Brands have until July 1, 2020 to ensure full compliance with the latest data privacy law, the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. For this post, we sat down with our General Counsel, Chris Lin, to answer the most pressing questions about how brands can ensure they’re CCPA-compliant.


1. Q: What is CCPA?

Chris: The California Consumer Protection Act is a law designed to give California residents additional rights over the use and sale of their personal information. This means that consumers will have specific rights over any of their personal data that a brand has collected, such as:

  • The right of access: This means consumers will be able to access their collected data as well as to inquire on how their data will be used.
  • The right of deletion: Consumers will be able to request deletion of any collected data. However, there are exceptions that may allow brands to do business. For example, a brand offering a coupon would be able to use this information in order to complete a transaction for the consumer, or a financial company needing to complete a transaction would be permitted to retain consumer data, as would a firm that requires this information for security or legal compliance purposes.
  • The right to opt-out of “sales”: This right is what we expect will impact brands the most. Consumers will have the ability to opt-out of their data being “sold” from a business to a third party.

2. Q: When does CCPA go into effect?

Chris: January 1, 2020, but brands will have a six-month grace period on enforcement.


3. Q: Who is impacted by CCPA?

Chris: Any brand doing business in California that collects, sells or buys personal information from online consumers is going to be impacted in some way. What brands do with this data will designate the requirements they must follow to be compliant, and each brand will fall under one of three categories: “business,” “service provider” or “third-party.”


4. Q: How do brands know which category they belong to?

Chris: As I mentioned earlier, these categories are based on the use of consumer data. While each company should consult their legal department to determine where their business sits, I’ve outlined the definitions below.

  • “Business”: A for-profit entity doing business in California that collects consumers’ personal information itself or on the behalf of others (either alone or jointly) and:
    • Has gross revenue above US$25 million; or
    • Annually buys, sells, receives or shares personal information from more than 50,000 consumers, households or devices for commercial purposes; or
    • Has more than 50% of annual revenue derived from selling personal information.
  • “Service Provider”: A for-profit entity that processes information on behalf of a business. A “service provider” is a business that receives information for business purposes or pursuant to a compliant contract.
  • “Third Party”: Neither a business that collects personal information from the consumer nor is a service provider.

Something to note here, adtech companies can fall into different categories at different times depending on what they’re doing with the data at any given moment. Also, it’s suggested that if brands use collected personal information for advertising purposes, it’s best that they categorise themselves as a “business” or the value of their advertising will be limited (see Q6 for more detail).


5. Q: How will CCPA impact brands?

Chris: CCPA will have a large impact on digital advertising as it brings new regulations that restrict how brands collect and manage consumer data that is used to drive relevant advertising. Most immediately, brands will need to ensure that:

  1. They’re prepared to serve the required “opt-out” option to California residents by January 1, 2020 when CCPA takes effect.
  2. They’re able to pass on any required signals (i.e. a consumer has opted-out, requested deletion, etc.) to their partners/tech companies.

6. Q: Will this negatively impact brands’ advertising efforts?

Chris: The way we see it, no. But, being an attorney, I must beg your patience for a two-part answer.

  • Part 1: If a consumer does choose to opt-out of sales, then advertising to that consumer will obviously be affected because they have chosen to negate their data being collected or sold. Delivering relevant advertising requires the collection of data from consumers when they visit a brand’s website. This collected data is used to better understand brands’ ideal consumers’ shopping habits. Once identified, this data can be used to create advertising that will attract other consumers with similar shopping habits – meaning consumers that are more likely to engage and convert. Without this data, relevant advertising cannot be accomplished.
  • Part 2: CCPA can ultimately improve the advertising ecosystem for both the consumer and business. For brands, it eliminates consumers who aren’t really interested or engaged with advertising promotions – meaning brands will now more easily know which consumers are open to personalised advertising or offers. In the end, we see CCPA as a way for brands’ ad dollars to reach more of the “right” consumer; therefore, increasing their ROAS.

Ultimately, it is our hope that CCPA will bring more transparency and rights into the use and sale of consumers’ personal information, while allowing businesses to get more bang for their advertising buck.


7. Q: What can a brand do and not do with a user’s personal information if they opt-out of sales?

Chris: If a user opts out of sales, that does not mean that a company is required to delete this information or refrain from its use (unless the consumer exercises their right to ask for their collected data to be deleted). What it does mean is that their personal information cannot be further used or repurposed for a commercial gain.  For example, if a brand advertises 20% off a pair of shoes, it can still complete the consumer transaction, as well as pay the commission to the company that presented the ad; however, neither the brand nor the commissioned company may use any personal information of that consumer beyond fulfilling this transaction.


8. Q: What are the impacts of non-compliance?

Chris: As is the case with many laws, the action taken will depend on the severity of the infraction. Here’s a run-down of the enforcement mechanisms in the CCPA.

  • Private enforcement: CCPA empowers consumers to file their own lawsuit in the event of a data breach, allowing consumers to recover up to US$750 per incident or actual damages, whichever is greater.
  • Governmental enforcement: The State’s Attorney General can also file a civil case. Businesses have 30 days to fix their non-compliance or be liable to pay fines up to US$7,500 per violation.

9. Q: What is required for advertisers to fulfil the CCPA requirements?

Chris: Advertisers will need to determine what category they fit best under (see question four), but any advertiser collecting and providing information to a partner will likely be considered a “business.” These advertisers will also need to provide explicit notice and an opportunity to opt-out to consumers. This way, the CCPA requirements have already been fulfilled before consumer data is collected and sent off to another party for advertising purposes.

We have seen some advertisers choose to geo-block California-based traffic or suppress California-based traffic when passing the collected data to another party.

On a high level, the following are solutions brands can take to ensure compliance:

  1. CMP integration: For advertisers already using a CMP tool previously created for GDPR, there may be integration opportunities.
  2. Pass signals via JavaScript tag: Advertisers can leverage an existing tag to pass consent information to partners. Advertisers must collect an opt-out signal from the consumer to be passed as variables in a JavaScript tag.
  3. Disclosures and opt-out link: Advertisers can include a “Your Privacy Rights” link on each page of their website which will lead users to a disclosure revealing what companies may collect their personal information when they interact with their digital property. In our disclosure, we’ve included what kind of personal information is being collected (IP addresses, digital identifiers, etc.) and what this information will be used for (personalisation of ads, analytics on how they engage with websites and ads, etc.).

Regardless of what option advertisers take, we recommend that advertisers include a link to the company’s privacy policy on each page of their website, and for their privacy policy to reference Rakuten Marketing’s data collection and a link to our privacy policy.

For Rakuten Marketing advertisers, an email has been sent with more information about how new CCPA requirements affect them.


10. Q: What is required for publishers to fulfil the CCPA requirements?

Chris: For publishers that categorise themselves as a “business,” they will need to disclose privacy rights through a link on their site and give users the option to opt-out of tracking or prevent the sale of their personal data.

Publishers will be relieved of this obligation if they block traffic via IP addresses for users in California. The options we’re suggesting for our publishers are:

  1. Affiliate link opt-out signals: Include a link to the company’s privacy policy on each page of their website. This privacy policy will reference Rakuten Marketing’s data collection and a link to our privacy policy. Publishers will also need to implement some way to collect an opt-out signal from the consumer to pass consent information to partners.
  2. CMP integration: For advertisers already using the CMP tool created for GDPR, there may be integration opportunities.
  3. Disclosures and opt-out link: Advertisers can include a “Your Privacy Rights” link on each page of their website which will lead users to a disclosure revealing what companies may collect their personal information when they interact with their digital property. In our disclosure, we’ve included what kind of personal information is being collected (IP addresses, digital identifiers, etc.) and what this information will be used for (personalisation of ads, analytics on how they engage with websites and ads, etc.).

In response to the requirements of CCPA, we have updated our publisher membership agreement (PMA), and this updated PMA went into effect on January 1, 2020.  The biggest substantive change to our PMA is the language, which was updated to meet the notice and opt-out requirements needed to comply with CCPA.

For Rakuten Marketing publishers, an email from us communicating this information with a link to the new PMA has been sent. For any further questions, publishers can always reach out to their publisher development manager or our publisher support team at uspubsupport@rakuten.com.


11. Q: How will brands pass on proper signals to their partners?

Chris: There is still work to be done and some ambiguities around how companies can ensure compliance. Yet, similar to the industry work behind the CMP tool for GDPR, groups like the IAB and ANA are working to create a universal set of signals to allow partners and clients to pass along opt-out and delete requests. There is currently a compliance framework for CCPA the IAB/IAB Tech Lab has drafted that has a standardised contract for use between publishers and their partners and a series of technical specs so companies can follow through on the contract. Additionally, the digital advertising alliance (DAA) is offering a compliance tool that will allow publishers, brands, agencies and adtech companies in the digital supply chain to provide consumers a clear and recognisable mechanism to opt-out of sales. We will be looking towards these groups to assist in providing tools and other material to guide the industry on best practices for compliance.


12. Q: What does Rakuten Marketing require of its advertiser and publisher partners to be compliant?

Chris: Any partner that has Rakuten Marketing providing tracking on their site will need to include a “your privacy rights” link on any page where data is collected. This link will take consumers to Rakuten Marketing’s privacy policy and an opt-out page. For brands that are collecting  opt-outs on their own, we require that they implement a way to pass opt-out signals to us via the IAB’s CCPA compliance framework. We also require that brands who don’t have a pixel on their site, but are directly providing us with conversion information (e.g., API) implement a way to pass opt-out signals to Rakuten Marketing via the IAB’s framework.

In May 2018, to assist brands to comply with GDPR, Rakuten Marketing developed a consent management platform (CMP), but we didn’t stop there. We also created “wrappers” that work with other third-party CMPs to help support the compliance efforts of brands. While CCPA does not require upfront consent from the consumer, Rakuten Marketing is committed to promulgating transparency in what is often considered the opaque world of adtech. As such, we are working closely with publishers and brands in our network to provide access to our privacy policy and opt-outs to consumers at the first opportunity.


13. Q: How does CCPA affect brands outside of the US?

Chris: Any brand that does significant business with consumers who reside in California is required to be compliant with CCPA, regardless of their location, and the requirements to ensure Rakuten Marketing campaigns are compliant are the same as outlined above. Significant is defined by businesses that “annually buy, receive, sell or share personal information of at least fifty thousand California residents.”


14. Q: Is there a chance of this privacy policy advancing to a federal level?

Chris: Most say that if there is a chance, it’s a long way away. However, there are already many other states adopting similar privacy regulations. Nevada already has one in place, while Hawaii, Maryland, New Mexico, Washington and others have similar laws under draft. Brands should, if they haven’t already, accept that privacy regulation is becoming not only a federal concern but a global one as well. GDPR has already gone into effect and new international laws are being made in Brazil, New Zealand and Bahrain, among others.