,

A Complete Guide For POPI Act Compliance

Imagine getting ready for POPI Act compliance in a short period of time. GDPR compliance took you a lot of time and money. Now, the POPIA – Protection of Personal Information Act has gone into effect on Jul 1, 2020. And, enforcement began on July 1, 2021. You do not have much time. You have several other priorities as well. What if you could follow a simple step-by-step process to get ready for POPI Act in one week?

Or even better..   What if there is a complete guide for POPI Act compliance?   … and each of these 17 steps are easy to follow and implement. Nearly all of these 17 steps cost you no additional money. You are probably eager to read and follow these steps.

 

 

 

 

This is exactly what I am going to share with you in this post. 17 practical and actionable steps that you could use for POPI Act Compliance in One Week or Less.

…and once you are done, please share and comment on how long it took you to get ready for POPI Act compliance using these 17 actionable steps.

1. Does POPI Act compliance apply to your business?

Look, there is a lot of data and blogs out there that outline the law. They detail out how POPI Act applies to your business. For example, you are a business in South Africa, or a NPO, or a government entity, or a Section 21 entity, or simply a HOA, and irrespective of whether you collect personal information or not, you need to be POPI Act Compliant.

Let’s make this as simple as an easy button. Every entity private, public, non-profit, or for profit, must comply with the POPI Act.

Is your business in any way related to California?

If your answer is No, then what are you still doing here? Go and play a round of golf. Let me explain my usage of the word related. It means your business is registered in California. Or, you have revenue from California consumers. Or, you pay any taxes in California. Or, you own any property in California. Now, the next questions get a bit tricky….

 

 

Is your annual revenue in the next twelve months more than $25 Million?

If your answer to this is Yes, then skip this section and move to step 2. I simply ask you to start taking action. You now have one more urgent project. This question is tricky because it may not be California based revenue. Rulemaking from California AG is completed. It is fair to assume $25 Million in total revenue.

 

Based on your current projections if your annual revenues are likely to exceed $25 Million, then you must have CCPA compliance. My recommendation is to start taking action if your revenues are likely to exceed $20 Million.

Do you have more than 961 visitors on your website from California in the last 7 days?

This is easy to check.

  1. Login into your Google Analytics
  2. Navigate to Geo -> Location and Click on California
  3. Select last 7 days timeline for the report
  4. Check the number of users when you move your cursor to California
  5. Is this number more than 961?

does you need CCPA compliance?

Does your company need CCPA compliance? Determine that by the number of users on Google Analytics. If your answer is Yes, then skip this section and move to step 2. Start taking action. If you do not use Google Analytics, then check for this with your web marketing team.

Do you have more than 50,000 customers in California? Check your CRM.

If you have access to your CRM system, then login to your CRM system. Create a report that includes contacts, leads, for the past 12 months. Filter this report for California. Get a total count. Does this count exceed 50,000? If the answer is Yes, then skip this section and move to step 2. And, start taking action.

 

Or alternately check your email marketing system like MailChimp. Do you market and send your newsletter or emails? Do you send emails to 50,000 email addresses that are likely located in California? If the answer is Yes, then start taking action.

 

 

Are you are still reading this section?

Are you a software company dealing in data as the new oil? Boy-o-boy. We can send you a pdf version of this blog. Get a cup of coffee. Start taking action.

2. Deploy CCPA privacy request intake on your website

Privacy requests are new. Your business is required to provide this on your website. Either a web form, phone number, email address, or a mailing address. You could do a combination of one or two of these mechanisms. Check out our detailed blog on CCPA Privacy Request Management.

No business can estimate the number of requests. Plan for 5-10% of your users to send privacy requests. We stay optimistic and expect a much lower request intake in 2020.

Option 1: Create a web form similar to this and deploy it on your website.

Do you have a WordPress website? Simply deploy a forms plugin – WPForms or Ninja Forms.

Create a form for CCPA privacy intake and manage your requests using WordPress. Include basic email verification. Here is an example form:

CCPA Compliance Privacy Request Intake Form

CCPA Compliance Privacy Request Intake Form

Option 2: Sign up to Essert.io

The app is easy to setup. It scales your workflow. Essert provides 13 pre-built email templates. And, it is free to use.

CCPA Compliance: Privacy Requests Management Application

CCPA Compliance: Privacy Requests Management – Sign Up It is Free.

Option 3: Sign up to one of several vendors

Several vendors started with GDPR. They also support CCPA. While many of them provide a free trials, as of this update, none of them provide free intake management software. Essert.io delivers a free app.

Option 4: Review this blog and create your own privacy request management system

Enough said. Need more information on how to manage the intake of privacy requests? Check our blog. Time to move to the next section.

 

3. CCPA Compliance needs categories of data you collect

CCPA (California Consumer Privacy Act) provides the requester a right to know categories of data you collect. Reach out to your digital marketing team for any help. List all the categories of data you collect. Let’s get started.

 

Here is a sample list of categories that you could use:

  • Internet or network activities
  • Device-specific information
  • Commercial information (ex: orders, history, credit card data, etc.)
  • Identifying information (ex: email, phone, etc.)
  • Health information
  • Biometric information
  • Fitness information
  • Professional or employment-related information
  • Educational information
  • Geolocation information
  • Audio/Video information
  • Automotive information
  • Information users share
  • Information to process privacy requests

Now create your own list of categories. The next step is to create an email template that includes your list of personal information categories that your business collects. Create an email template with categories of information collection. Why should you create email templates? Here is a sample email template…

Email templates are important to deliver consistent responses to consumers.

 

Subject:  Privacy Request – Categories of Information Collected 
Message:
Hi {Name},
We received a privacy request from you regarding the categories of personal information we collect. We collect the following categories of information:
 - Internet or network activities
 - Device type information
 - Commercial information (ex: orders, history, credit card data, etc.)
 - Identifying information (ex: email, phone number), and
 - Information to process the privacy requests

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

You may have to create multiple email templates for each requester type. Each of these templates may differ on categories of information collected.

4. List reasons for collecting data by category

CCPA provides the requester a right to know why your business is collecting data. A few businesses collect data to sell as data brokers. Get started. Let’s make it a simple one-time process. You may need help from your digital marketing team. Here is a simple list of all the reasons for collecting data. Get started.

 

Please use this list to get started with your own list.

  • To Enforce Policies, Terms, and Conditions
  • To Track and Monitor Website Usage
  • To Analyze Website Visitor Behavior
  • To Improve Website Performance
  • To Improve Visitor Engagement
  • To Service Customers
  • To Provide Sales and Support
  • To Answer Questions or Address Requests
  • To Evaluate Suitable Candidates for Jobs
  • To Create User Accounts
  • To Communicate Marketing and Sales Promotions
  • To Communicate Company Policy Information
  • To Fill and Manage Sales Orders and Support Requests
  • To Write Testimonials
  • To Deliver Advertisements
  • To Get Customer Feedback
  • To Share Data With Data Brokers
  • To Aid in Research
  • To Aid in Behavioral Analysis
  • To Process Privacy Requests

Create an email template to communicate with the requester

Here is an example. You may have to create multiple email templates.

Subject: Privacy Request - Collection Purpose
Message:
Hi {Name},
We received a privacy request from you regarding the purpose of collecting personal information. Our purpose of collecting your personal information is as follows:
 - To Communicate Marketing and Sales Promotions
 - To Communicate Company Policy Information
 - To Fill and Manage Sales Orders and Support Requests
 - To Write Testimonials
 - To Deliver Advertisements
 - To Get Customer Feedback
 - To Enforce Policies, Terms, and Conditions
 - To Share Data with Data Brokers

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

5. List all sources of data collection

CCPA provides the requester a right to know sources of data you collect. Reach out to your digital marketing team and list all data sources. Let’s get started.

This is a sample list to get started.

  • Laptops and Desktops
  • Websites
  • Desktop Apps
  • Web Apps
  • Mobile Apps
  • Shopping Carts
  • Phone Calls
  • Fitness Devices
  • Mobile Devices
  • Video Streaming Devices
  • Medical Devices
  • Smart Speakers
  • Smart Toys
  • Security Cameras
  • Wifi Routers
  • Automotive Sensors
  • Smart Sensors & Scanners
  • Tablets
  • Data Services
  • 3rd Party Data Brokers
  • Social Media Platforms
  • Advertising Platforms

Create an email template

Use this example email template.

Subject: Privacy Request - Soruces of information collection
Message:
Hi {Name},
We received a privacy request from you regarding the sources of collecting personal information. Our sources of collecting your personal information are as follows:
 - Laptops and desktops
 - Websites
 - Desktop apps
 - Web Apps
 - Shopping cart
 - Phone calls

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

6. Scan your website and list all the cookies used

Do you have cookies on your website? Nearly all those cookies collect personal information. CCPA compliance requires you to know all your cookies. Why?

  1. Provide a detailed notice of data collection
  2. Service Opt-Out, privacy request
  3. Service Delete My Personal Information, privacy request
  4. Provide personal information stored in these cookies

Note: CCPA does not require you to create an opt-in for cookie tracker similar to GDPR. COPPA and opt-in apply for children.

With the cookie list, you can start an inventory to map the data. Use one of these free tools to know your cookie data stores. Discover all your cookies your website is generating. Scanners generate reports to identify and classify cookies discovered in this process. Next step click one of these tools and get a detailed report.

You may create your own cookie scanner using this open source project.

Read more about CCPA cookie consent management here.

7. List all Cloud and internal apps that store personal information

Data mapping is a secret ingredient to achieve CCPA compliance. CCPA compliance requires:

  1. Where you store data (personal information)
  2. How you process this data
  3. Who you share this data

Step 1 kicks off your data mapping process for the purpose of CCPA compliance. From the previous sections you have the list of cookies on your website. Use this table to document where your cookie data is stored. Nearly all cookies capture personal information.

Cookie NameWhere StoredName of Admin3rd Party (Y/N)
Google AnalyticsAnalytics.Google.comJohn DoeY
Automattic Inc.WordPress.comJane DoeY
comScore Inc.ComScore.comJohn DoeY
FusioS4m.ioJane DoeY

To get all these template and the entire blog as a word document CONTACT US.

Next up, list all cloud applications your business uses. The following table helps you document all your cloud applications.

Cloud App NameName of AdminPersonal Information?
Salesforce.comJohn DoeY
WorkDay.comJane DoeY
Office365.comJohn DoeY
DropBox.comJane DoeUnsure
Slack.comJohn DoeUnsure

Your business has many internal applications. These maybe developed internally or 3rd party licensed software. These may be in your own data center or in your private cloud instance. The following table helps you document your internal applications.

Internal App NameName of AdminPersonal Information?3rd Party?
Microsoft ExchangeJohn DoeYY
QuickenJane DoeYY
KronosJohn DoeYY
WordPressJane DoeUnsureN
InventoryMSJohn DoeUnsureN
CoupaSoftwareJohn DoeYY

All done? Hooray!! For CCPA compliance listing the apps is yet another critical step, and that helps with data mapping.

  1. List all stores of personal information
  2. Data discovery
  3. Starting point to address privacy requests for data, delete data, etc.
  4. Review 3rd party vendor agreements (see below)

8. Review privacy clauses in your service provider or partner agreements

Why? CCPA holds you responsible for all the personal information you store. It does not matter where and which 3rd party touches your personal information. For CCPA compliance it is now necessary to enforce 3rd party CCPA compliance. Third party CCPA compliance implies answer to the following simple questions:

  1. List all stores of data we share with you
  2. How do you encrypt personal information or anonymize it?
  3. Do you have a process to detect and communicate data breaches?
  4. Do you have tools to identify, monitor, and delete personal information?

This may look like a lot of work with each 3rd party. Doing this will ensure protection from liability.

Can one single step solve this?

Yes. Execute an amendment to your current agreement with each of the 3rd parties. Include the following clause in such your amendment. (Please consult your attorney.)

Covenant to SafeGuard Digital Information and CCPA compliance.

(a)         Covenant. Company (3rd party vendor) and any affiliate of the Company each covenant to safeguard of Personal Information (as defined in CCPA California Consumer Privacy Act – AB 375), and to institute a procedure, practice, or technology that safeguards Digital Information, from any digital means (not limiting to personal, network, or cloud means) used by the Company, any subsidiary, any affiliate, or any employee of the Company.

(b)         Data breach or attempt to steal by a person(s) or machines or bot(s). This covenant shall include data breach prevention from any or all thefts or attempts to steal by a person(s), machine(s), bot(s), or a combination thereof.

(c)          Report data breaches, attempts. The Company shall provide a periodic report(s), no longer than each six (6) months of the data breach incident, or an attempt to steal any or all Digital Information. The incident report of a data breach or attempt to steal such Digital Information shall at the minimum, include data and time of the incident, the location of the incident, details of specific Digital Information involved in the incident, the person(s) or bot(s) responsible for the incident, among other information related to the incident. At the discretion of the Company, any data breach or attempt to steal highly confidential information shall be reported immediately.

(d)         Privacy APIs and CCPA Compliance. The Company shall institute a procedure, practice, or technology that addresses privacy requests. These include but not limited to access to all personal information (a minimum of two times a year), acknowledgement to delete specific personal information, acknowledgement to stop sale (or license) of specific personal information to other 3rd parties.

Execute this amendment with each of your 3rd parties for CCPA compliance.

9. Review privacy clauses in your customer agreements

Uh!! What? Why should we amend our agreements with our customers?

This is specifically important for software vendors or (digital) marketing companies. Your customers need to be ready for CCPA compliance. And they are seeking answers to these questions:

  1. Where do you store personal information?
  2. How do you encrypt personal information or anonymize it?
  3. Do you have a process to detect and communicate data breaches?
  4. Do you have APIs to identify, and delete personal information?

Be proactive.

How? Execute an amendment to your current agreement(s) with each of your customers. Include the following clause in such your amendment. (Please consult your attorney.)

Covenant to SafeGuard Digital Information and CCPA compliance.

(a)         Covenant. Company (“Your Company”) and any affiliate of the Company each covenant to safeguard of Personal Information (as defined in CCPA California Consumer Privacy Act – AB 375), and to institute a procedure, practice, or technology that safeguards Digital Information, from any digital means (not limiting to personal, network, or cloud means) used by the Company, any subsidiary, any affiliate, or any employee of the Company.

(b)         Data breach or attempt to steal by a person(s) or machines or bot(s). This covenant shall include data breach prevention from any or all thefts or attempts to steal by a person(s), machine(s), bot(s), or a combination thereof.

(c)          Report data breaches, attempts. The Company shall provide a periodic report(s), no longer than each six (6) months of the data breach incident, or an attempt to steal any or all Digital Information. The incident report of a data breach or attempt to steal such Digital Information shall at the minimum, include data and time of the incident, the location of the incident, details of specific Digital Information involved in the incident, the person(s) or bot(s) responsible for the incident, among other information related to the incident. At the discretion of the Company, any data breach or attempt to steal highly confidential information shall be reported immediately.

(d)         Privacy APIs and CCPA Compliance. The Company shall institute a procedure, practice, or technology that addresses privacy requests. These include but not limited to access to all personal information (a minimum of two times a year), acknowledgement to delete specific personal information, acknowledgement to stop sale (or license) of specific personal information to other 3rd parties.

Execute this amendment with each of your customers for CCPA compliance. You will have an enhanced strategic relationship with your customers. The following sections detail out steps your business needs to do to address these. The result is CCPA compliance and avoiding both civil suits and regulatory penalties.

10. Review the privacy policy on your website

Your website or mobile app privacy policy review for CCPA must include the following:

  1. Information collect on your website
  2. Information on cookies that collect information
  3. Usage of information collected on your website
  4. Category of 3rd parties used to collection information
  5. Do you share information collected with other 3rd parties?
  6. How you store, and safeguard the data

Of course, contact your attorney. Also, several web services generate privacy policies relevant to you. Please review these services:

  1. Termly
  2. Free Privacy Policy
  3. Terms Feed
  4. Privacy Policy Generator
  5. FirebaseApp Policy Generator
  6. Iubenda

While most of the above are for GDPR, you could modify these for CCPA. The key element in reviewing your privacy policies is to ensure that you have two versions of the privacy policy

  • Legal version, and
  • Simple version in plain English

All done? The next step is to send notices with your updated privacy policy.

11. Send notices to partners with the updated privacy policy

Why? We just amended agreements with partners to include – ‘Covenant to Safe Guard Digital Information and CCPA compliance’. What is this new privacy poloicy update notice? A notice should be sent in two forms:

  1. A letter
  2. An email

Create a notification letter, and use the same content in your email as well. Ensure consistency in both the notices. Provide URL links to both the simple version and the legal version.

Step 1: Get a list of addresses (both postal addresses and email addresses)

Step 2: Send out the postal letter typically address to the legal counsel or the President of the company

Step 3: Send out an email (use mail merge)

12. Send notices to customers with the updated privacy policy

Now that you sent out notices to all your partners it is time to repeat this process with your customers. It is likely that you have more than a few thousand customers.

For a large number of customers, it is indeed expensive to send letter notification. Each letter notification is likely to cost you anywhere in the range of $2.00 to $0.50. This could get expensive fairly quickly.

We recommend that you start only with email notification for customers. Please have a way to track number of opens. Send weekly notifications only to those who have not opened the email. Repeat these weekly notification till you reach atleast 30-50% opens. This would likely take about 10-15 weeks. Ensure that you keep a record of this process.

13. Vendor risk assessment

Let’s review step 8 above. In step 8, you created CCPA compliance amendment for execution by each vendor. It is likely that you are able to get 80% of your vendors to sign this amendment. However, this is not enough. There is still a risk of penalties or class-action law suits. It is an operational risk.

The vendor has likely executed the amendment. Is there a way to check their CCPA compliance? This is the tough part. So, you need vendor risk assessment. There are two areas of vendor risk assessment for CCPA.

Area 1: Vendor security risk assessment. How vulnerable is the vendor for data breaches? Making this assessment on a vendor is a difficult operational problem.

Area 2: Vendor privacy request compliance assessment. How well does the vendor comply with the request for personal information? How well does the vendor comply with the request for deletion of data? How well does the vendor comply with the request to not sell personal information?

Several companies offer services to make a 3rd party vendor security assessment for GDPR compliance. The market is still evolving. The following resources provide vendor risk assessment for GDPR compliance. This could be easily extended to CCPA compliance.

  1. ProcessUnity
  2. OneTrust
  3. WireWheel
  4. SecurityScoreCard
  5. IAPP.org

This step is unlikely to be fully automated. Get started and you could make improvements over time.

14. Privacy APIs to access data for Privacy Requests

What are privacy APIs? Privacy APIs is an API framework to address privacy requests. Privacy APIs are new. They are often untested. Three types of privacy requests require privacy APIs. These requests require personal information of the requester:

  1. Request to access all my personal (requester’s) information
  2. Request to delete all my personal (requester’s) information
  3. Request to not sell my personal (requester’s) information

Privacy APIs enable easy and automated access to data in cloud applications. This framework could easily be extended to your business’ own data. (For more information on how to get started with Privacy APIs, please contact us.)

Now you got through 14 steps. It is time to address security

Security is not equal to privacy; and privacy or CCPA compliance does not equal security. Security is one part of privacy.

One key area of CCPA compliance is preventing data breaches. CCPA or AB 375 states

“Any consumer whose nonencrypted or nonredacted personal information … is subject to unauthorized access, theft, or disclosure … result of the business’ violation of the duty to implement and maintain adequate and reasonable security procedures and practices … may institute a civil action…. recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater…” There are several security procedures and practices. DLP, data loss prevention, is a key tool. Data Loss Prevention includes end point protection and network protection.

California Consumer Privacy Act – AB 375

15. Prevent data breaches from your endpoints

Why do you need endpoint Data Loss Prevention ? As part of CCPA compliance, you need to maintain adequate security to prevent loss or theft of personal information. End points – desktops, laptops, and mobile devices, are vulnerable for data theft or exfiltration. End point DLP provides reasonable security to prevent such data breach.

Do you deploy anti-virus protection on all your end points? End point Data Loss Prevention is similar in deployment. Here is a sample list of vendors that provide end point DLP.

Contact us to deploy end point DLP for CCPA compliance.

16. Prevent data breaches from within your network

Have you secured the endpoints? Awesome. It is time to pay attention to rest of your network. Your business needs the ability to proxy, classify, and prevent any unauthorized exfiltration. Benefits of network Data Loss Prevention include:

  • Control traffic on email, HTTP(S), (s)FTP, webmail, web apps, and more
  • Control clear as well as SSL based applications
  • Enforce policies
  • Reduce false positive
  • Prevent insider threats as well as threats from bots
  • Provide forensics where required

Here is a small list of network Data Loss Prevention solutions:

  1. Essert
  2. Symantec
  3. Digital Guardian
  4. Force Point
  5. McAfee

Deploying one of these above solutions implies CCPA compliance. You will also have the ability to fend off any civil suits resulting from potential data breaches.

17. Office 365 DLP to prevents breaches from O365

Office 365 is one of the most widely used applications. Deploying end point DLP and network DLP is not sufficient to prevent exfiltration from Office 365.

Why? Because, Office 365 is a cloud application and can be accessed using uncontrolled end points. @ $2 per user per month, this is an easy deployment and can be completed in less than a week. Depending on your budget you may just deploy Office 365 DLP and phase in end point DLP and network DLP.

Read more about Office 365 DLP here.

Sign Up – Free Forever Privacy Request Management

Press Releases

Read more
,

Helping Publishers with the California Privacy Rights Act (CPRA)

Helping publishers comply with the California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is a comprehensive data privacy law that outlines the legal requirements for businesses that collect consumer information. This online privacy bill was developed by the California legislature to provide more transparency and control over how personal data for the state’s residents is collected and used. Although the consumer protection legislation was passed in June 2018, it never took effect until January 1, 2020. Its enforcement is set to begin on July 1, 2020, thereby giving businesses ample time to comply with the new regulation.

What does the CCPA offer?

CCPA privacy intends to give California residents the right to control how their personal information is used. It defines personal information as any data that identifies, describes, or relates to a consumer or household. Whether directly or indirectly. This includes biometrics, employment data, academic data, geo-location data, email addresses, IP addresses, tracking pixels, cookie ID, web history, shopping history, and other data points used for advertising, marketing, and reselling purposes.

The CCPA grants California residents the following rights:

  • The right to access information – Residents have the right to ask companies what personal data they collect, what data is shared or sold to third parties, and the reason for doing so.
  • The right to opt-out- Residents can ask companies not to sell their information or share it with third parties.
  • The right to data deletion – Residents can request companies to delete all their personal information.
  • Right to non-discrimination – All California residents should receive equal services and should not be discriminated in any way even when they opt not to share personal data.

How do I know if CCPA applies to my publishing business?

CCPA applies to all for-profit companies based in California. It also applies to all out-of-state businesses, including publishers, who sell to California residents. However, the company should also meet at least one of these criteria:

  • Your publishing company has a gross annual revenue of $25 million and above
  • Your publishing company earns more than 50% of its revenue by selling consumer data
  • Your publishing company collects personal information of more than 50,000 users per year.

Tip- If you’re a publisher earning less than $25 million in annual gross revenue but receive above 134 visitors to your site every day, then the CCPA privacy law also affects you.

Why should publishers care?

Most publishers track consumer data for ad tech use. For this reason, they should be well aware and strive to comply with the CCPA regulations. A survey conducted in 2019 showed that 86 percent of companies were not prepared for CCPA. However, most companies had plans to comply with CCPA privacy regulations by the end of 2020.

Publishers found to be non-compliant might be slapped with a legal fine of $2,500 for unintentional violations or $7,500 for intentional violation of the CCPA privacy law. Additionally, consumers have the right to claim from $100-$750 per incident in terms of statutory damages.

How can publishers comply with the CCPA Regulations?

Publishers should maintain CCPA compliance to safeguard their businesses from undesired legal consequences. This starts by understanding data collection and processing practices on Google Analytics, AdManager, or Adsense. Here are some practices that publishers can use to protect consumer data.

  • Controlling data collection on Google Analytics

Analytics collects a wide range of data in cookies, some of which contain personal information. To comply with the CCPA, publishers should add a privacy policy that assures all readers that their personal information will not be used for advertising or selling purposes. Additionally, give your visitors the option to opt-out. This will automatically stop the Analytics from collecting information about user browsing sessions.

  • Enable restricted data processing

Publishers who use Google Ad manager can restrict user data processing based on their compliance obligations. This allows you to filter out traffic coming from California using a network control and serve non-personalized ads. By displaying a “Do Not Sell My Personal Information” link, publishers can effectively advertise to consumers who ask companies not to sell their personal information.

  • Implement a consent mechanism

Another alternative for publishers using Google Ad Manager is to put a consent mechanism in place instead of restricting data processing for all California-based users. This allows users to consent or opt-out of their information being shared with Google and other ad networks.

Conclusion

As with GDPR, CCPA is another push for enhanced consumer privacy. Similar legislation designed to protect user data is appearing in other American states and around the globe. While the legislation will directly impact over half a million businesses, enhanced data security is great for everyone in the long run. Time has come for publishers to place data security and privacy at the core of their business ethos. So, every publisher must prepare for CCPA privacy by assessing their consumer information and embracing compliant solutions while generating revenue.