The California Consumer Privacy Act (CCPA) was enacted to provide California consumers with greater transparency and control over their personal information. The CCPA was created in response to changing public perceptions. Users, rightfully, want to understand and have the option to exercise control over their own data. Therefore, companies in the ad tech ecosystem need a way to ensure that everyone is compliant with the law, and playing by the same rules. So how does it work, and how can we help you comply?
- How does the CCPA work?
- What publishers should expect with the CCPA
- Why you need a CMP like Didomi
On Thursday, April 23rd, 2020, PubMatic hosted a webinar to educate the industry and affected publishers on this new legislation. Marina Gu, Senior Director & Customer Enablement at PubMatic, moderated the conversation between Thomas Chow, General Counsellor at PubMatic, Ashwanth Vemulapalli, Senior Product Manager at PubMatic, and myself, Jawad Stouli, CTO & Co-Founder of Didomi. I was invited to present some practical & technical aspects of CCPA compliance thanks to a Consent Management Platform (CMP) such as ours.
The webinar also addressed CCPA's legal implications, the IAB’s CCPA framework, and the U.S. Privacy String.
How does the CCPA work?
The IAB’s CCPA Framework requires participating publishers that choose to sell the personal information of California consumers in the delivery of digital advertising to provide “explicit” notice regarding their rights under the CCPA, to explain in clear terms what will happen to their data, and to notify the downstream technology companies with which the publishers do business that such disclosures were given.
Unlike the GDPR in Europe, which is an “opt-in” regime requiring consent, the CCPA is an “opt-out” regime requiring publishers to include a “Do Not Sell My Personal Information” link on their digital properties.
What publishers should expect with the CCPA
There are three main elements, to my mind, that publishers and advertisers should look out for.
First, there will be a massive adoption of the IAB’s CCPA framework. We expect the IAB to play the same role as the TCF in Europe, which was key in standardizing the way consent is collected and shared between publishers, vendors and advertisers.
Second, the impact on CPM and revenue is likely to be much lower in the US than in Europe, because the CCPA is an “opt-out” model. This implies higher opt-in rates from users and a lower impact on publishers’ operations. Indeed, the opt-out rate will potentially be lower than 1%.
Third, expect more US regulations to follow. It is very likely that there will be iterations of similar regulations throughout the country, and you should prepare to be capable of complying with changing regulations from every location you operate in.
For all these reasons, a Consent Management Platform (CMP) like Didomi can easily help you integrate the IAB CCPA framework and achieve compliance with evolving regulations.
Why you need a CMP like Didomi
CMPs are very easy to deploy: they work just like your other partners and vendors. You get a small piece of code that you embed in your website or your mobile app, just like your regular tags, and the CMP then automatically starts interacting with the users and vendors.
Collect, store and share consent
Didomi was created in 2017 to help with compliance with data privacy regulation both in the EU and in the US, for ad tech publishers, advertisers, and anyone who has to deal with the GDPR or the CCPA.
We collect user choices by helping publishers inform their users of the choice to opt in to or out of the sale of information. We store that information to keep a legal proof of how that user was informed, and what the user choice was. Finally, we share users' choices with vendors, automatically ensuring that the ad request complies with local regulations.
Bear in mind that CMPs like Didomi provide standard user interfaces to make you compliant, but we advise you to configure and adapt the look-and-feel and messaging, to make sure that the end result is customized to your particular brand experience.
Simple deployment, instant benefits
A CMP like Didomi is very easy to configure. You may create a platform for a website, an AMP website, or a mobile app. Decide which regulations you want to cover with your notice (CCPA, GDPR), and configure the look-and-feel of your notice to match your company’s visual identity. You end up with a tag that you can deploy to make sure your consent notice appears on your website. And the job is done!
The standard workflow is for a user to see the notice and then either ask for more information and choose not to have their data sold, or simply acknowledge the notice and potentially ignore it. In the latter case, your notice will disappear on the next page, and the user will be opted into the sale of personal data. For you to be in full compliance with the IAB CCPA framework, users will also be given the option to change their minds later on.
Deployment is done with your usual tools through your tag managers or directly through your website, and works exactly the same way for your websites or your mobile apps.
As a publisher, you are free to do all of that yourself. However, we do see that it gets complicated for publishers over time to build and maintain their notices, and to comply with different, ever-evolving regulations. A commercial CMP like Didomi will bring years of experience and expertise to make sure that you are always compliant and up-to-date with frameworks and regulations.
Check out our website to help you get started with compliance!