The California Consumer Privacy Act will have a significant business impact on the digital advertising industry.
This website is a resource to educate IAB members and the broader digital advertising community about the key elements of the law impacting the media and marketing industries, and to provide information on IAB’s activities relating to the law.
About the Law
Companies that do business in California, regardless of where they are located, must comply with the law if they exceed one of the following thresholds: (i) have annual gross revenues in excess of $25 million; (ii) buy, sell, or receive or share for commercial purposes personal information gathered from 50,000 or more consumers, households, or devices; or (iii) derive 50% or more of their annual revenues from “selling” consumers’ personal information.
Some questions remain about the precise meaning of the thresholds. For example, it is not specified whether “annual gross revenues” includes global revenues or only revenues from California.
October 12, 2017
Alastair Mactaggart submits privacy ballot initiative
July 21, 2018
AB 375 introduced to replace ballot initiative
June 28, 2018
AB 375 signed into law and ballot initiative withdrawn
August 31, 2018
“Technical Corrections” amendment bill approved
January 1, 2019
Data mapping and recordkeeping requirements begin
January 1, 2020
AB 375 goes into effect
July 1, 2020
Enforcement begins, subject to adoption of regulations by the Attorney General
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The law provides 11 broad categories of data that constitute “personal information,” many of which are standard, but some of which are not common and have profound implications for the digital advertising industry. For example, the definition of “personal information” includes “Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement” and “[i]nferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
As a result of this broad definition, simply disclosing data, even as part of a larger transaction involving a product or service, likely constitutes a sale. It is difficult to conceive of an activity that does not fall within this definition given that the digital advertising ecosystem is built and predicated upon utilizing consumer data for ad decisioning, reporting, and optimization.
Any business that collects a consumer’s personal information must, at or before the point of collection, inform the consumer as to (i) the categories of personal information to be collected; (ii) the purposes for which such personal information will be used; (iii) a description of a consumer’s rights under the Act, including a “clear and conspicuous” opportunity to opt out from the sale of his or her personal information; and (iv) the designated methods for submitting privacy inquiries and requests, including, at a minimum, a toll-free telephone number and a website address. These general disclosures must be made in the business’s online privacy policies and in any California-specific descriptions of a consumer’s privacy rights and updated at least once every 12 months. The clear and conspicuous opt out must be titled “Do Not Sell My Personal Information” and must be included on a business’s homepage.
A business must not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by: (i) denying goods or services to the consumer; (ii) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (iii) providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under this title; (iv) suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
In essence, this prevents websites and publishers from denying consumers access to their services if they elect not to provide any personal information. IAB has strongly opposed similar provisions in the proposed EU ePrivacy Regulation.
Any business that receives a verifiable consumer request to access personal data must promptly take steps to disclose and deliver, free of charge to the consumer, (i) the categories of personal information it has collected about that consumer; (ii) the categories of sources from which the personal information is collected; (iii) the business or commercial purpose for collecting or selling personal information; (iv) the categories of third parties with whom the business shares personal information; and (v) the specific pieces of personal information it has collected about that consumer. The Attorney General is tasked with promulgating regulations to determine what constitutes a verifiable consumer request.
The information may be delivered by mail or electronically, and if provided electronically, the information must be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.
A business that receives a verifiable request from a consumer to delete the consumer’s personal information must delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
Restrictions on Sale of Data
A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information, has not received consent to sell the minor consumer’s personal information is prohibited from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.
The act generally provides for its enforcement by the Attorney General, but also provides for a private right of action in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s personal information, as defined for this purpose, provided that the consumer bringing an action notify the Attorney General of the action in accordance with a specified process.
A business that unintentionally violates the law faces a maximum civil penalty of $2,500 per violation. A business that intentionally violates the law faces a maximum civil penalty of $7,500 per violation.
After several attempts by the California legislature to pass comprehensive privacy legislation, on June 28th, 2018, California Governor Jerry Brown signed into law the CCPA, a first-in-the-nation piece of consumer privacy legislation.
CCPA’s path to the Governor’s desk was anything but typical.
In 2017, a real estate investor named Alastair Mactaggart decided to take the issue of consumer privacy into his own hands. Despite having little knowledge of the issue, he provided the financial support for the drafting of a sweeping privacy measure to be placed on the ballot and considered in November of 2018.
Facing the prospect of a highly contentious battle over the ballot initiative, in which IAB was deeply involved, several members of the California legislature sought to take advantage of a peculiarity in the California constitution that enables the proponent of a ballot initiative to pull a measure from consideration before June 29th of an election year.
Just one week before the June 29 deadline, a bill similar to the initiative was introduced by state assembly member Ed Chau and state senator Robert Hertzberg, and offered to industry as a “take it or leave it” alternative to the ballot initiative. Despite virtually no input from industry, drastically overbroad definitions, and scores of drafting errors, the legislation was passed over industry objection.
A small technical amendment bill that extended the enforcement date to July 1, 2020 was passed in August of 2018. There will also be a robust regulatory process by the California Attorney General that is expected to give further definition to the bill in 2019.
How to Get Involved
IAB Legal Affairs Committee
The IAB Legal Affairs Committee’s Privacy Working Group meets regularly to discuss guidance and solutions to privacy laws, including the California Consumer Privacy Act. IAB encourages member companies in legal and compliance roles to participate in this working group. Email Michael Hahn ([email protected]) for more information.
IAB Public Policy Council
The IAB Public Policy Council’s Federal Privacy Working Group meets monthly to provide updates and establish industry positions on federal efforts to develop a nationwide data privacy law that preempts the California Consumer Privacy Act. Email Alex Propes ([email protected]) to join this Working Group.