CCPA and the Future of Privacy-First Digital Advertising
There are still potential amendments to CCPA that are being discussed and we will make updates to this POV if necessary.
What is CCPA?
The California Consumer Privacy Act (CCPA) - which goes into effect on January 1, 2020 - grants California
residents (“consumer”):
● Control over:
○ What entities are collecting their data
○ What type of data is being collected and for what purpose
○ Who the data is being sold to / shared with and for what purpose
● The ability to delete the consumer’s data and/or stop any selling/sharing of data
Under CCPA, data collection and data sharing become fully transparent to the consumer, and, most
importantly, companies must process opt-out requests within 45 days.
What are the key components* of CCPA?
*As of 9/19/2019
● What types of companies must comply with CCPA?
(Source: Spencer Fane LLP)
● Who are the main characters?
○ business: for-profit entity that collects personal data and determines how/why it will be used
○ service provider: for-profit entity that processes personal data on behalf of a business. More
importantly, there must be a written contract between the two to prohibit the service
provider from “retaining, using, or disclosing personal information for any purpose
other than for the specific purpose of performing the services specified in the contract
for the business.”
■ Examples: The Trade Desk, Google, Facebook, DMP
○ third party: defined as a party that is neither a business nor a service provider. There must be a
written contract between a business and a service provider (or any person) to be
considered a third party
● CCPA is an opt-out policy, meaning consumers allow data sharing by default, and must opt out to
limit access
○ One caveat is for children who are 16 or younger: data sharing is prohibited by default and
they (or their guardians) must opt in for anyone to use data
● How is Personally Identifiable Information (PII) defined in CCPA?
○ CCPA defines PII broadly as data that, “identifies, relates to, describes, is capable of being
associated with, or could reasonably be linked” to an individual
○ In other words, IP address, physical address, phone number, and mobile ad ID are all
direct identifiers that are covered, while user personas (‘likely to buy a car’ or ‘business
traveler’) that are crafted from direct identifiers are also covered under CCPA
● Under CCPA, consumers have the right to make two types of verifiable requests to businesses:
○ Request 1: The types of personal information collected by the business, and the entities with
which the business shared or sold the personal information in the past 12 months
○ Request 2: Delete personal information
○ Consumers can make up to two requests within a 12-month period
● What are the penalties for non-compliance?
○ Maximum $2.5K fine per user request that was not fulfilled within 45 days
■ Companies will have 30 days to resolve the problem
■ If the issue is not resolved within the 30 day window, the California Attorney General
will pursue legal action against the business and/or service provider
○ Maximum $7.5K fine per user request that was not fulfilled if the business is found to have
intentionally violated the terms
■ Example: If Facebook’s Cambridge Analytica data breach affected around 20MM
California residents (hypothetical), they would be slapped with a maximum fee of
$50B. If Facebook was found to have deliberately shared California users’ data with
Cambridge Analytica, they would be on the hook for a maximum penalty of $300B
(Facebook’s 2018 revenue was around $55B)
● Businesses cannot refuse to provide services to consumers who have opted out of data collection.
No discrimination based on opt-ins/opt-outs is allowed. However, businesses can encourage user
consent through financial incentives.
CCPA’s impact on digital advertising
● When a consumer chooses to opt out on a brand website, personalized advertising based on past
engagement will not be possible. The consumer will still have a chance to see the brand’s ad, but it
won’t be a specific creative catered to the user based on audience rules or prior on-site behavior
○ In this scenario, the brand is the ‘business’ and the Data Management Platform (DMP) or
Dynamic Creative Optimization (DCO) platform that processes user data to inform retargeting
is the ‘service provider’. The Demand Side Platform (DSP) and Supply Side Platform (SSP)
involved in displaying the ad will also be categorized as ‘service providers’ unless a contract
specifically identifies them as ‘third parties’
○ The opt-out request must be processed between every service provider that is involved (up
to 45 days to fulfill the request)
○ Google and Facebook could technically be both ‘business’ and ‘service provider’ (more on
this later)
● Ad technologies that obtain and process third party data will be affected most by CCPA since none
of the data they handle is explicitly shared by the user for any business purpose
○ Examples: Tapad, Drawbridge, LiveRamp, Acxiom, Lotame
○ Bad actors who exploit Programmatic supply chains for monetization (i.e. fraudulent traffic,
ad farming) will face challenges, and in that regard, CCPA will have a positive effect
Image credit: Adweek
● The Walled Gardens (Google, Facebook,
Amazon) will not be affected as much since in most
scenarios, they are the ‘business’ and ‘service provider’
● Each Walled Garden is also gathering first-party user
data for specific purposes (e.g. Google Maps, Instagram,
Google Photos, Amazon Prime, etc.) and not much of it is
shared externally so it is that much easier to control
● CCPA will encourage these companies to build taller
walls and force advertisers to commit to respective
ecosystems
● Even if a user opts out on a brand’s website, if the
brand wants to use the user’s Facebook behavior to target
them with specific Facebook ads, that will still be enabled
unless the user opts out of Facebook’s personalized ads
explicitly
● There are still changes that could be made to CCPA (e.g. Senate Bill 753 was proposed earlier
this year to exempt advertisers from CCPA) and TMK will modify this POV if the final version
changes anything that is already stated here
How will CCPA affect Ad Tech?
● What is difficult to anticipate is the opt-out rate
○ GDPR: According to Quantcast, over 90% of users opted in when visiting EU-based domains
○ If CCPA’s consent management workflow is similar to GDPR, then we can expect ~10%
opt-outs
○ However, if the consent management workflow is neutral and opting out is a clear choice, we
expect the opt-out rate to hover around 30-40%
■ The reason we don’t believe many users will opt out is that the consent
management platforms are cumbersome when the answer is not “accept” (more on
this below)
○ For our POV on how Ad Tech will be affected, we will assume an opt-out rate of 10%
● Measurement and Attribution
○ How to gauge the impact on measurement:
■ How many visits/conversions (avg) are coming from California residents today? →
this is essentially the maximum number of users that will be impacted by CCPA
■ How many unique visitors (avg) visit the site? → number of uniques will increase from
California once users start opting out
■ How many conversions occur within the first 24 hrs of ad exposure? → more on this
below in the browser privacy section
■ How many ad touchpoints (avg per user, avg per media partner) are users exposed to
before converting? → if fractional attribution is part of your measurement solution
today, this figure will help assess the amount of credit partners could potentially lose
in California
● What types of first party targeting will be disabled if a user opts out?
○ Retargeting based on user’s prior site engagement
○ Site personalization based on user’s prior site engagement
○ Ad suppression based on user’s prior site engagement
○ Cross-device targeting by leveraging a unified device graph per user (by login or wifi access)
○ Dynamic creative / sequential creative messaging
● What about lookalike audience segments that leverage 1st/2nd/3rd party audience data?
○ Audience platforms that are not called Facebook, Google, and Amazon will need explicit
consent from the user to continue their current practices
○ Since 3rd party audience platforms do not own any of the user data, they will need to work
with publishers and brands’ consent management process/platforms to process audience
data. CCPA alone will not cripple these platforms, but they are likely wary of browser-level
privacy features along with future Federal Regulations
● Will a Data Management Platform (DMP) help in any way?
○ It could certainly help manage opt-out requests, especially if the DMP has direct integrations
with consent management platforms (CMP) or has its own CMP
○ There is very little DMPs can do to minimize opt-outs otherwise
Consent management is biased
● Consent management tools dissuade opt-outs (or opt-ins) by nature
● When you review NYT’s GDPR consent notification, it is very clear that the easiest choice is to
accept because once you click something that is not “I Accept” or “X”, the user is met with a long list
of privacy guidelines and a lot more clicks to customize privacy settings
● This is why we believe opt-out rates for CCPA won’t be high. However, it is contingent on the
consent management experience
The future of privacy
There is an argument to be made that CCPA is not the biggest hurdle for advertisers to prepare for since
the Federal version is still a big unknown and the opt-out rates may not be problematic. The more serious
change is coming from web browsers: every major browser is in a privacy race as we speak. This is a
massive win for users who want more transparency over their personal data, and a headache to advertisers
who want to accurately measure ad lift
● Browser privacy updates - below is a simplified list of how major browsers are shaking up cookie
tracking by default
○ Safari: The latest version does not allow cookie-tracking past a 24hr window
○ Chrome: Google is giving users all of the tools to manage what types of information users
want to share. It is a passive stance that requires a lot more input from the user
○ Edge: Microsoft has a feature called “tracking prevention” that disables all third-party trackers
on a website
○ Firefox: Mozilla’s “Enhanced tracking prevention” disables all third-party tracking cookies,
and they are also testing a VPN feature that could be part of a paid subscription in the future
● Monitoring site visitors’ browser types will be important since there could be a direct correlation to
anomalies in site analytics and/or media reporting
● CCPA will likely be used as a template for a Federal privacy bill, and that will take at least a couple
of years to crystallize since there has not been much traction on this yet. Although every State is
currently working on some form of a privacy bill, it does not make sense for each State to have its
own version. That would mean companies would have to comply with 50 different bills - that is a
nonsensical approach to privacy compliance
● Each browser’s privacy feature can already cripple cookie tracking regardless of CCPA. However,
what separates CCPA from browser features is how negligence or non-compliance is treated. If
someone finds a workaround to disarm browser features, it requires a patch and maybe an apology.
If someone ignores CCPA, there could be immense financial consequences
Preparing for a privacy-first future
In short, we do not believe CCPA alone will disrupt how media campaigns are managed and measured.
Browser-level privacy features will pose a bigger threat to media strategies, and how the browser privacy
race shifts market share will be something to keep an eye on. Nobody can guarantee that Chrome will be
the most widely used application in the next five years.
This does not mean CCPA compliance can be taken lightly since users must have the ability to control how
their data is being collected and used. The status quo is shifting and we must adapt to it and respect the
changes not just as advertisers, but also as consumers.
What can we do to prepare for 2020 and beyond?
● Review data security partners/solutions that are already in place and identify areas of improvement.
CCPA is about data security as much as it is about data transparency
● Map out how user data is collected, how it is stored/secured, and how it is distributed to third parties
for what purpose today
○ This will help with understanding which partners need to be surveyed for compliance and
better organize how user data is managed internally
○ Confirm that every partner who has access to user data is compliant and how the partner is
keeping the data secure
● Review current contracts and make sure user data security / liability / purpose are clearly stated
● Make sure to partner with a Consent Management Platform
● Work with the internal team to figure out how users’ data requests are received (website, email, and/or
toll free number) and delivered - creating a repeatable process is key
TMK is working diligently with all of our partners to ensure and enforce CCPA compliance while keeping up
with the latest on all privacy related updates. Please reach out to us with any questions and we will be more
than happy to help. Thank you!