CCPA Compliance: What Digital Marketers Need to Know
Cybersecurity and online privacy are growing concerns for many Americans. Between the rapidly evolving internet and the lethargic process of enacting laws, the balance between businesses’ legal access to users’ information and consumers’ right to privacy is prone to large swings in one direction or the other. The latest swing comes out of California in the form of CCPA, a law that has long-lasting implications for the digital marketing landscape. Anyone who works in this field needs to pay attention, or else face being buried in fines and lost business.
In This Article:
- What is CCPA & What Defines “Personal Data”?
- What Does CCPA Mean for Businesses?
- What Types of Businesses are Affected by CCPA?
- Facebook Ads and CCPA
- Google Ads and CCPA
- What’s Next for Digital Marketing & CCPA?
What is CCPA?
The California Consumer Privacy Act (CCPA) is a state-level law that holds international implications. CCPA is an effort to protect California residents’ online privacy and increase the transparency around when personal data is being collected and used. Through this act, California residents now have the legal right to:
- Know what personal data is being collected
- Know if their data is being sold
- Know who is buying their data
- Opt out of their data being sold
- Personally access their data
- Force businesses to delete their personal data
- Not be discriminated against for exercising their online privacy rights
- Extra protections from data collection if they are a minor
This may seem like a sudden and drastic shift in online business and privacy rules, but this bill was signed into law in 2018 and had a two-year grace period for businesses to prepare before going into full effect at the end of June 2020.
What Defines “Personal Data” to CCPA?
“Personal Data” may sound like a vague and broad term because it was designed to be vague and broad. CCPA is written to be encompassing and adaptive as the digital landscape changes. The bill’s exact wording of what constitutes personal data or information is,
The bill continues to list examples of personal data but specifically states that this list isn’t all-encompassing. These examples include the expected terms (name, address, social security number, etc.), more online privacy-focused terms (IP address, browsing history, search history, etc.), and a few terms the average consumer might not think to protect (biometric data, inferences made about them based off of collected data, and even olfactory information).
There are some specific exclusions from the protected data list, but these mostly center on information that’s legally publicly available. The bill does clarify that “publicly available” does not include data collected without the consumer’s knowledge nor aggregated, deidentified data.
For a full list of what is specifically included and the exact wording of the law, read through the bill yourself, but you are going to want to Ctrl + F what you are specifically looking for as it is a detailed, legal document.
What Does CCPA Mean for Businesses?
So how does a law in California affect businesses across the globe? CCPA is a consumer-focused law, meaning businesses need to conform to the consumers’ rights, not the other way around. If a business interacts in any capacity with the citizens of California, that business needs to comply with CCPA. Short of banning all interactions with California residents, which would mean giving up on the state with the highest population and GDP, anyone who targets California residents with digital marketing now needs to play by CCPA rules.
Businesses’ Responsibilities with CCPA
At the core of CCPA, businesses and digital marketers cannot gather and use California residents’ personal data without their consent. This is the businesses’ responsibility to carry out and while most of the exact details on how to do so are up to the specific business, there are a few specific practices that need to be implemented in order to be CCPA compliant.
Businesses are responsible for implementing:
- Processes to obtain data sharing consent from parents or guardians for minors under 13 and affirmative consent for minors between 13 and 16
- A “Do Not Sell My Personal Information” link on their homepage
  - This directs users to a page where they can opt out of data sharing
- Designated methods for submitting data access requests
  - At the minimum, this means a toll-free number to call in
- Policies to limit requesting opt-in consent within the 12 months after the initial opt-out
Failure to comply with CCPA can lead to hefty fines for the culpable business. Each and every intentional violation can be hit with a fine as high as $7,500 while unintentional violations can only reach $2,500 each. These are stacking amounts, so with the sheer volume of data being collected, these fines can quickly grow. The exact method for how intentional and unintentional violations will be determined and how the fines will be enforced has not been made clear, but the precedent will be set on early offenders. Businesses do have the option to fix the violations within 30 days of receiving notice of the infractions. If this is possible and completed on time, the penalties may be waived.
Between CCPA and the precedent from a recent lawsuit against Minted, businesses are also vulnerable to class-action lawsuits from the people of California in relation to data security breaches or theft. While not a direct and intentional violation of users’ privacy, this brings emphasis to how important of a responsibility it is to protect people’s personal data.
What Types of Businesses are Affected by CCPA?
Technically, not every business interacting with California residents is subject to CCPA guidelines. The rule of thumb is that they have to meet at least one of the following criteria:
- An annual gross revenue of over $25 million
- Buying, receiving, or selling the personal info of 50,000 or more consumers or households
- Earning more than half its annual revenue from selling consumers’ personal information
Smaller businesses are given some flexibility with CCPA as they are not the major offenders and have limited resources to dedicate to complying with the guidelines. That being said, since it only takes hitting one criterion to qualify, it is easy to cross a CCPA threshold without realizing it (collecting too many California shipping addresses, for example) and become subject to fines. So even though a business might not technically qualify at the moment, the only way to avoid any surprises is to comply with CCPA as much as possible.
Facebook Advertising and CCPA
With Facebook’s recent issues with data privacy, they took no chances with CCPA. Once CCPA came into full, punishable effect on July 1, 2020, Facebook automatically toggled on a Limited Data Use setting for all advertisers on the platform. This automatic setting acted as a “Transition Period” for businesses and digital marketers to ensure they were in compliance with CCPA, forcing individual accounts to manually opt out and washing Facebook’s hands of responsibility. On July 31st, Facebook ended its Transition Period for those who did not already opt out, automatically turning off the Limited Data Use setting. Accounts do have the option to extend the transition period to October 20th, but Facebook intends to completely remove itself from the issue by passing the responsibility of CCPA compliance to the businesses using the platform.
How to Find Facebook’s Limited Data Use Setting
Where do your ad accounts stand with Facebook’s Limited Data Use? If you are in any doubt of your or your clients’ CCPA compliance, it is wise to extend the Transition Period until everything is taken care of.
To find this setting you will first open your Facebook Ads Events Manager then go to your main pixel Settings. The Limited Data Use options will be at the top of this page, below the Details section. From here you can end or extend your Transition Period and learn more about what Facebook is doing in regards to CCPA directly from them.
Google Advertising and CCPA
While Google has faced their fair share of scrutiny surrounding data privacy, they haven’t been at the forefront of the discussion like Facebook and Mark Zuckerberg, so their policy changes haven’t been as dramatic. Since the bill first passed in 2018, Google has been implementing updates and building features to restrict data processing. Digital marketers using Google Ads can now enable restricted data processing when setting up their Google site tags. Enabling restricted data processing limits Google’s use of unique personal identifiers, which stops you from serving personalized ads.
According to Google:
“…there are two options to enable restricted data processing in Google Ads.
- A “restricted_data_processing” parameter which can be set in your global site tag in Google Ads or Tag Manager, to enable restricted data processing for particular users on your site.
- A checkbox in Audience Manager where you configure your Google Ads remarketing tag to enable restricted data processing for all users located in California.”
Note: The restricted_data_processing parameter is not specific to only California residents and can be configured to restrict data on other users, as well.
But, since this is a post about CCPA, let’s first look at how to restrict data collection for California residents specifically. To do this, you will need to edit your site tag in Google Ads:
1. From the Audience Sources tab in Audience Manager, click to edit your Google Ads tag.
2. You will not be able to change the type of data source, but that’s ok, because there’s a nifty little checkbox to “Exclude California users from remarketing lists.” This will restrict California users from being added to your remarketing audiences.
3. Click “Save and Continue,” and you’re done! You do not need to reinstall the tag on your site.
Restricting Data for Select Users
If you do not want to blanketly restrict data for all California users, you can restrict data on a per-user basis by using the restricted_data_processing parameter in your global site tag. For example, let’s say you only want to restrict data for your site visitors that opt-out on your “Do Not Sell My Personal Information” link.
How you set this data restriction up will depend on whether your site tag is hardcoded on the site or you use Google Tag Manager to manage your tags.
1. Follow the same instructions above to edit your audience source in Google Audience Manager.
2. In this instance, however, you’ll want to leave the box unchecked next to “Exclude California users from remarketing lists,” because you’ll be configuring this directly in your tag code in a later step.
3. Click Save and Continue, and then the updated site tag will look something like the below, with the restricted data processing parameter included. You’ll need to reinstall the updated code on your site and configure the parameter based on which users you want to exclude from your data collection.
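A sketch of the hardcoded per-user setup described in the steps above, added here as an example (it is not the tag Google generates and not code from the original article). It assumes your “Do Not Sell My Personal Information” page records the visitor’s choice in a first-party cookie; the cookie name `ccpa_opt_out`, the helper function names and the `AW-CONVERSION_ID` placeholder are assumptions.

```javascript
// Added example. Hypothetical names: ccpa_opt_out cookie, helper functions.
// AW-CONVERSION_ID is a placeholder for your own Google Ads tag ID.
const OPT_OUT_COOKIE = 'ccpa_opt_out';
const TWELVE_MONTHS_SECONDS = 365 * 24 * 60 * 60;

// Parse a document.cookie-style string; first occurrence of a name wins.
function parseCookies(cookieString) {
  const cookies = Object.create(null); // no prototype, so odd names are harmless
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    if (name && !(name in cookies)) cookies[name] = value;
  }
  return cookies;
}

// Cookie the opt-out page would set when the visitor clicks the link.
function buildOptOutCookie() {
  return `${OPT_OUT_COOKIE}=1; Max-Age=${TWELVE_MONTHS_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

// Fail closed: any value other than an explicit "0" counts as an opt-out,
// so a corrupted cookie restricts processing rather than enabling it.
function shouldRestrict(cookieString) {
  const cookies = parseCookies(cookieString);
  return OPT_OUT_COOKIE in cookies && cookies[OPT_OUT_COOKIE] !== '0';
}

// Config object for the gtag 'config' call; the parameter is only sent
// for visitors who opted out.
function adsConfig(cookieString) {
  return shouldRestrict(cookieString) ? { restricted_data_processing: true } : {};
}

// Browser wiring (skipped when run outside a browser, e.g. under Node).
if (typeof document !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  const gtag = function () { window.dataLayer.push(arguments); };
  gtag('js', new Date());
  gtag('config', 'AW-CONVERSION_ID', adsConfig(document.cookie));
}
```

The cookie has to be read before the `config` call fires, so this logic belongs in the same script block as the tag rather than in a script that loads later.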
The GTM method
If your tags are managed in Google Tag Manager, edit the tag in GTM. Select “True” under the dropdown for “Enable Restricted Data Processing” to disable all personalized ads, or configure at the data layer.
What’s Next for Digital Marketing and CCPA?
Digital marketing has always been a field of adaptation. Between the many and quick changes online or the fewer but larger changes in law, any digital marketer knows that what works today could be obsolete tomorrow. Where CCPA stands out is its wide-reaching implications and the domino effect it most likely started.
CCPA’s Wide Reach
CCPA was built to protect the citizens of California with the responsibility placed on the businesses collecting their data. Legally, individuals from California can continue to navigate the internet how they want with complete certainty about how and where their data is being used. Since the internet isn’t a geographically-based entity, that means any online business needs to either institute policies to protect the rights of users living in California or completely stop serving them. Even if the business doesn’t actively market to California, all it takes is a California user visiting their site to become subject to CCPA fines. With the size and spending of the California population, most businesses have no other option but to comply with CCPA’s restrictions.
CCPA’s Domino Effect
Even if a business doesn’t service California and is able to stop users from visiting their site, that doesn’t mean they are in the clear. CCPA is most likely just the first step to national restrictions, with Nevada already enacting similar rules and other states predicted to follow suit. With any state-level policy, the first state to pass them is typically the most difficult, followed quickly by other states’ leadership using the first state’s example for themselves. As more states adopt similar policies, businesses trying to avoid complying will see their customer pool shrink and shrink until they are left with no other option. At that point, they’ll have lost market share in those states and will be behind the early-adopting businesses.
With CCPA being passed two years ago, it’s less likely it’s going to be repealed, so digital marketers should strongly consider setting themselves up for the future of CCPA-like laws as they spread across the US market.