The California Consumer Privacy Act (CCPA) becomes effective January 2020, yet many marketers and advertisers are uncertain as to how the data privacy legislation will impact their company’s web properties.
In this step-by-step article, we’ll outline the initial actions your company should be taking now to prepare for the new privacy requirements.
A quick note: The discussion here will be specific to the data collection happening on your web applications via analytics, marketing, and advertising platforms being loaded on your site(s). The CCPA will also be applicable to your internal data collection practices and any place where you are collecting Personal Information about your consumers.
With that lens set, let’s dive into the 5 steps your company should be taking well in advance of January 2020.
1. Check Whether or Not the CCPA Applies to Your Business
All California residents are protected under the California Consumer Privacy Act. This means that if your business serves any consumers—or website users in the case of your web applications—that are California residents, these rights and protections are afforded to them.
The CCPA applies to businesses with consumers in California that meet any one of the following three thresholds:
- Annual gross revenues exceed $25 million;
- Annually buys, receives for commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices;
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
If your business meets any one of these requirements, proceed to Step 2. If your business does not meet a single one of the three thresholds (even if your company is based in California), your business won’t be affected by the law and legally does not need to adhere to the requirements. It is important, however, to keep the requirements and consumer privacy in mind with all digital activities. After all, once your business grows to a point where the law applies, you will be on the hook for these requirements.
2. Understand What Platforms Are Loading Across Your Web Properties
Under the CCPA, the owner and operator of a website that consumers visit and where data is being collected is responsible for all Personal Information collected, shared, and sold from the site. This includes the actions of third-party platforms that may be piggybacking or loading in through other third parties. It is not enough to say that you were unaware of certain Personal Information collection activities, including those carried out by third-party platforms on your web property (and business). Your business is still liable.
As a result, it’s imperative for your business to audit its web applications to understand what platforms are loading across every page of your site(s) and how they are being loaded. Again, this includes tags and pixels that you may not be directly implementing, but are instead piggybacking off of other platforms you have directly included.
The best place to start with this type of exercise is a tag audit. You can learn more about tag auditing here. As always, don’t hesitate to reach out to us at Tag Inspector for help with this process.
3. Understand What Data is Collected by Each Platform
Once you have identified and organized all of the platforms loading on your website, it’s time to do a deeper dive into each. We can understand the data collected by each platform by looking at the network requests they are sending from your business’ site up to the respective servers for each tool.
Here’s an example of what this looks like in raw form:
By using a tag auditing tool such as Tag Inspector, you can collect these at scale across all pages of your site(s) and get simpler outputs to aggregate and understand this data:
4. Identify, for Each Platform, If Any of the Data Points Collected Are Considered “Personal Information”
Now that you have identified the platforms loading across your website and parsed out the data collected, it’s time to determine if any of those data points are classified as “Personal Information” under the California Consumer Privacy Act.
According to the CCPA, Personal Information is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (CCPA 1798.140.o.1)
This is further explained with the following in section 1798.140.o.1.A-K of the CCPA. We’ve included only points that are relevant for our discussion of marketing and advertising platforms below:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
It is important to know and understand these categories, as you will need to reflect the categories of Personal Information collected/shared/sold in your Privacy Notice and disclosures for consumers.
The easiest way to break out and identify the data points that are “Personal Information” is to take our parsed-out requests from Step 3 and then go through each data point for each platform. You can also reach out and request this information from each of the platforms you are leveraging on your site. If going about it yourself, here’s an example for how we (Tag Inspector) work with clients to map this out with a Google Analytics request:
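As an added illustration of Steps 3 and 4 (this is not Tag Inspector's code or output), the example below parses a constructed Google Analytics Measurement Protocol request and flags the data points that fall into the categories quoted above. The sample hit, the parameter-to-category mapping, and the function names `classifyHit` and `categoriesCollected` are assumptions made for illustration; the mapping is not a legal determination.

```javascript
// Constructed sample (not captured traffic): a Universal Analytics Measurement
// Protocol pageview with a transaction, as seen in the browser's network tab.
const SAMPLE_HIT =
  "https://www.google-analytics.com/collect?v=1&t=pageview&tid=UA-XXXXX-Y" +
  "&cid=1234567890.1556668800&uid=crm-00042&sr=1440x900&ti=T1001&tr=59.90" +
  "&geoid=US-CA&dr=https%3A%2F%2Fsearch.example%2F" +
  "&dl=https%3A%2F%2Fshop.example%2Fthanks%3Femail%3Djane%40example.com";

// Assumed mapping of Measurement Protocol parameters to the CCPA categories
// listed in Step 4. Illustrative only, not a legal determination.
const CATEGORY_BY_PARAM = {
  cid: "Identifiers", uid: "Identifiers", uip: "Identifiers",
  ti: "Commercial information", tr: "Commercial information",
  dl: "Internet activity", dr: "Internet activity", dt: "Internet activity",
  geoid: "Geolocation data",
};

// Value check: an email address that leaks into any parameter (for example
// inside a page URL) is an identifier even if the parameter name looks benign.
const EMAIL_RE = /[^\s@&=\/?]+@[^\s@&=\/?]+\.[a-z]{2,}/i;

// Parse one request URL and return a finding per flagged data point.
function classifyHit(rawUrl) {
  const url = new URL(rawUrl);
  const findings = [];
  for (const [param, value] of url.searchParams) {
    const category = CATEGORY_BY_PARAM[param];
    if (category) {
      findings.push({ host: url.hostname, param, category, reason: "parameter name" });
    }
    if (EMAIL_RE.test(value)) {
      findings.push({ host: url.hostname, param, category: "Identifiers", reason: "email in value" });
    }
  }
  return findings;
}

// Distinct categories across many hits: the list a Privacy Notice has to cover.
function categoriesCollected(rawUrls) {
  const seen = new Set(rawUrls.flatMap(classifyHit).map((f) => f.category));
  return [...seen].sort();
}

console.log(classifyHit(SAMPLE_HIT));
console.log(categoriesCollected([SAMPLE_HIT]));
```

The email finding on `dl` shows why values need checking as well as parameter names: a page URL that carries a query-string email sends an identifier to the vendor even though `dl` is nominally just a page address.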
5. For Any Platform Collecting “Personal Information,” Map the Data and Ensure All Requirements Under CCPA Are Being Met
Once you have identified the platforms collecting Personal Information and the specific data points that are considered “Personal Information” under the law, it is time to determine (1) where this data is going and how it is used and (2) whether all protections outlined within the law are being adhered to.
For the first item, you need to understand if the Personal Information is merely being “collected,” if it is “shared,” or if it is “sold.” Here is how each of those terms is defined:
- Collecting: Buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior (1798.140.e).
- Selling: Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration (1798.140.t(1)).
- Sharing: Providing Personal Information to another provider.
It’s important to make these distinctions because additional disclosure and erasure requirements come into play for any data that is sold. The sharing of Personal Information must also be reflected in disclosures to consumers.
The second item, making sure that all protections outlined within the law are being adhered to, requires you to focus on a few different areas. These are outlined with a quick description of the requirements below. For a deep-dive in each requirement, check out our webinar on May 29 where we will discuss “Everything Marketing and Advertising Professionals Need to Know About the CCPA”:
- Disclosure at or before collection: The first step of the requirements outlined in the CCPA is disclosure of the collection of Personal Information to consumers on your website. It must be clear what categories of Personal Information are being collected, and you must provide information on how the consumer can learn more.
- Privacy Notice: Within the Privacy Notice, consumers must be able to clearly access descriptions of their rights under the CCPA and further information about the Personal Information collected about them, with whom it is shared, the purpose of collection, and if/to whom it is sold.
- Opt-out: The right to opt-out for consumers relates to any Personal Information collected from them that is sold. They must be made explicitly aware of this activity and have the ability to opt-out of such behavior.
- Erasure: Consumers have the right to request erasure of “any personal information about the consumer which the business has collected from the consumer.” This extends to third parties to whom the information has been disclosed as well.
- Access: Under the CCPA, consumers are granted the right to receive answers to verifiable requests, free of charge, within 45 days of the request being made, covering the 12-month period prior to the request. The response must be provided in a “readily usable format” that the consumer can transfer to another entity “without hindrance.”
From the business perspective, you need to make sure that you have adequately mapped and organized the Personal Data collection and that you have a process to provide this information in the case of a request.
Begin Preparing Well in Advance of January 2020
As you can see, the process of getting your site(s) into compliance with the CCPA is going to take some work. It’s important to get started as soon as possible so you can begin understanding what platforms you are running and what Personal Information you are collecting today. Get these initial steps out of the way and rest easy come 2020.
Interested in getting started with a tag audit? Let us know! The Tag Inspector team works with thousands of websites annually and would love to learn more about how we can help your organization.