What is CCPA and How Can Your Business Ensure Compliance?

The California Consumer Privacy Act, better known as CCPA, was enacted in 2018 and provides new privacy rights to consumers living in California.

The California Consumer Privacy Act, better known as CCPA, was enacted in 2018 and provides new privacy rights to consumers living in California. This and other consumer data and privacy laws impact all facets of digital marketing around the world.

From advertisers to publishers, 2020 has been all about making sure that all aspects of a business are in compliance with these regulations in order to preserve and grow revenue streams.

So, why are we talking about CCPA right now?

It’s going to start impacting businesses sooner rather than later. CCPA went into effect on January 1, 2020. Enforcement of compliance with the law begins on July 1, 2020, meaning that advertisers and publishers alike need to get in compliance.

Rakuten Advertising is committed to keeping you informed on the nuances of these laws and providing you with strategies that support compliance and position you for future revenue growth.

On that note, let’s get CCPA compliance-ready together! 

The California Consumer Privacy Act: A Refresher on the Basics

  • CCPA laws apply to the protection of “personal information” for California residents. The CCPA gives consumers protection of the following 4 rights:
  1. The right to “Opt-Out” from the collection of their personal information/data
  2. The right to access their personal information/data; under this section, the consumer has the right to:
    1. Know which data/information has been collected, stored, and sold.
    2. Request access to the personal data collected.
    3. Request to correct the personal data/information collected.
  3. The right to request that a business, another business, or third party “NOT SELL” personal information/data which has already been collected.
  4. The right to request their personal information/data be deleted.
  • Opt-out” vs. “Opt-in” – Unlike the EU’s GDPR laws under which consumers must have some legal right to collect and use information – in most cases for ad tech, this means consent, or ‘opt-in” to their personal information being collected. The CCPA, on the other hand, requires an opt-out. Consumers must be provided the right, accessibility, and proper transparency to opt-out of the sale and collection of their personal information.
  • Enforcement of compliance with the regulations take effect on July 1st, 2020. Regulators are also enforcing a look-back window for compliance with the regulations dating all the way back to January 1st, 2020 when the CCPA officially became part of California law.

Who does the CCPA apply to? And how does the CCPA define “personal information?”

  • All brands (publishers, advertisers, Internet websites, and apps, etc.) that do business with California residents are required to be in compliance with the CCPA.
  • Personal Information is “information that…(directly or indirectly)…is reasonably capable of being associated…with a particular consumer…include[ing]….information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”

How does the CCPA define “sale” and “collection” of data collected?

  • Sale is defined as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
  • Collection is the “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.”

What “personal information” does Rakuten Advertising collect?

  • RMUID – This is a unique identifier assigned to a user once a transaction converts and an Order ID is generated and is often used to further analyze partnership optimizations
  • IP Address – This is collected for several reasons; the most common of which being the ability to identify the location of the user/consumer for compliance purposes under regulations like CCPA and GDPR; it’s also used to improve the quality of our affiliate network within certain fraud-detection best practices deployed by internal Network Quality teams. This is used to improve the quality of our advertising platform.
    • For Example: Rakuten leverages consumer data to fuel our publisher products and technologies such as, Consumer Graph, Dynamic-Ads, Placements Marketplace, AI & Machine Learning, and Matchmaking. Review our Services Privacy Policy for a thorough explanation of how Rakuten Advertising collects and uses information.

What are the regulatory and industry consequences of non-compliance?

  • Civil penalties can range from $2,500 for a nonintentional violation to $7,500 for an intentional violation.
  • The CCPA also contains a private right of action that consumers can bring under certain circumstances if a business experiences a data breach.
  • Advertisers are more likely to optimize partnerships with publishing partners that meet appropriate compliance requirements claiming that it’s “better to be safe than sorry”

As a publisher, you may be asking yourself: “So, what does this mean for me and my business? How do I know what steps to take to be CCPA compliant?”

Great questions. Let’s break it down:

To begin, you should determine which category your business falls under.  What companies do with this data will determine the requirements they must follow to be compliant and designates 1 of 3 categories under which each will fall: “business” (e.g. Rakuten Advertising), “service provider” or “third-party.”

  • Regardless of publishers’ assessment of their own status, Rakuten Advertising and its publisher partners are Businesses under the interpretations of the CCPA laws as both business types collect personal information that may be “sold” to third parties. Because Rakuten Advertising is a Business, it’s required to provide consumers with explicit notice of data collection, the opportunity to opt-out and exercise their rights BEFORE the point of data collection.
  • For more information, refer to this Q&A from our General Counsel, Chris Lin.

Publishers Have Three Options for CCPA Compliance

Option 1: Affiliate Link Opt-Out Signals (Preferred Option)

Include a link to your company privacy policy on each page of your website; your company privacy policy must reference Rakuten Advertising’s data collection as well as a link to the Rakuten Advertising privacy policy.

SAMPLE LANGUAGE: “We partner with Rakuten Advertising, who may collect personal information when you interact with our site. The collection and use of this information is subject to the privacy policy located here.”

Publishers must also collect an opt-out signal from the consumer and pass consent information to Rakuten Advertising using the consent parameter “cnst.” For more information, please visit the Rakuten Advertising Help Center.

Option 2: CMP Integration

If you are already using a consent management platform (CMP) for GDPR, there may be integration opportunities with your existing tool, depending on your CMP. You can contact the publisher support team at to determine if there are integration opportunities with your existing CMP tool.

Option 3: Rakuten Advertising Disclosure & Opt-Out Link

Include a “Your Privacy Rights” link on each page of your website, which directs to a page that provides the following disclosure:

“The below companies may collect personal information when you interact with our digital property, including IP addresses, digital identifiers, information about your web browsing and app usage and how you interact with our properties and ads for a variety of purpose, such as personalization of offers or advertisements, analytics about how you engage with websites or ads, and other commercial purposes. For more information about the collection, use and sale of your personal data and your rights, please use the below links.”

As well as links to both our services privacy policy and our user rights / opt-out page.

Michelle Attar is the Regulatory Operations Manager at Rakuten Advertising. She graduated from The University of Michigan in 2009 with a B.A. in the English Language & Literature, and she is currently pursuing her Master’s of Engineering Degree in Cybersecurity Compliance & Policy at The George Washington University.

Set your business up for success by becoming compliant. Contact a Rakuten Advertising representative for support & set up a call to discuss your business’ needs today!

Avatar of Rakuten Advertising
Rakuten Advertising

Rakuten Advertising leads the industry in delivering performance-driven ad solutions that help the world’s top brands connect with unique, highly engaged audiences – from first impression to final sale.