Bracing for sweeping new data privacy law

How brands are preparing as the California Consumer Privacy Act becomes a reality in 2020
By George P. Slefo. Illustration by Tam Nguyen. Published on October 14th, 2019
Marketers and publishers are less than three months away from dealing with a new law that could have the largest impact on digital advertising since the introduction of the iPhone. The California Consumer Privacy Act, or CCPA, takes effect Jan. 1, bringing a host of new regulations to the nation’s largest state that will significantly restrict how brands collect and manage the consumer data that has fueled digital advertising for years.

The law, for instance, will require an “opt out” button on every page of every website, allowing consumers to easily tell companies they do not want any of their data to be collected or sold. Consumers can also tell tech companies, publishers or brands to delete their data. People may also opt out from a company’s terms of service without losing access to its offerings. Companies are also barred from selling data on anyone under the age of 16 without explicit consent. Industry players could face even stricter rules as a result of a new proposal that could be headed for the November 2020 ballot.

California’s attorney general won’t enforce CCPA until July, but can punish those found to have violated the law at any point after Jan. 1. The law applies to any business in California that generates at least $25 million in revenue. Companies that make 50 percent of their revenue from buying, selling or gathering consumer data from at least 50,000 California residents are also included.

Lawmakers in other states are pursuing similar legislation—Nevada’s law already took effect on Oct. 1. But CCPA stands out due to the Golden State’s sheer size, as well as how it’s influencing other states to adopt similar privacy frameworks.

“California is the largest state in the country; 40 million people live there,” says Eric Shih, global senior VP of business development at Teads, which works with publishers in filling video ads. “It has the biggest economic impact. Most of the large tech providers are based in California, so there is significant influence.”

California’s privacy law comes into play following previous scandals such as Cambridge Analytica or targeting that many consumer advocates feel is borderline creepy. “I sincerely believe that the aftermath of the 2016 election, the Mueller report, Cambridge Analytica, the scandal-after-scandal involving Google and Facebook, that the general public has had enough,” says David Carroll, the associate professor at Parsons School of Design who filed a lawsuit against Cambridge Analytica to gain a better understanding of what data the company has about him. “Lawmakers detect the sentiment of the general public, and that has given them a chance to stand up to the lobbyists because they now have voter support to go hard on privacy issues.”

The problem with patchwork

As brands brace for the sweeping changes, industry trade bodies are intensifying their lobbying for a single national data privacy law to avoid a nightmare scenario of having to deal with a litany of differing state regulations.

“A patchwork of laws will be very damaging to advertisers who collect and use data,” as they would have to abide by different sets of rules, says Daniel Jaffe, group VP of government relations at the Association of National Advertisers, which is lobbying alongside the Interactive Advertising Bureau. But Jaffe says passing a federal law will be “tremendously difficult because of the conflict in Washington,” including the impeachment drive and trade war with China. “All of that is taking a tremendous amount of time and bandwidth.”

Jaffe, who spent 11 years working for House and Senate staffs before joining the ANA in 1985, says the only thing the trade bodies can do “is to push very hard and see what you get. I wouldn’t rule out a federal law, but it’s going to be an uphill battle.” Fragmentation, or a patchwork of laws, he says, “is likely if I had to bet.”

Hawaii, for example, is pushing for a bill similar to CCPA, as are Massachusetts, New Jersey, Pennsylvania, Rhode Island and Washington (the last of which is said to be broader than CCPA). Even Puerto Rico is using CCPA as a framework for its own privacy law. In total, 27 states are in the early stages of setting some sort of privacy laws, and not all are similar to CCPA, according to Chris Babel, CEO of TrustArc, which consults on, and provides tools for, privacy compliance.

Nevada’s law is being closely watched since it is the first one to take effect. Unlike CCPA, where companies must meet a financial threshold in order to be found in violation, Nevada’s law applies to businesses that specifically target its residents, regardless of their revenue. It’s similar to CCPA, but the fines are significantly steeper, as the state will hit companies with a $5,000 fine for each violation.

The privacy regulation endgame could well result in a scenario where brands, ad tech companies and others must comply with 52 different sets of laws—if you include Puerto Rico and Washington, D.C. That’s on top of dealing with the European Union’s Global Data Protection Regulation, which took effect in May 2018.

In California, “it’s extraordinarily complex, and even chaotic at the moment,” Jaffe says. “If I’m a consumer and on Jan. 1, 2020 I demand a brand to send all its information on me, I better be able to do that. That means companies must keep track of all the information coming in, put it in a format to provide to the consumer and make sure they are giving it to the right consumer—because there are fines” for giving it to the wrong consumer, as it would be considered a data breach.

Babel makes an analogy to how the security industry has dealt with a patchwork of data breach laws. The industry was watching states one-by-one adopt their own laws for what happens when a company has a security breach. Like the ANA and IAB, security trade bodies pushed lawmakers to adopt a federal standard. “That was 10 years ago,” Babel says. “And they’re still fighting for a federal law today.”

Patchwork quilt: A look at 27 states (and Puerto Rico) with privacy laws on the books or in effect

More than half of U.S. states, from Arizona to Washington, have privacy legislation pending or in place—which advertisers say will make it nearly impossible to navigate individually. But ad groups fear a single national law will be all but impossible, due to political conflict inside the Beltway.

Hard to comply

California’s law arrives as brands grapple with other forces that complicate consumer-tracking efforts. For instance, following consumers online via cookies has already become significantly more difficult, thanks to changes made by browsers including Apple’s Safari, Google’s Chrome and its updated incognito mode, Mozilla’s Firefox and others such as Brave. While those changes were made in the interest of consumer privacy, their implementation actually makes it harder for companies to comply with the California law. For instance, publishers such as Tribune Publishing—whose holdings include the Chicago Tribune, Baltimore Sun and New York Daily News—must remember when a user opts out from having data collected.

“We have to ask the consumer if it’s OK to sell their data,” says Grant Whitmore, chief digital experience officer at Tribune Publishing, who jokes that CCPA and other regulations “fill me with tears.” He says that “once CCPA takes effect—and Safari is already retiring a person’s cookie after 24 hours—what happens if we don’t see you again? We don’t know who you are anymore without cookies.”

If someone in California visits a Tribune site using a Safari browser, for example, and opts out from having data collected, then Tribune has no idea what to do when that person revisits their website in the future, because they won’t know who they are.

nts to use its first-party data to target a Tribune Publishing reader, but that person has opted out from data collection, then the Tribune cannot make that match for Macy’s. Instead, Whitmore says the company will offer readers who are “likely Macy’s shoppers” for the retailer to target, resulting in less precision than in pre-CCPA days.

There are other hurdles, like dealing with consumers who use multiple devices. “You can’t ask a user each time they come to your site on a different device, like mobile in the morning, desktop later in the day and maybe a tablet at night, for permission,” Whitmore says. “Managing consent across devices, coupled with the changes browsers have made with cookies, has created a scenario where it feels like we’re walking in a minefield.”

Additionally, many in the industry are unsure what to do when someone from California visits another state, making it hard for them to determine his or her home state and therefore apply California rules.

For companies such as retailers and airlines that rely on rewards programs to generate first-party data, CCPA presents both challenges and ambiguity. Under CCPA, a person cannot be discriminated against if they choose not to provide their information. A brand can collect personal information for loyalty programs as long as value is being provided, but what “value” is remains unclear, says Jaffe. He says the trade body and others are still waiting for clarification from the California attorney general.

“There is no cut-and-dry answer,” Jaffe says. “It might get too complicated, so brands may decide to cut their loyalty programs and get out.”

In the midst of the chaos, agencies are providing support, but they’re also being careful not to overstep, says Rachel Glasser, chief privacy officer at Wunderman Thompson. “There’s a difference between providing a service and offering legal advice,” Glasser says.

“For us, and a lot of other agencies, we need to make sure that data partners are buttoned-up,” Glasser says. “We need to make sure we are getting kosher datasets, make sure the right disclosures are being made for our clients.”

Allison Pepper, senior VP of government relations for the 4A’s, says “agencies are in a unique position, but they are more back end.”

She elaborates: “They don’t have the direct-to-consumer relationships, but what they are doing right now—and it’s something we always recommend—is data mapping: Look at how your data is being shared through every campaign. Where are you buying it? Where are you selling it, and where is it going?”

Babel of TrustArc says it’s critical for brands to look under the hood and see who they are working with, but he adds that brands should also purge any data they don’t use. “Only keep what you need,” Babel says, adding that first-party data is critical in this new era of consumer privacy regulation.

Preparing for the unknown

The law has forced organizational changes inside companies as they race to comply. Tribune hired its first VP of privacy last week, and began working with several third-party vendors such as TrustArc to help it navigate the regulation minefield. Tribune has looked under the hood of its websites to see who it was working with, where its data was going and which of that data would be under compliance. Issues arise, however, when two different types of data are compliant on their own, but not when mixed together, says Whitmore. Although he declines to cite how much it has cost Tribune Publishing to hire several third-party vendors, he says, “the cost is not insignificant.”

Ultimately, however, Whitmore says the company has put itself in a position to adapt quickly to any regulation changes that arise as more states pass privacy laws. But other companies might not be so lucky. Whitmore predicts small and medium-sized publishers that do not have the financial resources to navigate privacy regulation such as CCPA will likely die off “in the next 12 to 18 months.”

Web production by Corey Holmes