4 Things to Remember When Implementing CCPA From a Product Point of View
Over the last few years, there has been growing scrutiny when it comes to data collection. People are starting to care about their privacy. This trend reached its peak in early 2018. The Cambridge-Analytica scandal revolving around Facebook exposed just how far companies and institutions are willing to go in the absence of regulation.
Cambridge Analytica collected data on millions of Facebook profiles without user consent. The data was subsequently used in order to create targeted political advertising campaigns. This scandal may have been a significant factor in changing the rules of the game and driving certain lawmakers to create action items in order to secure end-user privacy.
In May 2018 the European Union launched the General Data Protection Regulation (GDPR), which outlines a host of privacy-related obligations and huge fines for non-compliance. In the US, it seems that one of the first major states to create privacy rules with significant obligations and sanctions for non-compliance is California, where legislators passed the California Consumer Privacy Act (CCPA), effective from January 1st, 2020. However, it looks like the CCPA has yet to be finalized, as updates are continuously coming, so the input provided herein may not be final as well.
Along with the rest of the media industry, we at Minute Media rolled up our sleeves and started working on understanding and implementing the new regulations. As someone who has been leading this initiative from a technical standpoint, I’m happy to share the key points I’ve learned along the way, all from a product point of view. In essence, from my point of view, there are four very important takeaways.
1. Can my GDPR/ePrivacy consent management solution work for CCPA as well?
The regulators of the EU have a more proactive approach, requiring opt-in consent and pushing for a certain level of detail when informing end-users about data collection undertaken by publishers as well as our partners. In addition, by default, browser cookies of EU users are to be disabled until they opt-in. On the other hand, the CCPA is based on a slightly different approach, where the user takes the first action by opting-out (e.g. interact with a “Do not sell my info” button). Therefore, the required product solution for each regulation is different: A very proactive consent pop-up to EU users vs. a “Do not sell my info” button for California users.
Therefore, businesses should generally consider not having one solution for both GDPR and CCPA.
2. How can you implement it?
Once possible, CCPA product compliance solution can be one that detects the state of the user and displays a “Do not sell my info”- click to action button, if they are located in California. When selected, it may take the user to a pop-up (this could also be a landing page), allowing the user to request that his personal data will not be transferred to third parties, and also linking to the privacy policy where it is explained how to request access or deletion of data.
Where necessary, only users who pass a verification process will be allowed to actually receive their personal data or delete it. As part of the implementation, you can either build these services yourselves or use a third-party vendor. The benefit of a third-party vendor is that they have specific expertise in this field which can help in providing the optimal solution to your end-users. However, keep in mind that as regulation and internal business develops an external solution may not be as responsive to internal needs and may result in losing a certain amount of control over how you manage your internal compliance.
3. Where can I place the click to action button?
I’ve encountered this question occasionally during the implementation process. It seems that currently, the CCPA does not exactly specify where the button should be located on the website’s homepage. Some publishers place it on the navigation, others on the top of the page, while most of them place it within the footer. To ensure that the button is not missed by a user, it may be beneficial to consider placing it in two locations, such as the site menu and the footer button in order to make it reachable from each point of your website.
4. Do I also need to adjust my Privacy Policy?
Yes. Just adding the click-to-action button is likely not enough. The privacy policy needs to have certain references to the CCPA, including, for example, elaborated notices that explain how your company has sold and disclosed personal data of California residents in the preceding 12 months, the main rights that California residents have with respect to their personal data, and, in certain cases, even publish specific metrics regarding the number of user requests you have received in relation to the CCPA. You should review your privacy policy and adjust as necessary.
In his high school graduation speech, Drake once said “Sometimes it’s the journey that teaches you a lot about your destination”. For us here at MinuteMedia, the journey towards privacy compliance is one of great importance, therefore, we are paying close attention, allocating resources and learning as much as we can, in order to preserve our users’ privacy.
There is much more to cover, but these four takeaways should help kickstart the implementation process.
Feel free to reach out for any feedback to amit.e@minutemedia.com
This blog was written by a product manager at MinuteMedia, it is not exhaustive, and in no way constitutes as any legal advice. If you have any legal questions regarding this issue, please contact a lawyer.
(Photo and image portfolio by Good_Stock, shutterstock)