Enforcement of the California Consumer Privacy Act (CCPA) will begin in a few weeks. The implications for advertisers and publishers run deep. Brian Wilson, Director of Product Management at Kochava, argues that it’s not an insurmountable task when you organise your data and tap the right tools.
In spite of the COVID-19 crisis and the uncertainty of the world this year, enforcement of the California Consumer Privacy Act (CCPA) will begin as of July 1. The regulations have been revised several times since the law went into effect January 1, with the most recent revision submitted at the beginning of June.
With so many changes in the economy and our lives, businesses may have put compliance on the back burner. We’re here to tell you that it’s entirely possible to be ready for the deadline, and here’s what you need to do, or ensure that you have in place, to be ready.
What does the CCPA cover again?
CCPA gives California residents the right to opt out of having their data sold, request to have their data deleted, know and receive what data has been collected by an organization, and receive information about their request in an accessible way and reasonable timeframe.
With California having the nation’s largest population, how this law is enforced will likely set a precedent in pending and existing state regulations as well as at the federal level.
If you haven’t done so already, talk to your legal counsel about compliance with the law. As it states, businesses that fall into the following categories must be in compliance:
● Annual revenue in excess of $25M
● Obtain information from more than 50K consumers, households, or devices
● Derive more than 50% of their revenue from the sale of consumer data
Chances are, at some point, your business will face compliance with data privacy regulations of some kind, and with CCPA’s broad scope, compliance with this set of regulations will help with others, too.
Understand your data flow
The main goal of the CCPA is to protect personally identifiable information (PII) and empower consumers to keep organizations from selling and/or reselling that data. In addition to talking to your legal counsel, familiarize yourself with what data you are collecting.
Even though you may not be requesting PII from your consumer directly, you may be tracking other data points that are considered PII under the law, such as IP address or geo-location. Knowing about the data that you, your partners, and other third-party vendors collect from your app is essential in understanding your data flow. The work you do here applies to all properties on which you gather consumer data across platforms (websites, mobile apps, over-the-top devices/connected TV, gaming consoles, etc.).
To better understand what data is being collected, ask the person in your organization closest to the data – a compliance officer or senior engineer. Understand what information you request from your consumers and what information is collected by your app. Compliance isn’t going away, so you should have a person dedicated to it.
Next, compile a list of partners and vendors that receive your data for various reasons, be it for measurement and analytics purposes, retargeting, etc., and learn what information each one is receiving. Familiarize yourself with what other SDKs are integrated within your app and what data each is collecting and sending as well.
Divide and conquer
Once you know the pieces of your data flow, you’re ready to devise your compliance strategy. Is it possible to request consent and manage it in-house? Do you have a system for handling requests when they come in? These are questions to consider.
Let’s start with how you will request consent from your users. Do you have the resources to handle this in-house? If this is the case, keep in mind that the law may change in addition to other state regulations that may emerge. You will need to stay abreast of the law and make changes to your system accordingly.
Your other option is to implement a consent management tool. A good tool implements the IAB CCPA Compliance Framework for Publishers. The IAB is the industry’s governing body and devised a standardized framework to meet the compliance regulations. In doing so, they have removed the risk and resources advertisers and publishers would be responsible for.
Kochava’s Intelligent Consent Manager determines when consent is required, and implementation is fairly simple. Existing Kochava customers can update with our latest SDK, and non-customers can implement the SDK with consent as a standalone feature.
If you consider the measures outlined above, you’re already prepared to implement it. (Note: On your end, you will still need to devise internal policies as to how to handle consumer requests for their data, including whether to honor requests outside of California too.)
The CCPA is forcing advertisers and publishers to know what data is being collected and be transparent about it with their consumers. At a minimum, map out your data and see which aspects are considered PII under the regulations. If you aren’t aware of what data you are collecting and which partners receive it, after July 1st, you’re not flying under the radar—you’re taking a risk.
Brian Wilson, Director of Product Management, Kochava