There are a lot of questions swirling around California's new Consumer Privacy Act (CCPA), which was enacted on January 1st, 2020. The good news is that enforcement action under the CCPA cannot begin until July, so brands still have some time to ensure compliance.
Essentially, this is California’s version of the EU’s GDPR (General Data Protection Regulation); however, there are some major differences in implementation.
And while this new law legally only impacts California residents, the regulations will likely impact many websites in the US, and possibly others overseas. If a company has clients in California, then it needs to comply with the CCPA, and for many, it'll be easier to make one update to their website(s) to cover new laws like this, rather than output a patchwork of IP-driven geo updates for every state or country that decides to produce a new online privacy framework.
The CCPA states that any business which collects, shares or sells the consumer data of more than 50,000 people, or produced revenue of more than $25 million in the previous year, must comply with the new law. This means that not every company needs to worry about it, for now.
Here's an overview of some of the key CCPA considerations.
What’s the difference between GDPR and CCPA?
At a high level, the biggest difference between these laws is that:
- GDPR is opt-in for consumer data protection
- CCPA is opt-out for consumer data protection
European consumers must agree to data tracking, generally via a notification pop-up that they can click on any given website. Since it was enacted in 2018, 95% of consumers have opted in to relevant data tracking via these notifications - that means that only 5% of European Internet traffic isn’t being tracked under this law.
In addition, the GDPR also allows European consumers to have their data wiped and/or provided to them on request.
CCPA, on the other hand, is an opt-out law, which means that the same type of pop-up a consumer might see on a GDPR-compliant website will instead ask if the consumer wants to opt out of being tracked via cookies. In addition, under the CCPA, consumers are supposed to be given the option to deny companies the ability to sell their data as they see fit. It’s anticipated that this will see a rise in “don’t sell my data” buttons built into the footers of business websites.
“Even when there’s the option to say no, maybe 10% of the people say no” to having their data sold to third parties, says Ben Barokas, CEO of SourcePoint.
Based on the opt-in data from the GDPR, my guess would be that the opt-out will likely see similar take up to the numbers from Europe – 5% of consumers will likely take action as a result of having the option readily available.
Why is Internet tracking of consumers so important to business?
To cut a long story short, tracking consumers’ online behavior enables companies to deliver the right content to the right person at the most optimal time. This is good for both the business and consumer - the business only wants to invest in advertising for true prospects at the right time, and by doing this correctly, it can have a big impact on ROI.
At the same time, according to research by Adlucent, seven out of 10 consumers want personalized ads.
Four out of five consumers say that they’re more likely to make a purchase when given a personalized ad by a brand, and 71% of consumers get frustrated when their online shopping experience is too impersonal.
The stats above make the estimates of a 5%-10% opt-out rate under CCPA palatable for our purposes. Most consumers actually don't want to opt out for these reasons, and many of the rest are likely too lazy or aren’t knowledgeable enough to do so.
Why are these new Internet laws being enacted?
A couple of years ago many, including myself, predicted the death of cookies for tracking folks online. And while this hasn’t happened as yet, it certainly seems like cookies are nearing the end of their life span.
“Proprietary HTTP cookies were (and remain) the core mechanism for distinguishing one consumer from another, and each cookie may only be read by the party that sets it. There is no standardized, centralized mechanism for consumers to convey their interests or privacy preferences, which can then travel with them and be reliably broadcast to the right parties as consumers surf the web or hop from app to app on their mobile devices.”
~Jordan Mitchell, IAB Tech Lab
The above describes the consumer privacy problem that led to Europe’s GDPR and the new CCPA in California, while the privacy controls of most browsers have now made cookies less effective at tracking, anyway.
As a result, we're gradually moving towards a singular identifier across the entire web, rather than private cookies from every website and app used. This will demand that our technology stacks evolve and innovate on this new standard - which, it's worth noting, will also be opt-in.
Content marketers need to educate themselves on consumer privacy and tracking technology, because one way or another, they will need to adjust.
The end result?
Cookies are eventually going away, and consumer privacy protection laws will grow globally. The replacement of the cookie will likely be a “global” one-click opt-in or opt-out for all websites and apps bound by these laws.
This will impact real-time bidding advertising online, but based on consumer input, that impact will be limited.
Most consumers like personalization online, and that’s not likely to change anytime soon. The balance then lies in ensuring the safety of the data you collect, maintaining consumer trust, while also utilizing relevant, valuable insights to underline the inherent value of such processes.