubPower provides tools and features for publishers to manage user consent regarding data collection and processing. This involves obtaining explicit consent from California residents before collecting their personal information for targeted advertising purposes. We assist publishers in developing and implementing data handling policies that align with CCPA requirements, including data minimization, purpose limitation, and data retention policies. In addition, we also keep our publishers up-to-date by sending mail to provide you with the best possible solutions.

The webmaster’s satisfaction is our priority. If publishers have any problems with the CCPA policy, they can directly contact their PubPower account manager to discuss and receive advice if those changes affect their revenue.

You can see the instructions for consent compliance here

For more detailed information about CCPA, you can check it out here!

FAQ

What companies must comply with CCPA? 

“The CCPA applies to for-profit businesses including businesses outside of California that collect or sell the PII of CA residents (or have others collect personal information for them), determine why and how the information will be processed, do business in California, and meet any of the following thresholds:

• Have a gross annual revenue of over $25 million for the preceding calendar year;
• Buy, sell, or share the personal information of 100,000 or more California residents or households; or
• Derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.”

Does GDPR cover CCPA?

No, these are 2 different companies that are not related in any way. 

GDPR is a comprehensive data protection regulation enacted by the European Union (EU) and applies to businesses that process personal data of individuals within the EU, regardless of where the business is located. It sets forth stringent requirements for data protection, including principles such as data minimization, purpose limitation, and accountability.

CCPA, on the other hand, is a state-level privacy law in California, United States, and applies to businesses that collect personal information of California residents, regardless of where the business is located. It primarily focuses on regulating the sale of personal information and grants California residents specific rights over their personal data, such as the right to know, the right to opt-out, and the right to delete.

While GDPR and CCPA have similarities in their goals of enhancing data privacy and protecting consumers’ rights, they are separate legal frameworks with different scopes, requirements, and jurisdictions. However, some businesses may need to comply with both regulations if they process the personal data of individuals in both the EU and California.