What is CCPA? What Do Mediavine Publishers Need to Do About it?

Chances are a lot of you have heard the acronym CCPA in the news lately. If you haven’t, well, now you have. What is CCPA and why should you care? Glad you asked.

The California Consumer Privacy Act, or CCPA, is a privacy and consumer protection bill (AB-375) for residents of California. It officially goes into effect on January 1, 2020.

CCPA regulations are designed to enhance privacy and data protection for California residents, much like the EU’s General Data Protection Regulation (GDPR) last year.

A man typing at a laptop computer

What is CCPA? Is it the same as GDPR?

CCPA is in many ways similar to the GDPR, which went into effect in the European Union in mid-2018. However, there are significant differences beyond the obvious geographical ones.

The key takeaways for Mediavine publishers are as follows:

CCPA is opt-out

Unlike GDPR, CCPA regulations are structured on an “opt-out” basis. This means you can collect data about your users, but must specifically give your users a way to opt out of this.

CCPA is focused on the sale of personal information

Long story short, CCPA is designed to regulate the sale of the user’s personal information. Or as the law says, “transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”

California wants residents to know how their personal information is being used, and to give them the chance to opt out of the sale of that information.

Who does CCPA impact?

If you’re a Mediavine publisher, CCPA regulations probably apply to you. Why?

Because anyone who “buys, receives for commercial purposes, sells or shares for commercial purposes, the personal information of 50,000 or more California residents, households, or devices each year” must be compliant.

Given the Mediavine requirements of 50,000 sessions a month, and California likely providing a bunch of that traffic as the most populous U.S. state, it’s possible, even likely, that you receive 50,000-plus California residents visiting per year.

What is “personal information” in this context?

CCPA defines “personal information” fairly broadly. The law describes it as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

That could mean anything from a user’s IP address to their browser and search history.

Moreover, CCPA also considers any data used to “create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” as personal information.

So more or less, anything a site does to personalize the experience for users could fall under this.

Hands typing on a wireless keyboard.

But I’m not selling any personal information …

We know. You’re likely not directly in the data-selling game, and neither is Mediavine for that matter. However, if you’re a Mediavine publisher, you are monetizing via advertisements.

The IAB (Interactive Advertising Bureau) considers the transfer of data for monetary compensation as part of the sale of advertisements. While it may not sound like what Mediavine is, fundamentally, we are certainly involved in this complex process and must remain on the safe side.

So you can assume if you have at least 50,000 California visitors a year and are running advertisements, then CCPA impacts you.

What is Mediavine doing about CCPA?

Prepare for acronym overload: Mediavine is following the IAB CCPA Compliance Framework and releasing a Consent Management Platform (CMP) for CCPA, much like we did with GDPR.

However, since these CCPA regulations are opt-out (see above), and the IAB CCPA Compliance Framework is significantly different, it’s also going to be a much different implementation.

At this time, the implementation will be less intrusive than what we put forward for GDPR, and should make for a better user experience given the opt-out vs. opt-in nature of the regulations.

TL;DR – We will help publishers provide notice to their users, and an easy, obvious way for users to opt out of data sales.

What if a user actually does opt out?

Great question. If a user opts out of the sale of their personal information, the IAB CCPA Compliance Framework has mechanisms for us to convey their consent – or lack of consent, in this case — to our advertising partners.

Our ad partners will then serve non-personalized advertisements to those users, ensuring no personal information is collected, used or sold at any point during the transaction.

While advertisements won’t be as effective for those users — they’ll still be receiving ads, but not ones curated for them personally — this process will respect their choice if they opt-out.

A mobile blog user.

Is this going to ruin my RPM in California?

Another great question, albeit one we can’t fully answer yet. It’s a little early to know the impact of CCPA on RPMs in California because nothing is being enforced (the law takes effect January 1, 2020).

However, with GDPR, what we’ve seen is most users allowing consent for personalized ads in the EU and we hope to see similar results in California.

We honestly think that personalized ads offer a better experience for the Internet as a whole, and users have very little to worry about. Unfortunately, nefarious practices of several companies have raised privacy concerns, which we fully support.

If I use the Mediavine CMP, do I need to do anything else?

Ultimately, CCPA will require more than you just relying on Mediavine to help with the advertising side of things.

Chances are you’re also using other data providers, which are collecting and/or selling data, and you’re ultimately responsible under CCPA regulations to know what’s happening with that data.

For example, if you’re running analytics, sending out a newsletter, or other things that many of us do and may seem benign, you’ll still need to establish that these providers and their methods are CCPA compliant as well.

You will also need to update your privacy policy as the CCPA has additional notice requirements.

TL;DR – The Mediavine CMP provides your users notice and the ability to opt out. You’ll need to make sure any services you’re using that sell data are respecting that setting.

We conform to the IAB standard and there’s an easy API that any of your other providers can access. (And again, you will also need to update your privacy policy to include CCPA disclosures.)

We recommend you watch our Facebook Live and check out this CCPA Handout by Jamie Lieberman of Hashtag Legal. It provides a checklist to help you know what you need to do.

But ultimately, we would recommend a consultation with counsel to make sure you’re fully protected.