CCPA for app and SDK publishers
The California Consumer Protection Act, abbrev. CCPA will usher in a “new turning point” citing Appsflyer in the world of data privacy. It appears to be the next greatest development in data privacy protection laws since the sweeping impact of GDPR. The new privacy law became effective recently even though it has been a talking point since 2018.
Consumer privacy will stimulate the marketplace
While it is called the California Consumer Protection Act, California is not the only state that will be impacted by changing data laws. CCPA is setting the trend elsewhere in the United States. States such as Nevada, New York, and Washington will soon draft legislation for similar consumer protections. The web is civilizing, in a sense. Privacy protections give software new rights that may also slow the threat of cybercrime in some respects. Lowered cybercrime rates can stimulate the marketplace.
Citing Herjavec Group, cybercrime is the biggest threat to any company on the planet. It is expected to cost $6 trillion annually unless there are drastic changes in the opportunity for cybercrime. Get the entire Herjavec Group 2019 Official Annual Cybercrime Report for more information.
Likewise, CCPA reach will not only impact the 40 million people who reside in California. Fast Company reports that the law will have state-external reach similar to that of GDPR.
GDPR set up a platform, CCPA is an enforcer
As GDPR sets in motion this revolutionary definition of data rights, the CCPA is the action needed to enforce it. GDPR, whether you were impacted by it directly or not, laid the groundwork for understanding basic human rights as they translate to the digital plane.
The fine print of the CCPA
To understand the California Consumer Protection Act we need to know the plain text, the subtext, the superscript, punctuation and the whole of it. Understanding the law as it is written helps us to form a clear picture of how to comply with it.
The amended bill text of the CCPA can be read at California Legislative Information. The law went into effect on January 1, 2020. In brief summary, the law grants the data consumer various rights regarding how their personal information is used by a business. This includes the reserved right to demand a business delete all of the data they have stored on file regarding the consumer.
The individual sections of the law detail the rights that consumers have to request the deletion of their data. It also details, in Section 3 of the law, Section 1738.110 of Civil Code. This section details all the provisions that CCPA will make for data storage and use full disclosure to the consumer. Businesses are required to make these disclosures so that the consumer may make the most informed decision possible. These are broken down as follows:
- The categories of personal information that it (the entity) has collected about the consumer.
- The categories of sources from which personal information is collected.
- The business or commercial purpose for collecting and selling personal information.
- Categories of third parties with whom the business shares personal information.
- The specific pieces of personal information the business has collected about that consumer.
The law goes on to detail that the business must provide the specifics of each data transaction upon the consumer’s verifiable request.
The business is also prohibited to sell a consumer’s data to a third party for a commercial purpose if the consumer is under the age of 16. Unless the consumer, ages 13-16, or the consumer’s legal guardians, under 13, have authorized the data transaction.
How the CCPA applies to app and SDK publishers
CCPA compliance may feel like a fine hair-split for the app and SDK publisher. Especially in industries such as advertisement, sales, and chat apps where consumer data collection and temporary storage is needed to power the app correctly. Nevertheless, CCPA will act as a suit of armor for the protection of data and the deterrent of hacker crime within your app.
Preparing for the CCPA
Now that you know the text and the particulars for app publishers and SDK publishers it’s time to lay out an action plan. It’s important to make a rapid response because of the fact that the law details this information must be disclosed upon receipt of a consumer data information request.
The age of “right of opt-in” and verifying a consumer’s age will become especially important to app publishers. Many apps require the transfer of large amounts of data between many components to function as desired. The app market will likely change to adapt the demand for age verification sophistication to avoid being outside the realm of compliance with this new law automatically through children’s market targeting apps.
Leveraging GDPR for CCPA
Many app-industry executives share the common opinion that CCPA preparation can follow the GDPR preparation model. Some of the following were included in AppFlyer’s CCPA preparation kit:
- Data mapping
- Processes in place to receive and handle data subject requests
- Methods to delete personal information
- Access to personal data information in an actionable format
- Technical measures combined with organization measures to protect personal information
- Privacy notices.
The AppsFlyer article details the exact potential methods needed to execute this drop list. GDPR-prep had companies complying with data transparency at the awareness-level. Data-storing companies were tasked with making data reportage simple and easy to access.
Google AdMob Help
Tech giants release CCPA assistance guides as well now that the new law is in effect. Following what the major tech companies are doing can help you to mirror their process and adapt accordingly. Google announces through the AdMob Help page that their company disallows all interest-based audience targeting when a user is engaged with the new restricted data processing mode.
Restricted data processing mode allows app and SDK publishers to select “Do Not Sell My Personal Information” as an option.
Google AdMob has also employed a third-party data sale restriction. If data restriction is enabled, AdMob will pass information over the SDK to Open Bidding. Then, Open Bidding mediation is moderated as follows:
- Open bidding is disabled. No callouts are made to Open Bidders.
- Third-party authorized buyers are disabled. No RTB callouts are made to Authorized Buyers.
- Mediation is still enabled.
From this example, we can see that Google is using SDKs to employ some restrictions to data bidding while also keeping other functions open. This is a functionality indicator and a market indicator. Functionality, in that, it shows how the future of CCPA can be made to work seamlessly with other parts of the business model. An indicator of the marketplace, in that, it shows us the role that SDKs will take in the future of enforcing CCPA.
It is vital for internet-based companies to leverage and learn new ways of storing data to retrieve at a moment’s notice. CCPA is the first of many laws that will alter the way business is conducted online. SDK publishers can leverage this time to publish tools that will assist the data collection and representation process for direct consumer privacy reports.