In our first post in our California Consumer Privacy Act series, we introduced the new legislation and talked through its purpose. The law provides an opportunity for publishers to (re)establish trust with their customers through increased transparency and accountability.
Now, we’ll provide more detail to help you determine whether the new law applies to you and what the possible repercussions of non-compliance are.
Who does the California Consumer Privacy Act of 2018 apply to?
The law applies to any for-profit “‘Business’ that collects consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
- Has annual gross revenues in excess of $25,000,000[…] or
- Annually sells, alone or in combination, the personal information of 50,000 or more consumers or devices; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information; and any entity that controls or is controlled by [that business]”(1798.140, 1, A).
What information is “personal information” under the California Consumer Privacy Act?
All of the following fall under the definition of personal information:
- Identifiers such as a real name, alias, postal address, unique identifier, internet
protocol address, electronic mail address, account name, social security number,
driver’s license number, passport number, or other similar identifiers;
- All categories of personal information enumerated in Civil Code 1798.80 et. seq, with
specific reference to the category of information that has been collected;
- All categories of personal information relating to characteristics of protected
classifications under California or federal law, with specific reference to the category
of information that has been collected, such as race, ethnicity, or gender;
- Commercial information, including records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Biometric information; [including voice and face recognition used commonly by IoT devices]
- Internet or other electronic network activity information, including but not limited to,
browsing history, search history, and information regarding a consumer’s interaction
with a website, application, or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Psychometric information;
- Professional or employment-related information;
- Inferences drawn from any of the information identified above; and
- Any of the categories of information set forth in this subdivision as they pertain to the minor children of the consumer.
Which personal information is most important to U.S. publishers and ad tech vendors?
As you can see above, California’s law contains a broad definition for personal data which includes “unique identifiers” and “IP addresses,” and specifically calls out “Internet or other electronic network activity information, including but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.” This means that basically any individualized advertising behavior, on any device, is now protected by the law. It also means that any campaign targeting with geolocation data or DMP segments with protected class characterizations are subject to the law.
What is the penalty for violating the act?
Any person or business that intentionally violates this Act may be liable for a civil penalty of up to $7,500 for each intentional violation with no state maximum fine. For example, an individual violation could represent each line in a database, resulting in thousands of individual violations per enforcement. For unintentional violations, companies will pay $2,500 for each violation if they fail to fix it within 30 days.
Moreover, government entities at any level of state government in California can bring the suit and there are special stipulations (and compensation of 15% of the fines) that encourage whistleblowers.
Finally, the law stipulates a private right of action to enforce data breaches, meaning direct consumer lawsuits are also encouraged, which could lead to a flurry of class-action lawsuits.
What should I do now?
As a result of GDPR preparations, many companies in our industry are already familiar with their own data protection and management protocols and processes. This means that as an industry, we should be well-prepared to properly inform the public of our processing behaviors so that citizens can make an informed choice. For the publishers and vendors that chose to exit the EU as a result of GDPR, you likely have much more work to do to update your behaviors and processes to comply with the new law.
It is important to note that the industry is still lobbying heavily to clarify and refine the law, so there will likely be changes in the coming months that could affect implementation and compliance efforts. In a future blog post, we’ll outline some initial steps you can take to achieve compliance.
This article was written by Eric Shiffman, product marketing manager at SpotX.