by Mirjam Sommerfeld
The CCPA and Affiliate Marketing are a topic Publishers and Advertisers doing business in California should review carefully.
1. What is the CCPA?
The CCPA has been effective since January 2020 and gives consumers that are California residents certain rights regarding the collection, use, storage, and transfer of their personal information. The CCPA imposes certain duties for businesses. It can be applicable for publishers or advertisers doing Affiliate Marketing.
2. Who needs to comply with the CCPA?
The CCPA applies to for-profit businesses doing business in California that meet one or more of the following:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
The CCPA applies to Service Providers which are for-profit entities that process information on behalf of a business. A Service Provider is a business that receives personal information for business purposes or pursuant to a written contract.
The rights under the CCPA are for California residents only. The CCPA does not apply to nonprofit organizations. If a publisher or advertiser falls under one of these categories and has users that are California residents, the CCPA applies. Publishers or advertisers can fall under different categories depending on what personal information they collect and how they use it. They can even fall under different categories depending on the stage of their doing.
3. What do publishers have to do?
a) Privacy notice
Publishers must inform consumers at or before the point of collection about:
- The categories of personal information that are collected
- The purposes for each category
- Give further notice if additional categories are collected
b) Duty to inform consumers about their rights
The CCPA provides the following privacy rights for California consumers:
- The right to know what personal information a business collects and how it is used and shared;
- The right to delete personal information;
- The right to opt-out of the sale of personal information; and
- The right to non-discrimination for exercising the CCPA rights.
Publishers and Advertisers have to provide an explicit notice explaining these rights in clear terms.
c) “Do not sell my personal information” link
Publishers and Advertisers have to include a clear and conspicuous “Do not sell my personal information” link for California residents on their websites. The link should allow California residents to opt-out of the sale of their personal information. Publishers and Advertisers cannot sell personal information after a user has clicked on the link. They have to take technical measures and communicate with their tech partners to ensure that. Advertisers have to inform their ad companies when a user has opted-out and make sure that personal information is no longer sold.
Personal information that has been collected to fulfill the opt-out request cannot be used for marketing or other purposes anymore.
4. What happens if publishers or advertisers do not comply with the CCPA?
The CCPA allows fines to be imposed of up to $2,500 for each violation or up to $7,500 for each intentional violation.
5.CPRA (California Privacy Rights Act)
The CPRA augments the CCPA inter alia by adding more rights for California residents and data retention provisions. That law will become effective on January 1, 2023. We will discuss the changes in a separate post.