The California Consumer Privacy Act will come into effect in January, but many publishing executives remain completely unaware of the new law.
When Digiday polled 200 U.S. publisher executives this February only half of them said they were aware of what CCPA was, and over half of those aware of it said their companies have not yet begun preparing for its introduction.
The CCPA will grant California’s 40 million residents access to any personal data collected from them by publishers and other online advertising companies, and will allow them to request its deletion. The law could also mean penalties on companies of up to $2,500 per person for each violation they commit, such as selling the information of a person who has specifically asked that their information not be sold.
But despite the fact the legislation becomes enforceable in less than a year and could have considerable financial repercussions for non-compliant companies, few publishing executives who were aware of the legislation said their companies were taking steps to prepare. Of the respondents who know of the CCPA, only 48 percent said their companies had begun work to ensure compliance.
If companies have yet to begin working on CCPA regulations, they should do so quickly. Some believe that complying with the CCPA will be harder than adhering to General Data Protection Regulation. Compared to the four years companies had to prepare for GDPR, publishers have just months to prepare for CCPA.
And because CCPA is not identical to the GDPR that went into force last May in the European Union, companies won’t be able to copy and paste their GDPR provisions to their California audiences and claim to follow the law. There are some “overlapping similarities”, however, according Stephen Hicks, general counsel at Ziff Davis.
To make matters more complicated, there remains significant uncertainty around what the final legislation will actually look like due to potential amendments, trade group recommendations and ongoing lobbying efforts in Congress to create Federal-level laws.
Because of the uncertainty, “no publisher can say it’s completely compliant now,” said Hicks. But he added, “it is not too soon for publishers to spend time understanding it and taking measures to prepare like updating privacy policies.” Other steps publishers can take is mapping out their user data sources to more easily identify California residents data. Building out and testing “Do Not Sell” buttons on their homepages for consumers to opt out of having their data sold to third-parties isn’t a bad idea either.
One reason CCPA hasn’t garnered as much attention in the media world as GDPR is that agencies and brands aren’t reliant on publishers gaining user consent for them to collect consumer information. Unlike GDPR where companies needed a legal basis to collect consumers personal information, that is “not necessarily an issue with CCPA,” said Hicks. Without shared responsibility to collect personal user data, marketers aren’t culpable if publishers aren’t compliant.
Some publishers are adopting a wait-and-see approach with regards to CCPA regulations. One mid-sized publisher told Digiday that it was waiting, “to see if the Federal government steps in,” before it spends time and resources to the issue.
Regardless of the reason, many expect publishers to scramble at the last-minute to satisfy the CCPA requirements. The anonymous publisher admitted, “we didn’t start working on GDPR until six months before the deadline, and we’ll probably do the same for CCPA.”
Meanwhile, publishers have other reasons to be concerned with the CCPA. Under it, consumers can request publishers stopping selling their personal information to third parties like agencies or ad-tech vendors that use it for targeting purposes.
While selling audience data does not provide significant revenues for publishers, it is not uncommon either. Earlier Digiday research found that nearly 25 percent of publishers sell their audience data. And in a time of squeezing margins for media businesses, every extra dollar helps.