California: land of sun, surf, Redwoods, Hollywood and, of course, consumer privacy regulations.
The Golden State was a US pioneer when it passed the California Consumer Privacy Act (CCPA) back in 2018, giving California residents the right to know what personal information a business collects about them and how it is used and shared, the right to delete personal information collected from them (with some exceptions), the right to opt-out of the sale of their personal information, and the right to non-discrimination for exercising their CCPA rights.
But today, there’s a new regulatory act in town: the California Privacy Rights Act (CPRA). Building upon the CCPA, the CPRA adds some new rules, clarifies some old ones, and introduces dedicated resources for regulatory enforcement to help ensure California consumers’ control over their personal data. The CPRA also ushers in a year that will see five new state-level data privacy acts take effect, with regulations also debuting in Virginia, Colorado, Connecticut, Utah.
To get a better understanding of the latest laws and see how they could impact the digital advertising industry, we spoke with Derek Zolner, General Counsel at Basis Technologies, about the CPRA—the most expansive of the acts.
Here are some highlights from that conversation, including how the CPRA builds off the CCPA, what companies have to do to comply, and how it will impact the programmatic advertising industry:
California’s initial foray into the world of consumer privacy regulation was 2018’s California Consumer Privacy Act (CCPA). That was really the first stake in the ground for privacy legislation here in the US. Prior to that, we had some self-regulation for our industry, and good citizens were already doing a lot of the stuff that the CCPA required—for example, in our ads and on our website, we have long allowed people to opt out of targeted ads based on cookie use—but the CCPA requires you to give people a right to opt out.
And now we have the CPRA, aka the California Privacy Rights Act, and that does a couple of things. One, it gives California some broader enforcement rights, creating a California Privacy Protection Agency that's dedicated to (and responsible for) enforcing the act. That, to me, indicates we're probably going to see more enforcement actions coming down the pike.
But it also builds upon the foundation laid by the CCPA in a few ways. The biggest part for our industry? The CCPA had a requirement that if you were selling data, then you had to have an opt-out on your website that said “Do Not Sell My Personal Information.” A lot of people in the digital advertising industry read this definition of “sale” very technically, arguing that if you weren't actually bundling up data, giving it to somebody, and saying “Pay me for this data,” then it wasn't a sale. At Basis, we didn't take that point of view, electing instead to honor the spirit of the law—i.e. giving consumers the right to opt out of things like what we do with cookie data, mobile ID data, and IP address data.
But the CPRA eliminates any ambiguity around how to interpret this aspect of the law by now requiring companies to give consumers the opportunity to not only opt out of the sale of their personal information, but also of giving or sharing that data with someone else, including a third party that might use it for cross-context behavioral advertising.
Essentially, the CCPA, CPRA, and the other data privacy acts that are popping up around the US are establishing legal enforcement mechanisms around personal control of one’s personal data and codifying many of the core principals of our industry—namely, transparency, notice, and the right to opt out. Only now, instead of the industry self-regulating these matters, state governments are intervening to take control of that enforcement.
The aforementioned opt-out message (ex. “Do Not Sell or Share My Personal Information”, “Opt Out”, “Your Privacy Rights”) has to be conspicuous on a company’s website and easy for consumers to access/use. Since any company currently operating in California should already have a “Do Not Sell” option on their site, many are choosing to simply add “or Sell” to the same link and give consumers the option to do both on the same page.
At Basis, we made updates to our website so that visitors from California have enhanced opt-out rights. One of the main thrusts of CCPA and CPRA is that California consumers can come to organizations like Basis and say, “Hey, what personal information do you have about me? What are you doing with it? And, if I want you to, please delete it or correct it or limit your use of it.” So we offer that to visitors from California through a link on our website, and then we then have 45 days to respond and let them know we're doing so. Additionally, for CPRA, there are some enhanced requirements for contracts between parties that clarify what their relationship is, and so we've retooled some of our contracts with customers and vendors to include what we believe to be those necessary requirements. It’s all about being clear, accurate, and truthful about what your relationship is.
But even with any of the minor changes that we might have to make, I don't view them as changing anything core or fundamental to how we operate, nor do I view it as unnecessarily burdensome for to us to allow people to have access to information about what's going on with personal data for them.
When CCPA came into effect, there was some concern that the sky was going to fall. The fear was that everybody was going to click on that “Do Not Sell My Personal Information” link and that cross-contextual behavioral advertising was going to go kaput—at least as it related to California consumers—because everybody was going to opt out.
In fact, that's not been the case. The opt-out rates are very, very low, because (and this is not a legal explanation, but just sort of my intuitive opinion) people tend to take the easy way. What people want when they visit a website is the content, and whatever they think is the easiest way to get to that content, they're going to do. I think people are conditioned to just click accept on the website or whatever it is they need to get to the page they want so they can either watch the video that they're looking for or read the article or whatever it is. And so I don't perceive that these requirements are going to have a significant impact on our ability to continue to conduct cross-contextual behavioral advertising with programmatic buying.
If anything, I think the main impact of this is on compliance teams and lawyers, in that everybody that operates a website in California with any amount of volume is going have to do some compliance work to make sure they're adhering to the regulations. But beyond that, I don't think it's going to result in a in a meaningful economic change to how our business operates and works.
Until you have a fundamental change like you have in the EU, where you require “Opt-In” consent (vs. somewhere like California that only requires an “Opt-Out”), I don't think it's going to have a material impact on the amount of data that companies can use for behavioral advertising. What's likely to have a much greater impact is a technical change, like if third-party cookies ever go away from Google Chrome. That, in my opinion, would be a much more significant event than this legal change.
Generally speaking, at Basis, we we're in favor of anything that gives consumers more control of their personal data. Personally, I would be strongly in favor of having one point of reference for that—namely, a federal act—rather than 50 state acts that set up this sort of regional patchwork of compliance, and I think that aligns with where we sit as a company.
Looking for guidance on how to effectively connect with consumers while respecting their privacy rights? Check out Beyond Third-Party Cookies: Your Guide to Overcoming the Identity Crisis.