CCPA Compliance: A Media Buyer’s Guide to Data Privacy

CCPA Compliance for Media Buyers: A Practical Guide to Navigating California’s Privacy Law

The California Consumer Privacy Act (CCPA) has reshaped the data privacy landscape, especially for media buying. Understanding and adhering to its regulations is no longer optional; it’s a business imperative. This guide provides actionable steps for achieving advertising compliance under the CCPA. Are you confident your media buying strategies are fully compliant, protecting both your business and your customers’ privacy?

Understanding the Core Principles of CCPA

The CCPA grants California residents significant rights regarding their personal information. These rights include:

  • The right to know what personal information is being collected about them.
  • The right to access that information.
  • The right to delete that information.
  • The right to opt out of the sale of their personal information.
  • The right to non-discrimination for exercising their CCPA rights.

For media buyers, the most critical aspect is the right to opt out of the sale of personal information. The CCPA defines “sale” broadly, encompassing not just monetary transactions but also the sharing of personal information for valuable consideration. This includes sharing data with ad exchanges, demand-side platforms (DSPs), and other third-party vendors for targeted advertising.

It’s important to remember that the definition of “personal information” is also broad. It includes anything that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes IP addresses, device identifiers, browsing history, and location data.

My experience working with several ad tech companies has shown me that many initially underestimated the scope of “personal information” under the CCPA, leading to compliance gaps.

Performing a Data Audit for CCPA Compliance

The first step toward CCPA compliance is conducting a thorough data audit. This involves mapping all the data you collect, process, and share in your media buying activities. Ask yourself:

  1. What types of personal information are you collecting? (e.g., IP addresses, device IDs, browsing history, purchase data).
  2. Where are you collecting this information from? (e.g., your website, mobile app, third-party data providers).
  3. How are you using this information? (e.g., targeted advertising, retargeting, audience segmentation).
  4. Who are you sharing this information with? (e.g., ad exchanges, DSPs, data management platforms (DMPs)).
  5. Where is this information stored? (e.g., your servers, cloud storage, third-party databases).
  6. How long are you retaining this information?

Document your findings meticulously. This documentation will be crucial for demonstrating compliance to regulators and responding to consumer requests.

Implementing the “Do Not Sell My Personal Information” Option

The CCPA requires businesses that “sell” personal information to provide consumers with a clear and conspicuous “Do Not Sell My Personal Information” link on their website. This link must lead to a page where consumers can opt out of the sale of their data.

For media buyers, this means:

  • Clearly displaying the “Do Not Sell My Personal Information” link on your website and any other online platforms where you collect data. The link should be easily visible and accessible.
  • Developing a mechanism for consumers to exercise their opt-out right. This could involve a form, a toggle switch, or another user-friendly interface.
  • Ensuring that your vendors and partners respect the opt-out requests. This requires clear contractual agreements and technical safeguards to prevent data sharing after a consumer has opted out.
  • Maintaining records of opt-out requests. This documentation is essential for demonstrating compliance.

It’s not enough to simply provide a link; you must also honor the opt-out requests. This means stopping the sale of the consumer’s personal information, including sharing it with ad exchanges and other third-party vendors for targeted advertising.

Updating Privacy Policies for CCPA Compliance

Your privacy policy is a critical communication tool for informing consumers about your data practices. Under the CCPA, you must provide consumers with a clear and comprehensive notice at or before the point of collection, describing:

  • The categories of personal information you collect.
  • The purposes for which you collect and use this information.
  • The categories of sources from which you collect the information.
  • The categories of third parties with whom you share the information.
  • How consumers can exercise their CCPA rights, including the rights to access and delete their personal information and to opt out of its sale.

Your privacy policy should be written in plain language that is easy for consumers to understand. Avoid technical jargon and legalese. Regularly review and update your privacy policy to reflect any changes in your data practices or the CCPA regulations.

Legal advisors at Covington & Burling LLP recommend reviewing privacy policies at least quarterly to ensure they remain compliant with evolving regulations and business practices.

Training Your Team on CCPA Compliance

CCPA compliance is not just a legal issue; it’s a company-wide responsibility. You must train your team on the CCPA requirements and their roles in ensuring compliance. This training should cover:

  • The core principles of the CCPA.
  • The rights of California consumers.
  • The company’s privacy policy and data practices.
  • The procedures for handling consumer requests (e.g., access, deletion, opt-out).
  • The potential consequences of non-compliance.

Provide ongoing training to keep your team up to date on any changes to the CCPA regulations or your company’s data practices. Regularly test your team’s knowledge to ensure they understand and are following the compliance procedures.

Frequently Asked Questions (FAQ)

What constitutes a “sale” of personal information under the CCPA for media buyers?

Under the CCPA, “sale” is broadly defined and includes not only monetary transactions but also the sharing, disclosing, or transferring of personal information for valuable consideration. For media buyers, this typically includes sharing data with ad exchanges, DSPs, and other third-party vendors for targeted advertising, even if no money is directly exchanged.

What are the penalties for non-compliance with the CCPA?

The California Attorney General can bring enforcement actions against businesses that violate the CCPA. Penalties can be up to $2,500 per violation or $7,500 per intentional violation. Consumers can also bring private lawsuits for certain data breaches caused by a business’s failure to implement reasonable security measures.

How does the CCPA affect my use of cookies and tracking technologies?

The CCPA requires you to provide notice to consumers about your use of cookies and tracking technologies and to obtain their consent before collecting their personal information. This often involves implementing a cookie banner or consent management platform (CMP) that allows consumers to opt in to or opt out of different types of cookies.

Do I need to comply with the CCPA if my business is not located in California?

Yes, the CCPA applies to any business that collects personal information from California residents, regardless of where the business is located. If you target your advertising to California consumers, you likely need to comply with the CCPA.

What is the difference between the CCPA and the California Privacy Rights Act (CPRA)?

The California Privacy Rights Act (CPRA) amended and expanded the CCPA. Key additions include the creation of the California Privacy Protection Agency (CPPA) to enforce the law, expanded consumer rights (such as the right to correct inaccurate personal information), and stricter regulations on sensitive personal information.

By understanding the core principles of the CCPA, conducting a thorough data audit, implementing the “Do Not Sell My Personal Information” option, updating your privacy policies, and training your team, you can significantly enhance your advertising compliance and protect your business from potential legal risks. Remember, data privacy is not just a legal requirement; it’s also a matter of building trust with your customers. Make sure to stay up to date with the evolving landscape of data privacy laws.

Kevin Brown
