
Is Retargeting CCPA Compliant?

The CCPA is a sweeping consumer privacy law establishing greater rights for California state residents, who can now demand to see all of the personal information a company has saved on them and what it has shared with others. With widespread confusion over digital marketing and the CCPA, we take a deep dive into retargeting to help you stay on the right side of this often-ambiguous legislation.

What Does CCPA Mean for Advertisers?

The CCPA (California Consumer Privacy Act) sent shockwaves through the digital advertising sector when it came into force on January 1st, 2020. But although the rules have been in place for several months now, confusion still abounds as to exactly how the privacy law will impact established forms of online advertising like retargeting.

Before getting into the nitty-gritty, here’s a quick refresher of the CCPA as it stands...

The CCPA establishes various rights for California state residents grouped under the following headings:

The CCPA is broad in scope, but it doesn’t affect every business: It’s limited to mid- to large-sized companies that do business in California (regardless of where they’re located) and meet the following criteria:

‘Personal Information’ Under the CCPA

The CCPA has been roundly criticized (and rightly so) for its ambiguity in several key areas (see ‘sale’ below). Still, when it comes to defining personal data, it’s definitive, covering practically any data that could potentially be used by advertisers to build personal preference profiles. Consumers’ ‘personal information’ includes:

‘Sale’ Under the CCPA

We usually associate the word ‘sale’ with a straightforward monetary transaction. Still, the CCPA’s definition is far more inclusive, encompassing (wait for it…) “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” 

For companies that buy, sell, or facilitate the sale of targeted advertising, such a broad definition provides little room to maneuver. But there’s a workaround. A company is permitted to transfer consumer data to vendors that are classified as ‘service providers,’ which begs the question: what’s a service provider? To qualify as a service provider, a vendor has to:

CCPA and Retargeting

There’s no doubt that retargeting (also known as remarketing) works. Stats show that retargeted website visitors are 43% more likely to convert and that retargeted ads have a 10x higher click-through rate (CTR) than their regular display counterparts. Online retail is the sector most heavily invested in retargeting (occupying 27% of the market) with media (17%), tech (10%), healthcare (10%), finance (9%), education/government (8%), travel (5%), and agencies (4%) also relying on this potent form of programmatic advertising.

When it comes to retargeting and the CCPA, Facebook has taken the do-nothing approach, claiming that the Facebook Pixel, which gathers insights on users to target them with ads, “does not sell people’s data.” Instead, Facebook maintains that they only sell advertising space, and give away Pixel free of charge. Knowing what we do about the CCPA’s definition of the term ‘sale,’ this sounds like a rather dubious assertion. According to Facebook, brands and third parties should take responsibility themselves for how they protect personal data.

Google has taken a far more proactive and helpful approach, introducing ‘restricted data processing’ (discussed later). And Uber has added an “opt-out” button to its app, adding that “some sharing of personal information… may be considered a ‘sale,’ even if no money is exchanged.” Perhaps they should tell Facebook that!

Such uncertainty has hit every California-based digital agency hard. A 75% drop in digital advertising spend going towards California, between this year and last, is not unusual. Perhaps even more damaging, the CCPA seems to have catalysed a general trend towards companies taking their data buying and planning functions in-house in an attempt to maintain a tighter grip over the data they use, for fear of being guilty by association with any third-party acting in bad faith.

The notion of the ‘data lake,’ a vast repository of precious consumer data, in its rawest form, just waiting to be tapped and processed into ingenious retargeting opportunities, is starting to look more like a festering ‘data swamp.’ Ad tech companies are having to contend with the unknown provenance of much of the dirty data they hold and decide how much of it they’re going to have to drain away.

Economics 101 dictates that a reduction in the supply of data will lead to an increase in price, but it remains to be seen how it will affect quality. Will retargeting become less precise, because of the scarcity of the data? Or more effective, because the data will be up-to-date and representative? Only time will tell.

CCPA and Cookies

CCPA cookie consent is based on an opt-out mechanism, which means websites can still load cookies automatically, but they have to provide a transparent method for opting out. There’s no requirement for websites to display a CCPA cookie consent banner, but they must, at the very least, have a ‘cookie clause’ in their general terms and conditions that:

  1. States that they use cookies and explains briefly what cookies are;
  2. Discloses what types of cookies they (or any third parties) are using;
  3. Informs users why they use cookies; and
  4. Ensures users know how they can opt-out of having cookies placed on their devices.

How Restricted Data Processing Works

Google is playing its part in helping advertisers meet their CCPA data collection obligations through ‘restricted data processing,’ a new system that lets advertisers automatically restrict how data is processed for specific users through most Google products (including Google Ads, App Campaigns and Google Analytics).

Once restricted, Google only processes data for business purposes that meet CCPA requirements for programmatic advertising. These include ad delivery, reporting and measurement, security and fraud detection, debugging, and product feature optimization, but no personalization. Advertisers can enable restricted data processing on a per-user basis (for example, following a user opt-out by clicking on a ‘Do Not Sell My Personal Information’ link) or simply enable restricted data processing for all users in California, which is the easy option.

How Marketers Can Remain CCPA Compliant in 2020 and Beyond

To remain CCPA compliant long into the future, marketers will have to adopt a more respectful, transparent, customer-centric approach to the acquisition and use of consumer data, training employees on their CCPA liabilities, and keeping on top of necessary amendments to the legislation. For companies with annual revenue approaching the $25 million threshold, preparedness is especially crucial.

Marketers are going to have to reconsider tried and tested digital advertising practices in light of the recent changes. Take email marketing, for example: never has it been more critical to resist inundating customers with spammy correspondence, because customers can now do much more than simply unsubscribe. They can request the deletion of all the personal information that your company, and its associates, hold on them. That’s not only a loss of valuable data, but also a time-consuming and challenging task to carry out.

While the outlook for retargeting may initially look bleak, the CCPA categorically does not spell the end for personalization. On the contrary, it’s a massive opportunity to engage clients around best practices, get them back on side, and offer better, more effective personalization than ever before.

How to Be CCPA Compliant With Third-Party Monetization Partners

Under the new laws, a third party is defined as any entity that receives personal information that it hasn’t collected itself. That’s an expansive definition, and as such, not particularly helpful to those in digital marketing that have to familiarise themselves with every third-party’s CCPA policy. Whether it be Google ads, or ad networks like AdSense or Media.net, marketers have to go through all these policies with a fine-toothed comb or risk falling foul of the legislation by association.

Responsibilities and Obligations Under the CCPA

Companies covered by the CCPA have to publish compliant privacy notices and policies and update them every 12 months. As with the GDPR, companies also have to carefully manage and maintain data inventories, which are directories for handling sensitive data used for a business purpose.

Businesses have to make it easy for consumers to submit access and opt-out requests, and must respond to them within 45 days. This requires having, at the very least, a toll-free telephone number and an “interactive webform,” as well as a clearly labeled “Do Not Sell My Personal Information” link on the homepage, which takes visitors to all the required info.

Businesses must also have a mechanism in place to remove a user’s information from the data sold to third parties. And third party contracts and processor agreements have to be updated to include things like the provision of processing records, requirements for the syncing of consumer response processes, and more.

"If We're GDPR Compliant, Are We CCPA Compliant?"

The CCPA is essentially California’s answer to the EU’s GDPR (General Data Protection Regulation), and companies that have already complied with every GDPR privacy regulation will find it far easier to achieve CCPA compliance too. There are, however, several significant differences between the two sets of rules, some of which I’ve outlined below:

Penalties for Noncompliance With the CCPA

The CCPA differentiates between what it terms ‘intentional’ and ‘unintentional’ violators. Unintentional violators are fined $2,500, while businesses that are notified of non-compliance and do not comply within 30 days are deemed ‘intentional violators’ and face a higher fine of $7,500.

$7,500 might sound like chump change to a company generating $25 million in annual revenue, but this is levied on a per violation basis. If there’s a breach, that’s $7,500 per customer, and that will rack up very quickly indeed! Furthermore, individuals have the right to sue businesses that don’t comply with the law. And, if violations aren’t rectified within 30 days of a written complaint, and the California Attorney General declines to prosecute, then a business can be hit with a class-action suit.

By Randy Apuzzo

Randy has had a penchant for computer programming from an early age and started applying his skills to build business software in 2004. Randy's skills range from programming, system architecture, and business know-how to typographic design, which lends itself to truly customer-centric and business-effective software design. He leads the Zesty.io team as CEO.
