The California Consumer Protection Act (CCPA) will be in full force as of July 1, 2020.  This means that the onus of data protection shifts from the consumer to the advertiser – marketers beware!

So, How Did We Get Here?

Last year California passed the CCPA, which allows consumers to prohibit advertisers and marketers from selling information gathered through sales and other interactions.

What does this mean?  Consumers now have ownership of their own data, and marketers cannot profit from it without clear consent and permission from the consumers themselves.  It also gives consumers a clear right to request that advertisers delete their personal data from all data platforms.

  1. Customers must be informed that their data is being collected and of the intended use of their data.
  2. Customers may request that their data not be shared or stored.
  3. Customers may request the deletion of their data at any time and must not be penalized for doing so, including on pricing or services offered.
  4. Businesses are required to provide notice of a customer’s right to opt out of data sharing.

What Are the Rules?

In December 2019, the IAB rolled out a Compliance Framework for Publishers and Technology Companies, giving advertisers, SSPs, DSPs, publishers, and any entity involved in the RTB (real-time bidding) chain a set of guidelines for conforming to the CCPA regulations that go into effect July 1, 2020.  This framework was modified as recently as June 5, 2020 to outline how best to handle data deletion requests between publishers and vendors.

What Is a Data Deletion Request (DDR) and How Do I Comply?

When a consumer wants their personal information removed from a publisher's, vendor's or advertiser's database, they can submit a DDR.  The DDR is a technical solution that provides the means to signal consumer requests for data deletion.  Access to the API for DDR compliance is part of the US Privacy API and can be found on the IAB Tech Lab website.  Here is a quick overview of how the API works in three simple steps:

  1. Each entity that has access to or collects personal data will create a JavaScript script that will complete data deletion when triggered.
  2. Each publisher hosts all its vendors’ or partners’ scripts directly on their page so that a single DDR will initiate data deletion across all connected sources.
  3. When a person hits the “Data Deletion” button on a website, the US Privacy API is called and all vendors’ scripts are notified simultaneously.
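
The three steps above, sketched as an added example that is not from the original article or from the IAB Tech Lab specification. The names createDeletionHub, register and perform, the vendor names and the in-memory stores are hypothetical stand-ins, not the US Privacy API's own calls; the sketch also records a per-vendor outcome so that one failing vendor script does not silently block or hide the rest.

```javascript
// Added illustration: a minimal in-page stand-in for the deletion dispatcher.
// All names here (createDeletionHub, register, perform) are hypothetical.
function createDeletionHub() {
  const handlers = new Map(); // vendor name -> deletion callback

  return {
    // Steps 1 and 2: each vendor script hosted on the publisher page registers itself.
    register(vendor, callback) {
      if (typeof callback !== 'function') {
        throw new TypeError(`deletion handler for ${vendor} must be a function`);
      }
      handlers.set(vendor, callback);
    },

    // Step 3: the "Data Deletion" button calls this once; every vendor is notified.
    // A vendor that throws or rejects must not stop the others, and the publisher
    // keeps a per-vendor outcome so failed deletions can be retried or audited.
    async perform() {
      const entries = [...handlers.entries()];
      const settled = await Promise.allSettled(
        entries.map(([, cb]) => Promise.resolve().then(() => cb()))
      );
      return entries.map(([vendor], i) => ({
        vendor,
        ok: settled[i].status === 'fulfilled',
        error: settled[i].status === 'rejected' ? String(settled[i].reason) : null,
      }));
    },
  };
}

// Constructed sample data: in-memory stores standing in for vendor-side records.
const adStore = new Map([['user-123', { segments: ['auto'] }]]);
const analyticsStore = new Map([['user-123', { visits: 4 }]]);

// Builds a hub with two working vendors and one deliberately failing vendor.
function demoHub() {
  const hub = createDeletionHub();
  hub.register('ads-vendor', () => adStore.delete('user-123'));
  hub.register('broken-vendor', () => { throw new Error('endpoint unavailable'); });
  hub.register('analytics-vendor', async () => analyticsStore.delete('user-123'));
  return hub;
}
```
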


Disclaimer: This article represents Marketsmith’s understanding of CCPA rules and regulations, but it should not be considered a legal interpretation or recommendation.