Privacy Updates | June 30, 2020 | 3 min read
What CCPA Means for Marketing Technology Companies
On July 1st, California will begin its “official” enforcement of the California Consumer Privacy Act (CCPA). In other words, it’s the date all companies will go “without a net” on their compliance with this new law.
Fortunately, Zeta is ready for the legislative change, having completed the bulk of our CCPA preparations prior to the start of 2020.
In its most basic form, CCPA creates rights for California residents modeled on the rights created by existing, but disparate, privacy laws (e.g. GDPR).
In light of GDPR and other international privacy laws, Zeta decided to extend the rights of CCPA to all consumers in our database, not just those in California.
As the owner of first-party marketing data, Zeta created two ways for consumers to exercise their right to privacy.
#1 – For data in the Zeta Data Cloud held in an identifiable format, there is a request process for consumers to complete.
#2 – For data in Zeta’s programmatic engine held with pseudonymous identifiers—but not linked directly to identifying information—there is a rights request page. This page allows consumers to read their cookies in real time, see personal data displayed back, and decide what they want to do with it:
Taking things a step further, Zeta also revamped our online privacy policies and internal guidance, while simultaneously ramping up the time we spend talking with clients about how CCPA can be managed at the ground level.
Which brings us to the topic of client-owned data.
Under the CCPA, Zeta is a “Service Provider” with respect to client-owned data.
When client data is loaded into Zeta’s environment, it’s stored in a secure silo, isolated from Zeta’s first-party data, and from data belonging to other Zeta clients. Zeta does not repurpose this client data, rather, Zeta maintains it to provide services on behalf of the clients who own it. This segmentation protects our clients in a number of ways:
Thus far, Zeta has received over 8,000 data-subject action requests, providing us with an unexpected but valuable opportunity to stress test our readiness for CCPA.
In short, Zeta responded to the 8,000+ requests within the timeframe allowed by the CCPA, so we feel very ready for the July 1st deadline.
As any privacy professional in the United States will tell you, CCPA won’t be the end of the story.
In fact, California has already certified a new ballot question for November regarding the option to adopt a “CCPA 2.0,” known as the California Privacy Rights Act, which would further push California toward European privacy standards.
CCPA 2.0 will more closely align California’s digital privacy laws with the European Union’s GDPR. It will take enforcement of the CCPA away from the California Attorney General, and put enforcement in the hands of a new state agency (almost like a digital privacy Highway Patrol if you will).
It will also create additional restrictions around the collection and use of sensitive data, which includes data that could be used for identity theft, or to materially disadvantage or harm a person.
And that’s just in California. There are CCPA-like laws being introduced in more than two dozen states, and there are drafts of similar bills appearing at the federal level as well.
At Zeta, we embrace this changing landscape, and we’ve made “privacy-by-design” an inherent part of our culture. Moreover, it’s why we employ a team of privacy professionals with more than three decades of collective experience to assist our engineers and product development teams.
As explained by our Chief Privacy Officer, Ben Hayes:
“Our team is closely involved with the technology innovation process at Zeta. We work with the people who are actually developing the marketing technologies of tomorrow, and we help shape their thought process about how those solutions need to work in terms of protecting consumer privacy. We’re always trying to position ourselves to comply with not only the rules that are in force today, but the rules that may be coming next month or next year, and to provide consumers a good experience when interacting with Zeta by being transparent about our practices and giving consumers control over data that relates to them.”
Fortunately, Zeta is ready for the legislative change, having completed the bulk of our CCPA preparations prior to the start of 2020.
What is CCPA?
In its most basic form, CCPA creates rights for California residents modeled on the rights created by existing, but disparate, privacy laws (e.g. GDPR).
Zeta’s approach to CCPA
In light of GDPR and other international privacy laws, Zeta decided to extend the rights of CCPA to all consumers in our database, not just those in California.
As the owner of first-party marketing data, Zeta created two ways for consumers to exercise their right to privacy.
#1 – For data in the Zeta Data Cloud held in an identifiable format, there is a request process for consumers to complete.
#2 – For data in Zeta’s programmatic engine held with pseudonymous identifiers—but not linked directly to identifying information—there is a rights request page. This page allows consumers to read their cookies in real time, see personal data displayed back, and decide what they want to do with it:
- Export a copy of the data
- Delete the data
- Opt out of the data being used for online behavioral advertising
Taking things a step further, Zeta also revamped our online privacy policies and internal guidance, while simultaneously ramping up the time we spend talking with clients about how CCPA can be managed at the ground level.
Dealing with client-owned data
Which brings us to the topic of client-owned data.
Under the CCPA, Zeta is a “Service Provider” with respect to client-owned data.
When client data is loaded into Zeta’s environment, it’s stored in a secure silo, isolated from Zeta’s first-party data, and from data belonging to other Zeta clients. Zeta does not repurpose this client data, rather, Zeta maintains it to provide services on behalf of the clients who own it. This segmentation protects our clients in a number of ways:
- Clients never “sell” data to Zeta
- Zeta doesn’t sell our first-party data to clients (there are some limited cases that meet the CCPA’s definition of a sale, but in general, Zeta’s platform allows our advertiser clients to reap the benefits of Zeta’s first-party data without ingesting it into their own environments).
- Our clients get to handle their own CCPA-related consumer rights requests with respect to their first-party data.
- Zeta can apply “delete” or “do-not-sell” assignments from our clients with respect to their first-party data.
Zeta is stress tested for CCPA
Thus far, Zeta has received over 8,000 data-subject action requests, providing us with an unexpected but valuable opportunity to stress test our readiness for CCPA.
In short, Zeta responded to the 8,000+ requests within the timeframe allowed by the CCPA, so we feel very ready for the July 1st deadline.
Data privacy and the future are uncertain
As any privacy professional in the United States will tell you, CCPA won’t be the end of the story.
In fact, California has already certified a new ballot question for November regarding the option to adopt a “CCPA 2.0,” known as the California Privacy Rights Act, which would further push California toward European privacy standards.
CCPA 2.0 will more closely align California’s digital privacy laws with the European Union’s GDPR. It will take enforcement of the CCPA away from the California Attorney General, and put enforcement in the hands of a new state agency (almost like a digital privacy Highway Patrol if you will).
It will also create additional restrictions around the collection and use of sensitive data, which includes data that could be used for identity theft, or to materially disadvantage or harm a person.
And that’s just in California. There are CCPA-like laws being introduced in more than two dozen states, and there are drafts of similar bills appearing at the federal level as well.
At Zeta, we embrace this changing landscape, and we’ve made “privacy-by-design” an inherent part of our culture. Moreover, it’s why we employ a team of privacy professionals with more than three decades of collective experience to assist our engineers and product development teams.
As explained by our Chief Privacy Officer, Ben Hayes:
“Our team is closely involved with the technology innovation process at Zeta. We work with the people who are actually developing the marketing technologies of tomorrow, and we help shape their thought process about how those solutions need to work in terms of protecting consumer privacy. We’re always trying to position ourselves to comply with not only the rules that are in force today, but the rules that may be coming next month or next year, and to provide consumers a good experience when interacting with Zeta by being transparent about our practices and giving consumers control over data that relates to them.”