Top 7 CCPA Tips for App Marketers
February 06, 2020
Facial recognition. Location tracking. Music preference. Food Choices. Relationship Status. Personal Information. Electoral Influence. We live in a data-driven world and information is king.
It has been a month since the CCPA took effect and a bit over a year since the GDPR did. But what do these laws really mean for users and for marketers alike?
In this opinion piece, we’re interviewing Christian Eustermann, Remerge’s General Counsel and advocate for stricter data protection, on the topic of privacy. We’ll cover the basics, then tackle some questions to help marketers navigate their way through these new laws.
First of all, what is the CCPA?
The California Consumer Privacy Act (CCPA) is a bill that enhances privacy rights and consumer protection for residents of California, United States. The CCPA took effect on January 1, 2020.
The CCPA provides these rights to consumers:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request a business to delete any personal information about a consumer collected from that consumer.
- Equal service and price, even if they exercise their privacy rights.
Who is the CCPA for (who should care)?
The CCPA applies to any business in California that collects personal data and satisfies any of the following:
- has annual gross revenues in excess of $25 million; or
- possesses the personal information of 50,000 or more consumers, households, or devices; or
- earns more than half of its annual revenue from selling consumers’ personal information.
As the CCPA and GDPR only protect Californian and European residents, what does this mean for those who live outside those regions? What if these residents travel or move abroad?
Before getting to territorial differences, we’ll first have to define the scope of the CCPA and nail down the definition of “resident”.
CCPA is relevant for anyone doing business in California. This also includes companies that operate outside of California or do business with Californians, which means having customers within the state, or, in our industry context, targeting residents with ads.
But what does “resident” actually mean?
Does the term only apply to those living in the state? And if so, for how long? According to the Clarity in Privacy’s CCPA Definition of Consumer, “a resident includes every individual who is in the state for other than a temporary or transitory purpose” or is “domiciled in this state but is outside the state for a temporary or transitory purpose”. This means that visitors to California are not covered by the law, but Californians who move abroad are.
For example, visiting San Francisco on a business trip or taking a layover flight over to Hawaii will not count for protection. However, for some there is still great uncertainty. Those who move to California and decide to stay longer may or may not be eligible for protection under the CCPA.
What advice can you give app marketers whose strategies cover geographies with mixed privacy laws?
Three words: play it safe.
For mobile marketing, even though location data of different granularities might be available, it doesn’t guarantee much because any user’s geolocation only reflects where they currently are. California residents who are travelling abroad may not be identifiable with their state or country of residence, but are actually covered by the law. For example, if a California resident travels to Paris for vacation, the device’s location will be registered as within France even though the user is still a Californian resident.
Likewise, we do not know whether a European traveller in California intends to stay in California for temporary or transitory purposes or even decides to stay and eventually become a California “resident”. We also do not know for how long that traveller has already been in California.
GDPR’s territorial scope, in comparison, covers where the data is being processed (i.e. if the processing happens within Europe, GDPR applies; if the information belongs to a European resident, wherever they are, GDPR applies), whereas the CCPA applies to the user itself. Having any touch point with the state’s residents means that the law is applicable to the business. Since it’s almost impossible to accurately track if a user is a resident or not, the best practice is to treat everyone the same way.
By playing it safe and applying the same strict rules for everyone around the globe, there’s much less to worry about.
Does being GDPR compliant guarantee you're CCPA compliant?
In general, it does. The definition of what constitutes Personal Information (PI) however is broader and more complex under CCPA, defining PI as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” A key variation with GDPR is the word “household” which adds more complexity to the implementation of the Act. For example, data collected by an entity may not be associated with an individual but could identify a household.
While the CCPA does not provide for the GDPR roles of “Controller” and “Processor”, it works with the terms “Business” and “Service Provider”, where the latter processes data on behalf of a Business, much like a “Processor” does under GDPR for its Controller.
Deloitte summarizes the differences quite well in the image below. Note that opting-out of sale doesn’t mean that data cannot be processed by the business that collected the data from the consumer.
What are some processes you can recommend companies immediately implement to become compliant?
What companies need to do to become compliant is to have technical and organizational processes in place to safeguard consumers’ privacy and data security.
To name a few:
- monitor which data they have;
- monitor which users asked to opt out or for the deletion of their data;
- have a privacy policy in place (informing users what they do with the data, what they use it for, and giving them the possibility to opt out);
- have a solidified process on what to do with users who opted out;
- control access to data (only those who need to use it can access it);
- educate employees and have policies in place on how to treat personal information and how to keep it safe;
- make sure that technical measures (encrypting data both at rest and in motion, but also having door locks) and organizational measures (internal processes) are implemented for privacy and data security.
A must-have: hire an auditor, not for a one-time audit but for a continuous one, because we want to be as sure as we can be about what we can or cannot do within or outside of the framework. Establishing a privacy and/or compliance team would also be a big plus.
What should marketers ask their UA and retargeting partners to ensure they are in compliance?
Does your external partner provide state-of-the-art technical and organizational measures to ensure privacy and security of data entrusted with them?
Any final thoughts or comments?
It’s great to see laws and changes taking place to protect consumers, especially in today’s world where information is easily accessible. I’ve always been an advocate for data privacy and security, and I’m happy to be part of a company that is truly committed to having the highest standard of protection. Advertising as an overall industry is surely affected, but I think for the better.
Since 2014, Remerge has been compliant with the German privacy standards, and has since taken adequate measures to provide the highest level of data protection and privacy for its clients and their customers. Remerge has hired a General Counsel and undergoes continuous external auditing to ensure utmost and permanent compliance. Effective 2018, Remerge has been GDPR-compliant and consequently CCPA-compliant.