3 Key Takeaways from California's Consumer Privacy Act


California's State Legislature passed the California Consumer Privacy Act yesterday. While the law does not take effect until January 2020, this is a big deal now for both consumers and data purveyors (including all advertisers, sellers, and intermediaries). But – as with many laws — the devil is in the details. On the surface CCPA looks a lot like GDPR, and will affect many companies, including those not based in CA. However, the size of businesses affected, and the liabilities to be imposed, are quite different from GDPR. This may not only limit which companies comply, but will also likely strengthen the positions of the largest companies in the industry.

The California Consumer Privacy Act of 2018 – Key Components

There are many details to be found by reading the bill in its entirety. For context, here is the pertinent language which defines Californians' privacy protections by Assembly Bill No. 375, now law: 

(i) Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:

(1) The right of Californians to know what personal information is being collected about them.

(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.

(3) The right of Californians to say no to the sale of personal information.

(4) The right of Californians to access their personal information.

(5) The right of Californians to equal service and price, even if they exercise their privacy rights.

1. GDPR-ish

On the surface, CCPA sounds an awful lot like GDPRHowever, things get very different when looking just a little deeper. 
Perhaps most importantly, CCPA only applies to companies with more the $25mm annual gross revenue. Once that threshold is crossed, the liability is $100 – $750 per consumer, per incident. Far smaller than the draconian sums threatened by GDPR. 

Further, while consumers can request that their information be deleted, and the company in possession of that information must comply with that request – companies are not required to get consent prior to collecting consumers' information. 

2. How Will This Play Out? 

The answer to this depends on who you are. 

This new law makes Oracle's acquisition of GrapeShot look even smarter. Additionally, it will likely have the unintended consequence of benefiting the entrenched players: Facebook, Google, Amazon, Axciom, Oracle, all the other big DMPs, and the large publishers who can collect large volumes of first-party data. With the scale to implement strong first-party data solutions, they may raise their walls ever higher, making a reasonable claim that they have an obligation to limit shared data. 
The smaller publishers are likely to be unaffected right now, as they do not reach the $25mm annual revenue floor. However, over a short period of time, CCPA will likely affect any publisher who uses audience data. Advertisers, agencies, and/or data intermediaries will begin to insist upon stricter scrutiny and compliance.
The biggest impact will likely be felt by every other company in the US. Any company with a website will now have to monitor how their data is being shared. Every retargeting campaign that started with first-party data has to be reconsidered. Every pixel on their site now needs to be monitored to understand data sharing and leakage risks. This again probably helps incumbent players, but will likely also create more data partnerships and co-ops amongst big brands, allowing them to bring more control in-house. 

3. What Happens Next? 

There will be a lot of analysis in the coming days. Questions, breakdowns, expert weigh-ins, what-ifs, challenges. Regardless, there is no doubt that the issue of consumers' data privacy will continue to grow in importance and in volume. Companies – including us here at Industry Index – who are focused on helping businesses comply with these growing pressures, will be well positioned. 

Tech Categories


Jonathan Shaevitz
Jonathan Shaevitz
A MadTech veteran, corporate leader and advisor, and a product guy at heart. Tech background includes DSP, SSP, and all things programmatic. Recently fascinated by the proliferation of Content Marketing, AI and Chatbots.