The California Consumer Privacy Act is officially in effect, but many publishers and vendors still aren’t taking preparations seriously, as the Attorney General’s office won’t begin enforcement for another six months.
Some will take a last-minute, band-aid approach, doing the bare minimum to ensure they are compliant by July 1, but this strategy does a disservice to consumers who have a right to data privacy and will force publishers to revisit their own data practices each time new regulations are enacted. Additionally, it poses the of risk missing out on the business benefits that compliance can bring.
Consumer respect is paramount
In today’s digital-first world, consumers deserve to understand what happens to their personal information, including what it is used for and who it is accessed by. Individuals should be able to choose whether or not their data is collected and processed, and to determine who it is shared with. Many within the digital publishing industry are trying to find the path of least resistance and get around privacy laws simply due to bandwidth, or to maintain the status quo, but this isn’t the best approach. Embracing privacy is essential because it does right by consumers in the long run.
A patchwork of data laws
The privacy landscape is continually evolving, with Nevada and Maine currently enacting their own laws and other states sure to follow. U.S. publishers have already had to act on data privacy laws, such as the EU’s General Data Protection Regulation (GDPR) and might assume they are well prepared for CCPA. But despite all regulations having broadly the same goal—to give consumers more control over their personal data—each one has specific terms that lack consistency.
To begin, there are significant differences in who the laws apply to. With the CCPA currently only applying to businesses that make over $25 million gross revenue, some smaller publishers may be exempt, but the Nevada bill signed into law last October will apply to all website operators and online services.
There are also key differences in the requirements of the laws. GDPR requires publishers to gain explicit consent from consumers to collect their information, while both the California and Nevada laws work with opt-out mechanisms. However, Maine’s Act to Protect the Privacy of Online Consumer Information does require Internet Service Providers to gain affirmative consent before selling consumer data, which indicates further state regulation could follow the same path and require consumers to opt-in, rather than simply allowing them to opt-out.
For publishers, there are important nuances around automated decision-making, which is regularly used to target messaging in programmatic advertising. GDPR specifically references profiling, and regulators such as the UK’s Information Commissioner’s Office are working with the advertising industry to help it comply with the law. Other laws may not directly regulate profiling but, with inferred information classed as personal data by the CCPA, the practice may still cause compliance issues.
Solutions are emerging to help publishers meet the requirements of the California act, including the IAB’s CCPA Compliance Framework for Publishers and Technology Companies. While this is a valuable initiative, it focuses too narrowly on a single regulation and misses the opportunity to take a wider approach to data privacy. Treating traffic differently depending on which state it originates from simply isn’t viable for most publishers, logistically or financially.
To comply with the whole spectrum of regulations, publishers should assume a worst-case scenario in which data laws apply to all businesses, explicit consent to data use is required, and the profiling used in programmatic advertising is regulated.
Business benefits of compliance
In addition to doing the right thing by consumers and being well prepared for whatever shape the evolving regulatory landscape takes, robust data privacy strategies can bring other benefits.
First, they will uphold the principle of a free and open internet, accessible to all, not restricted by the individual data laws of states or countries.
Second, they will be able to build stronger, more trusting relationships with their audiences by demonstrating that they take privacy and data protection seriously, which will inevitably translate into tangible business benefits such as customer loyalty.
Finally, there is an opportunity for publishers to boost advertising revenues by increasing the value of their inventory. Since the enforcement of GDPR, it has become clear that advertisers are willing to place higher bids on programmatic inventory that contains a consent string in the bid as they know the user has actively agreed to their data being used for targeted or personalized advertising—and are therefore more likely to be receptive to messaging.
There may be a six-month window before the CCPA can be enforced, but cutting corners and doing the bare minimum required to be compliant by July is a dubious strategy. Publishers should review and revise their data practices with an eye to the worst-case scenario to ensure they do right by consumers and meet the obligations of changing data laws, potentially strengthening audience relationships and increasing ad revenues into the bargain.
