As companies work towards compliance with the California Consumer Privacy Act (CCPA), questions continue to arise regarding how to fully comply with the many new requirements. The CCPA is in effect, the Data Broker Registration website is live and industry organizations have responded to CCPA and other privacy trends.

CCPA Generally

As discussed in our prior alert, the California Attorney General released the much anticipated draft regulations in October 2019. The regulations have yet to be finalized but when they do get finalized this year, the hope is that they will provide companies with more clarity as to what CCPA compliance means for them. In the meantime, companies have no choice but to consider implementing compliance programs based on the draft regulations.

Despite the fact that the Attorney General will not begin enforcement until July, 2020, CCPA compliance should be made a priority. Consumers are already exercising their "Right to Know," "Right to Delete" and "Right to Opt-Out of Sales of Personal Information" under CCPA.

Covered "businesses" should:

  1. Continue to review (and update as necessary) their external privacy disclosures;
  2. Develop and implement internal compliance processes to respond to consumers exercising their CCPA rights;
  3. Review their vendor, customer and other third-party relationships to understand who is considered a "service provider" under the law and who is considered a "third party" since different requirements apply in each case and contracts may need to be executed or amended accordingly; and
  4. Consider if they are engaging in "sales" (as defined under CCPA) of personal data and are required to implement a "do not sell" mechanism.

Industry Response

The ad tech industry has been faced with the challenge of enabling consumers to exercise these new CCPA rights inside of an ecosystem that does not easily lend itself to such processes. Larger platforms, such as Google and Facebook, as well as industry trade organizations, have responded to the consumer "opt-out" complexity under the CCPA by implementing processes intended to streamline data transactions as well as deal with consumer requests.

Some platforms have made available new data sharing options in order to help their customers avoid the categorization of certain transactions as "sales" or have otherwise explained why data transfers to them should not be deemed a sale.

In order to help offer and process the right to opt-out of the sale of personal information in the retargeting industry, the Interactive Advertising Bureau has launched the IAB CCPA Compliance Framework and the Digital Advertising Alliance has launched its CCPA Opt-Out Tools.

Google Chrome to Phase Out Third-party Cookies

On the heels of the CCPA effective date, but not as a direct response to the CCPA, Google Chrome has announced its plan for phasing out and then eliminating third-party cookies in two years' time. This news reflects a growing trend in the United States towards enhanced consumer privacy protections. Third-party cookies have been the backbone of the digital media industry for quite some time.

Google acknowledged that the loss of third-party cookies could materially endanger the business of online advertising (particularly targeting and measurement), but it is confident that another of its products, Sandbox, will provide a substitute without the loss of functionality. In its place, Google will build out its recently announced Privacy Sandbox to enable programmatic targeting in a privacy-friendly way. Meanwhile, publishers and advertisers are exploring other means of acquiring first-party user data given the expectation that third-party cookies will become obsolete over time.

Data Broker Registration

In order to provide greater transparency to consumers, companies that are considered "data brokers" pursuant to the new California law, must register themselves as such on the state registry. The registration page is now live and registration must take place on or prior to January 31st of every year.

Under the law, a data broker is "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship". Any business that is a "data broker" but fails to register faces potential penalties. Given that the registry is now available (and since the Attorney General's office recently released a statement about the registration requirement), companies should assume that if it meets the criteria of being a "data broker" as a result of its activities in 2019, registration is required in 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.