Is Retargeting CCPA Compliant?

Randy Apuzzo

April 2020

The CCPA is a sweeping consumer privacy law establishing greater rights for California state residents, who can now demand to see all of the personal information a company has saved on them and what it has shared with others. With widespread confusion over digital marketing and the CCPA, we take a deep dive into retargeting to help you stay on the right side of this often-ambiguous legislation.

What Does CCPA Mean for Advertisers?

The CCPA (California Consumer Privacy Act) sent shockwaves through the digital advertising sector when it came into force on January 1st, 2020. But although the rules have been in place for several months now, confusion still abounds as to exactly how the privacy law will impact established forms of online advertising like retargeting.

Before getting into the nitty-gritty, here’s a quick refresher of the CCPA as it stands...

The CCPA establishes various rights for California state residents grouped under the following headings:

  • “The Right to Know” what personal information a business has collected, used, shared, or sold.

  • “The Right to Delete” all of the personal details that a company, or its associates, has stored on them.

  • “The Right to Opt-Out” of the sale of their personal information for commercial purposes.

  • “The Right to Non-Discrimination” - businesses can’t provide different prices or levels of service to those that have exercised their CCPA rights.

The CCPA is broad in scope, but it doesn’t affect every business: It’s limited to mid- to large-sized companies that do business in California (regardless of where they’re located) and meet the following criteria:

  1. Annual revenue exceeding $25 million, or
  2. Receives data from at least 50,000 people, households, or devices every year, or
  3. Generates at least 50% of its annual revenue from selling personal data.

‘Personal Information’ Under the CCPA

The CCPA has been roundly criticized (and rightly so) for its ambiguity in several key areas (see ‘sale’ below). Still, when it comes to defining personal data, it’s definitive, covering practically any data that could potentially be used by advertisers to build personal preference profiles. Consumers’ ‘personal information’ includes:

  • Identifiers (i.e., name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers)

  • Commercial information (i.e., records of personal property, products or services purchased, obtained, or considered, or additional purchasing or consuming histories or tendencies)

  • Biometric information (i.e., DNA or genetic information)

  • Internet or other electronic network activity information (i.e., browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement)

  • Geolocation data

  • Audio, electronic, visual, thermal, olfactory, or similar information

  • Professional or employment-related information

  • Education information provided that it is not publicly available

  • Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, etc.

‘Sale’ Under the CCPA

We usually associate the word ‘sale’ with a straightforward monetary transaction. Still, the CCPA’s definition is far more inclusive, encompassing (wait for it…) “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” 

For companies that buy, sell, or facilitate the sale of targeted advertising, such a broad definition provides little room to maneuver. But there’s a workaround. A company is permitted to transfer consumer data to vendors that are classified as ‘service providers,’ which begs the question: what’s a service provider? To qualify as a service provider, a vendor has to:

  • Be a legal entity organized for profit;

  • that processes information on behalf of a business;

  • to which the business discloses a consumer’s personal information for a business purpose;

  • under a contract that prohibits the vendor from retaining, using, or disclosing the personal information for any purpose other than performing the services specified in the contract.

CCPA and Retargeting

There’s no doubt that retargeting (also known as remarketing) works. Stats show that retargeted website visitors are 43% more likely to convert and that retargeted ads have a 10x higher click-through rate (CTR) than their regular display counterparts. Online retail is the sector most heavily invested in retargeting (occupying 27% of the market) with media (17%), tech (10%), healthcare (10%), finance (9%), education/government (8%), travel (5%), and agencies (4%) also relying on this potent form of programmatic advertising.

When it comes to retargeting and the CCPA, Facebook has taken the do-nothing approach, claiming that the Facebook Pixel, which gathers insights on users to target them with ads, “does not sell people’s data.” Instead, Facebook maintains that they only sell advertising space, and give away Pixel free of charge. Knowing what we do about the CCPA’s definition of the term ‘sale,’ this sounds like a rather dubious assertion. According to Facebook, brands and third parties should take responsibility themselves for how they protect personal data.

Google has taken a far more proactive and helpful approach, introducing ‘restricted data processing’ (discussed later). And Uber has added an “opt-out” button to its app, adding that “some sharing of personal information… may be considered a ‘sale,’ even if no money is exchanged”. Perhaps they should tell Facebook that!

Such uncertainty has hit every California-based digital agency hard. A 75% drop in digital advertising spend going towards California, between this year and last, is not unusual. Perhaps even more damaging, the CCPA seems to have catalysed a general trend towards companies taking their data buying and planning functions in-house in an attempt to maintain a tighter grip over the data they use, for fear of being guilty by association with any third-party acting in bad faith.

The notion of the ‘data lake,’ a vast repository of precious consumer data, in its rawest form, just waiting to be tapped and processed into ingenious retargeting opportunities, is starting to look more like a festering ‘data swamp.’ Ad tech companies are having to contend with the unknown provenance of much of the dirty data they hold and decide how much of it they’re going to have to drain away.

Economics 101 dictates that a reduction in the supply of data will lead to an increase in price, but it remains to be seen how it will affect quality. Will retargeting become less precise, because of the scarcity of the data? Or more effective, because the data will be up-to-date and representative? Only time will tell.

CCPA and Cookies

CCPA cookie consent is based on an opt-out mechanism, which means websites can still load cookies automatically, but they have to provide a transparent method for opting out. There’s no requirement for websites to display a CCPA cookie consent banner, but they must, at the very least, have a ‘cookie clause’ in their general terms and conditions that:

  1. States that they use cookies and explains briefly what cookies are;
  2. Discloses what types of cookies they (or any third parties) are using;
  3. Informs users why they use cookies; and
  4. Ensures users know how they can opt-out of having cookies placed on their devices.

How Restricted Data Processing Works

Google is playing its part in helping advertisers meet their CCPA data collection obligations through ‘restricted data processing,’ a new system that lets advertisers automatically restrict how data is processed for specific users through most Google products (including Google Ads, App Campaigns and Google Analytics).

Once restricted, Google only processes data for business purposes that meet CCPA requirements for programmatic advertising. These include ad delivery, reporting and measurement, security and fraud detection, debugging, and product feature optimization, but no personalization. Advertisers can enable restricted data processing on a per-user basis (for example, following a user opt-out by clicking on a ‘Do Not Sell My Personal Information’ link). Alternatively, they can simply enable restricted data processing for all users in California, which is the easy option.

How Marketers Can Remain CCPA Compliant in 2020 and Beyond

To remain CCPA compliant long into the future, marketers will have to adopt a more respectful, transparent, customer-centric approach to the acquisition and use of consumer data, training employees on their CCPA liabilities, and keeping on top of necessary amendments to the legislation. For companies with annual revenue approaching the $25 million threshold, preparedness is especially crucial.

Marketers are going to have to reconsider tried and tested digital advertising practices in light of the recent changes. Take email marketing, for example: Never has it been more critical to resist inundating customers with spammy correspondence. Customers can now do much more than simply unsubscribe; they can request the deletion of all the personal information that your company, and its associates, hold on them. That’s not only a loss of valuable data, but also a time-consuming and challenging task to carry out.

While the outlook for retargeting may initially look bleak, the CCPA categorically does not spell the end for personalization. On the contrary, it’s a massive opportunity to engage clients around best practices, get them back on side, and offer better, more effective personalization than ever before.

How to Be CCPA Compliant With Third-Party Monetization Partners

Under the new laws, a third party is defined as any entity that receives personal information that it hasn’t collected itself. That’s an expansive definition, and as such, not particularly helpful to those in digital marketing that have to familiarise themselves with every third-party’s CCPA policy. Whether it be Google ads, or ad networks like AdSense or Media.net, marketers have to go through all these policies with a fine-toothed comb or risk falling foul of the legislation by association.

Responsibilities and Obligations Under the CCPA

Companies covered by the CCPA have to publish compliant privacy notices and policies and update them every 12 months. As with the GDPR, companies also have to carefully manage and maintain data inventories, which are directories for handling sensitive data used for a business purpose.

Businesses have to make it easy for consumers to submit access and opt-out requests, and have to respond to them within 45 days. This requires having, at the very least, a toll-free telephone number and an “interactive webform,” as well as a clearly labeled “Do Not Sell My Personal Information” link on the homepage, which takes visitors to all the required info.

Businesses must also have a mechanism in place to remove a user’s information from the data sold to third parties. And third party contracts and processor agreements have to be updated to include things like the provision of processing records, requirements for the syncing of consumer response processes, and more.

"If We're GDPR Compliant, Are We CCPA Compliant?"

The CCPA is essentially California’s answer to the EU’s GDPR (General Data Protection Regulation), and companies that have already complied with every GDPR privacy regulation will find it far easier to achieve CCPA compliance too. There are, however, several significant differences between the two sets of rules, some of which I’ve outlined below:

  1. The CCPA protects California residents that it terms ‘consumers.’ These are any persons in California for more than “a temporary or transitory purpose” and anyone “domiciled in the state” but outside of the state for a “temporary or transitory purpose.” The GDPR focuses on “data subjects,” and that includes anybody whose personal data is being collected, held, or processed, regardless of whether they are an EU citizen or not.

  2. The GDPR guards against the breach of personal information linked to an identified person. The CCPA guards against the breach of personal data that can be linked to an individual or specific household.

  3. The CCPA stipulates that websites must give consumers the right to opt-out of the sale of their personal information. The GDPR doesn’t have such a requirement.

  4. The CCPA only affects businesses of a specific size, while the GDPR affects every business or person with a means of processing data online.

Penalties for Noncompliance With the CCPA

The CCPA differentiates between what it terms ‘intentional’ and ‘unintentional violators.’ Unintentional violators are fined $2,500, while businesses that are notified of non-compliance and do not comply within 30 days are deemed ‘intentional violators,’ and face a higher fine of $7,500.

$7,500 might sound like chump change to a company generating $25 million in annual revenue, but this is levied on a per violation basis. If there’s a breach, that’s $7,500 per customer, and that will rack up very quickly indeed! Furthermore, individuals have the right to sue businesses that don’t comply with the law. And, if violations aren’t rectified within 30 days of a written complaint, and the California Attorney General declines to prosecute, then a business can be hit with a class-action suit.
