How CCPA Impacts Mobile Advertising and AdTech

Following the EU’s landmark General Data Protection Regulation (GDPR), California’s new law, The California Consumer Protection Act (or CCPA) is the US’s most significant data privacy act to date. Its implications are far-reaching for mobile advertisers and app developers.

What is CCPA?

After being enacted in 2018 under the name Act AB-375, California’s sweeping new data privacy law came into effect on January 1st 2020. It is a state-wide regulation that creates new consumer rights pertaining to the access, deletion and sharing of personal information by businesses.

These rights can broadly be understood in four categories. Consumers have:

  • The “Right to Know” what personal information is being collected, used, shared, and sold (including both category of info and specifics)
  • The “Right to Delete” personal information held by businesses and those businesses’ service providers.
  • The “Right to Opt-Out” of the sale of personal information and direct businesses that sell their information to cease doing so. Children under the age of 16 must provide opt-in consent. Those under the age of 13 require a parent or guardian’s opt-in consent.
  • The “Right to Non-Discrimination” in prices and services should they choose to exercise the previous privacy rights.


What does this mean for businesses?

Businesses subject to CCPA are those that:

  • Have gross annual revenue in excess of $25m,
  • Derive more than 50% of annual revenue from the sale of consumers’ personal information, and/or
  • Buy, receive, or sell the personal information of 50,000 or more consumers, households or devices.

N.B. Businesses that handle personal information of more than 4 million consumers will have additional record-keeping and training obligations.

All businesses that meet these requirements with consumers in California must provide notice to consumers at or before data collection while simultaneously providing a “do not sell my info” opt-out link on both websites and mobile apps. User-enabled privacy settings that signal ‘opt out’ will also count as a valid request and must be treated as such. These obligations remain in place even if the consumer does not maintain a password-protected account with the business.


How does CCPA affect mobile advertisers and app developers?

Much like the EU’s equivalent GDPR legislation, CCPA affects both native citizens and businesses headquartered in the area, as well as any external business that interacts with those citizens. The ‘California’ qualification is not for businesses, but for end users. Mobile tech is, by very definition, mobile. The geographic proliferation of apps and mobile ads, coupled with the fact that the industry is built on the maximization of user acquisition, clicks and downloads, makes the industry especially vulnerable to CCPA’s significant fines.

N.B. GDPR and CCPA should not be treated as identical. GDPR is ‘opt-in’ and has more specific requirements. CCPA is opt-out, but defines data more broadly (including any personal identifiers, commercial data, geolocation data, biometric data, and employee data).

The processing of Personally Identifiable Information (PII) is pervasive in the mobile tech and mobile advertising industries. Just as with personal computers and servers, it is vital that mobile apps and devices comply with the rulings.

The majority of tools to help businesses manage consumer privacy preferences are web focused. Mobile apps do not have the same frameworks readily available. Apps need to take meaningful steps to understand the data they have attached to individual users, how that data can be communicated and managed, as well as how third parties are using it.

With time, direct solutions may become more available for app developers. In the meantime, it is highly recommended that apps use Consent Management Platforms (CMPs) to streamline a complex process. Unfortunately, while there are now CMPs updated in light of GDPR, there are only a few who have updated their tech for mobile integration under CCPA.

Without a CMP, publishers who utilise programmatic advertising or who send ad calls to third parties must find alternative ways to strip PII for users, including: IP, mobile IDs and cookie syncing IDs. This could be done in-house, writing code to automatically strip excluded users’ data through server-side integrations with partners. Those reliant on JavaScript tags may not have that level of control, and therefore must find another way to honor users’ data requests. 

Mobile app developers are not completely without a toolkit. To help app developers deal with CCPA, the developers at Google have released SDKs for both Android and iOS. These SDKs allow publishers to enable parameters that restrict how certain unique identifiers and data is processed in the provision of services. Though when these are turned on, Google will only show non-personalized ads – a factor that will be of great detriment to mobile marketers.


Additional Advice:

"<yoastmarkTo minimize chances of being caught out by CCPA, mobile advertisers and app developers should follow these steps:

1)     Re-examine privacy policies – Meticulously check they are compliant with all of CCPA’s required disclosures.

2)     State specific purposes for data collection – User consent must be informed and unambiguous.

3)     Perform a detailed data management framework audit – In order to guarantee that there are no holes in your data management framework, map-out the lifecycle of consumer data-usage, from collection to processing to storage. Use it to identify weak points and vulnerabilities.

4)     Create and update lists of any data-sharing partners – The careful maintenance of one’s own permissions and records is insufficient. When utilising third-party tools, only use those which follow the top industry standards. As part of the data audit, programmatic advertisers should maintain lists of anyone they have shared data with. That includes ad servers, exchanges, DSPs and DMPs.

5)     Treat privacy requests as urgent – Prioritise the management-of and response-to users’ privacy requests. Being too slow to react to a consent withdrawal request could be disastrous.

6)     Reconsider which data is worth storing – Study the types of consumer data already accessed and stored. This includes the look-back period to January 1st, 2019. Companies can reduce the risk of being affected by CCPA by minimizing the data sets they store and deleting those that are non-vital.


Broader Effects on the Mobile Advertising Industry

For advertisers, who have become heavily reliant on the analysis of user data, CCPA is particularly complex.

Section 1798.140(o)(1) of the CCPA bill defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. While this includes standard identifiers (name, address, passport number), it also can be understood to include other types of data that advertisers have become accustomed to utilising (biometrics, audio, geolocation).

CCPA will affect Geolocation Data

For programmatic advertisers, this personal information is an incredibly valuable asset.

Because CCPA is focused on data selling, there are some specific ad tech data uses that do not appear to violate the ruling. For example, because no PII is being sold, if advertisers use the same data in an in-house ad-server (for behavioural targeting or frequency capping) and advertisers are buying against those profiles, no PII is shared with advertisers and users may not be able to opt out. Similarly, category targeting based on user searches or page context does not rely on PII so users cannot opt out.

In addition, using PII from 3rd party data providers to enable on-site targeting as well as sharing data with infrastructure partners (who would be considered service providers) both appear to be acceptable practices under CCPA. These should qualify for “business purposes” exemptions.


A Changing Industry

While CCPA is only intended to protect consumers from California, in lieu of a federal law, CCPA is expected to impact people and companies well beyond the state. Furthermore, a slew of states, including Washington, Virginia, Nebraska, and New York, are proposing their own privacy bills. While it is unclear which bills will be passed into law, each will likely have different requirements to California’s ruling.

With this in mind, it is advisable that mobile advertisers and app developers do not merely do the minimum required. Instead regard CCPA as a tipping point and prepare for widespread changes in the way governments treat privacy.


CCPA Today

CCPA is still very much in its infancy. While the ‘45 Day Comment Period’ has ended, bills of this nature are complex and further revisions and clarifications are expected. The California Attorney General has confirmed that widespread enforcement is not due until July while emphasizing that the remaining months should not be treated as a grace period. If your mobile business operates in California, act now.


Further reading:

Based in our Berlin office, Aparna leads the marketing team at Applift.