(805) 233-7987

364 East Main St. Suite 444 Middletown, DE 19709


Affiliate Marketing and the California Consumer Privacy Act (CCPA)

Affiliate Marketing and the California Consumer Privacy Act (CCPA)

On January 1st, the nation’s most comprehensive privacy law goes into effect. The California Consumer Privacy Act (CCPA) promises to significantly change how personal information is collected and shared in the United States. While the law and its accompanying regulations are very complex, at a high level, the law (1) requires greater transparency and disclosures to consumers regarding the collection and use of their personal information, (2) obligations a business to provide a consumer the ability to opt-out of the sale of their personal information and (3) grants consumers the right to access and delete the personal information that a business may hold about them. 

Personal information is defined very broadly under the law.  It includes not only name and email address, but IP addresses, persistent identifiers, geolocation data and other information. Sale is also broadly defined to include not just transfers for monetary consideration, but also other valuable consideration.   In connection with the sale opt-out, a publisher that does sell such information will be required to have a link on the homepage of their website that says “Do Not Sell My Personal Information.”

Earlier this year we wrote about 10 things you can do to ensure compliance with the CCPA – http://www.dglaw.com/images_user/newsalerts/Digital_Media_CCPA_Update_Preparing_For_The_CCPA.pdf.  However, compliance is a challenge.  In addition to the text of the law, the California Attorney General issued draft implementing regulations in October which clarify obligations, and in some instances, add new requirements. While the law goes into effect on January 1st, enforcement by the California Attorney General will not begin until later in 2020.  Further, these important regulations have not yet been finalized.  So compliance is a moving target. That said, a company ignores working on compliance measures at its peril. The California Attorney General has hired additional staff to enforce the law, which allows fines to be imposed of $2,500-$7,500 per violation.

As if this were not already confusing enough, the Interactive Advertising Bureau (IAB) is proposing a CCPA compliance framework for the industry to deal with retargeting and third party data collection on publisher websites that could qualify as a ‘sale’ under the CCPA. 

For more information on the CCPA, see our latest alert at http://www.dglaw.com/images_user/newsalerts/Digital_Media_California_Attorney_General_Releases.pdf .

The following two tabs change content below.
Gary Kibel (gkibel@dglaw.com, Twitter @GaryKibel) is an attorney and partner in the Digital Media, Technology & Privacy Practice Group of Davis & Gilbert LLP in New York City and the General Counsel of the Performance Marketing Association. Gary advises ad tech companies, advertising agencies, media providers, brands and other commercial entities regarding transactions for affiliate marketing, interactive media, behavioral advertising, social media, programmatic media buying, data collection and usage, and other emerging products and services. He is a Certified Information Privacy Professional (CIPP) and member of the Education Advisory Board of the International Association of Privacy Professionals (IAPP). He advises clients in many industries regarding consumer-facing privacy and internal data security issues, including, information security policies, privacy disclosures, contractual obligations, security breaches, and compliance with a wide variety of privacy laws and self-regulatory obligations. He has a B.A. from Binghamton University, M.B.A. from Binghamton University and J.D. from Brooklyn Law School. Prior to becoming an attorney, Gary was an information systems analyst in the Investment Banking Division of Merrill Lynch & Co.
No Comments

Sorry, the comment form is closed at this time.