
Navigating CCPA’s Impact on Your Brand

By: Pete Capp
October 2020

In the recent film The Social Dilemma they state, “if you are not paying for the product then you are the product.”

As technology continues to make it easier for consumers to learn, connect and shop, it also makes it easier for brands to collect data. With privacy becoming more and more of a concern for these ever-connected consumers around the world, the Global Data Protection Regulation (GDPR) in the EU and recently the California Consumer Privacy Act (CCPA) in the U.S. were born as a way to regulate the collection of personal data and its usage by brands. If you’re a California-based brand, you’re probably well aware of CCPA, but these new regulations and the costly fines associated with them are impacting more than just those brands operating in California. So how do you know if CCPA impacts your business, and how can you swiftly navigate these changes correctly? Let’s start with some basics.

The California Consumer Privacy Act (CCPA), which began in January 2020, is a game-changer for the United States and follows the growing consumer data privacy trend set by the implementation of the GDPR. Under the CCPA (nicknamed California’s GDPR), California residents have the right to access any personal information that is obtained by a website and its cookies, either to have it deleted or to opt out of its “sale” to other third parties. Compliance under CCPA for data collection of personal information stored on a website database is fairly straightforward for California users. For businesses, if you are for-profit and have customers in California, you are required to comply with these rules if you:

  • Earn at least $25 million in revenue per year
  • Own personal data for more than 50,000 consumers, and
  • Have half of that revenue come from the selling of consumer data.

Cookies are typically small text files that are assigned identifiers (IDs) and stored on your computer’s browser. These cookies are created when you use your browser to visit a website to track your interactions within the site. Some of their uses are remembering a registered login, helping you resume where you left off (shopping cart, etc.), site preferences and many other functions.

Third-party cookies, on the other hand, are installed by other products, typically ad tech used for advertising purposes like retargeting, that are not directly controlled by the site owner. To advertisers, publishers and ad tech companies alike, it isn’t news that third-party cookies are facing scrutiny with the continually growing pro-consumer privacy trend in the United States and abroad. These cookies can be used to track a bit more of the user’s activity across sites and over longer periods of time. While the term “third-party cookie” has emerged relatively recently, the technology behind it has been around since the ’90s.

While browser companies like Firefox, Safari and soon Google Chrome are already taking the initiative to phase out cookies, there is a need for companies to take immediate action to avoid fines. So, what steps should brands take to change their third-party cookie practices today on their websites? Under CCPA, companies need to offer more comprehensive choices to consumers. These options take the form of passive and active cookie banners that disclose information about what cookies are being stored and their purposes. Cookie banners and privacy policy updates are not explicitly required but are becoming common practices on corporate websites. Most cookie banners fall within these three categories:

  • Notice Only - This banner discloses to visitors that the website uses cookies but does not give the user any direct control over the use. Some banners might even provide information on how to disable cookies directly within the browser itself.

  • Notice/Opt-In - This type of cookie banner will disclose to a website user that the website would like to deploy cookies. The user accepts the use of cookies by either continuing to view the website or by an action of clicking accept within the banner.

  • Notice/Opt-Out - An opt-out notice cookie banner discloses to a website user that the website deploys cookies and provides the user with a mechanism for disabling the use of cookies on the website in the future. This might be a single “opt-out” or a more granular option for opting out of some types of cookies (advertising cookies, etc.).

In addition to cookie banners, companies need to provide a “Do not sell my personal information” link, which allows users to request or delete any personal information being stored by a brand. Brands must facilitate and respond to at least two types of submission requests: the first is a toll-free phone number for users to call and the second is a web-based form. This process is used to verify the authenticity of the requesting user.

A brand can be penalized for failing to maintain a CCPA privacy policy, not responding to a consumer request for their data, not providing a notice when collecting personally identifiable information (PII) or selling data without an opt-out statement. First, your brand will receive a 30-day warning. If the violation isn’t rectified, the fines can be up to $7,500 per intentional violation and $2,500 per unintentional violation (a violation referring to one consumer). The enforcement of CCPA took full effect on July 1st, 2020. There are, however, a lot of discussions to delay enforcement to January of 2021 due to the pandemic.

It goes without saying that privacy is a major concern among website users these days and it’s safe to say that these types of regulations are here to stay. In fact, more states will undoubtedly follow suit in the very near future, but to what extent and how far each state will go is TBD. There are also strong possibilities that, as various states pass their own unique data privacy laws (there are several states in this process), the federal government will introduce national legislation to ease the burden of a state-by-state mosaic of privacy laws. It pays to understand what is to come so your brand can get in front of it.


Hoffman York is a full-service advertising and marketing communications agency with experience helping clients succeed. HY provides award-winning creative solutions, paid media, content creation, public relations, digital strategies and development, as well as research and analytics. To learn more about how HY can help your brand succeed, contact us at [email protected]. Or, click here to see a gallery of our work. 
