CCPA Regulation, SMB, and Ad Tech: How will they Co-Exist?



California became the first state that decided to tame the chaos of regulations. It standardized them into 15 pages of succinct text. It is much shorter if we compare it to hundreds of pages of GDPR. Still, CCPA is more practical and easier to grasp.

What businesses will be eligible?

CCPA compliance covers only a certain share of companies: those that process personal data of California residents (both outside and inside the state):

  • The business should generate a minimum of $25 million annual revenue
  • Businesses that gain less than $25 million in yearly income will be eligible only if they sell personal data of more than 50 thousand people of California each year
  • If the business obtains 50% or more revenue from the data classified by GDPR as personal

One of the most critical questions is: What can be regarded as personal data? Identifiers of various nature, biometrics, geolocation, history of activity on the Internet, information about employment, or level of education can be considered private. As well, any pseudonymous data (IP, OS, device, etc.), based on which companies can classify the user, or complete their user portraits or psychological characteristics, is defined by the regulation as personal.

Why CCPA will change the way businesses work

The notion of personal data under CCPA data regulation is truly broad. Additionally, almost every international company has information that belongs to Californians, and even more so of Europeans. In regard to this, together, GDPR and CCPA will reform the operation of myriads of small and medium-sized businesses all over the world.

Even though regulation enactment is looming close, the adoption process doesn’t show incredible dynamics. In this, it isn’t different from last year’s GDPR trend, when only 48.7% of businesses managed to abide by the deadline.

CCPA regulation makes it all the more dramatic. The Eset Survey, held on August 05, 2019, shows spreading confusion about upcoming CCPA regulations among businesses. Thus, only 11.8% of companies are preparing for CCPA. More than 44.2% never heard of the regulation. The rest (34%) don’t know if they are eligible at all.

[Figure: "As a business — do you understand this law?"]

At this stage, it is also essential to understand the specifics of CCPA and assess the possible risks of delayed compliance. If GDPR obliges companies to obtain user consent prior to personal data collection, CCPA makes companies satisfy only incoming user requests that should be executed within 45 days.

If the user sends a complaint to the company about personal data violation, and it is not resolved in 45 days, the company will be fined 7.5 thousand dollars per case. The data breach is not the only incident on the list of possible penalties. If the user discovers that the company used their personal data – e.g., for advertising personalization against their permission – they will probably want to sue it.

Sure, the Californian government will revise and modify the fines in the future. In any case (taking into account all additional technical and legal costs), CCPA may cause damage to companies that don’t manage to comply in time.

CCPA regulation and ad tech

Digital business, like advertising, involves data at every stage of functioning, starting from segmentation and campaign personalization, and ending with marketing analysis and beyond. The new obligations imposed by CCPA on businesses may turn very challenging for ad tech companies. They almost entirely depend on multilayered data sets. Plus, their partnership networks are complex and interconnected.

Every user will have the right to revoke his/her consent. So, companies, as well as data controllers, will have to develop working mechanisms to execute these rights upon request.

It will be necessary for ad platforms to prove and justify why they need to process personal data of Californians. It will be a must to make sure that vendors who take part in further processing are also CCPA-compliant.

For all those companies that can’t keep up, the only way to prevent undesirable consequences will be closing the California branch. CCPA also obliges companies to make the option “don’t sell my data” visible and available on their websites.

As a result, the share of third-party (purchased and sold) data will shrink as users prohibit it. In such circumstances, first-party data (collected personally) will gain more significance. Advertising algorithms soon might be re-built accordingly to meet this new market request.

In the end, such transformations will make the advertising ecosystem more open and transparent. Ad market participants that adopt new standards first will appear as most trustworthy to California customers who like justice probably as much as they like to sue.

What we can learn from the GDPR enforcement tracker: dozens of companies were fined last year because they failed to comply. Many of those simply didn’t interpret the legal framework properly. That’s why you should organize preparation beforehand, while you still have time for experiments and mistakes.

The right way to CCPA compliance

You’ll need to determine what kind of information you collect and whether or not it can be considered personal data. If you have personal data of Californians, be sure you have a definite purpose for collecting it. Store, transfer or sell it in accordance with CCPA requirements. Launch an internal record of the data that you collect and requests from customers that you receive.

If third-party platforms have access to your technologies (including software), make sure you know what data they may collect. Revise your existing partners for CCPA compliance, and if they’re not ready to embrace new regulation, it is a good sign you need to start looking for more reliable collaborators.

A privacy policy update is the first step of preparation that you need to take beforehand. Afterward, when the draft is ready, try to examine your internal data collection systems and discover if they’re ready for CCPA. Don’t forget that in accordance with CCPA, your customers must have at least two ways to contact your company – a web page and a toll-free phone number.

Introduce information security standards, such as ISO 27001 or NIST or CIS frameworks. They confirm that your company has built a robust risk management system, business, and technical processes and management in accordance with international standards.

The last word

CCPA is the first step towards a completely new interpretation of data security in the U.S. It is the most sustainable modification of practices that, for many years, were considered basic and unchangeable. It will impact the operation of small and medium-sized companies, but if you prepare well, the adoption process certainly won’t be harder than one with GDPR.

In a progressive democratic society, customer rights are priority number one, and if you understand it today, your company will appear transparent and trustworthy in all business communications tomorrow.
