California Attorney General Adds Cookie and Analytics Tracking To It's Purview & Fines Could Be Massive
Tim: Welcome back to Thinking Caps, Summer Edition. I'm on the road. Richard's in the UK. But we want to bring you some news that just came out around the CCPA and some compliance there. There's some new news that analytics trackers are in the crosshairs. Will it affect you? Let's dig in right now. Yeah, Rich. This is really interesting. I mean, it's definitely fair to say that enforcement has definitely started, and marketers need to be aware what's going on. And there's a great Digiday article here that we're going to breakdown.
Richard: Today, we are going to look at the enforcement of the CCPA and give marketers a view on what is actually going on.
Tim: Yeah, Rich. I mean, it's clear that enforcement is starting behind CCPA, and marketers need to know what's going on. Digiday launched two articles, we're going to dig into one of them. But go ahead, Rich, give me the particulars of what you have.
Richard: Yeah. Essentially, enforcement letters have now begun to stream out to advertisers, social media sites, data brokers, and ad tech firms from the California Attorney General's office.
Tim: Yeah. I mean, it is clear now that the CCPA, the California Consumer Privacy Act, and the CCPRA, clearly enforcement's not just about data breaches anymore, Rich. It's also about cookies and tracking technologies, and that includes these analytics trackers that a lot of marketers who are watching are probably using in some way. And the penalties for violations could be incredibly steep.
Richard: Well, all right. It's definitely something we need to dig into. What's going on? There's a guy called Rob Bonta, who's the state's AG, who's been sending out these letters to enforce CCPA. And these letters have essentially made his position very, very clear, and that's what I think we need to dig into. The big thing to note here is that data tracking for advertising and analytics purposes, as you say, including cookie based tracking fits within the CCPA's definition of a data sale, of a data sale.
Tim: Yeah. I mean, think about that, a data sale. There's a few lawyers at Digiday, the Digiday author's spoken to, and they said that many companies are being asked to provide details about the data sharing and, specifically, data around cookies and tracking. So that could be from their ads. It could be from the analytics. Clearly, CCPA is going much beyond just the data that a marketer is storing, but going after the data they might be buying, using or bartering for analytics and tracking.
Richard: Yeah. That's not the only thing that gives us a view into how the attorney general's office are thinking about enforcement when it comes to CCPA. Lawyers are also interpreting a series of generic CCPA case examples that the agency published on July 19th, which show evidence of enforcement around tracking for analytics purposes and opt out notices. They're really isn't much of a gray area left now. Cookies and other tracking tech for ads and analytics are firmly in the enforcement crosshairs of the CCPA.
Tim: Yep, absolutely. In fact, I'm going to read a little bit here. There's one case example published by the AG's office. An unnamed social media firm was actually accused of noncompliance after sharing personal information about people's website activities with third party analytics providers without providing the appropriate notice or opt out capabilities. In fact, this recording this morning on August 3rd, there's a new article that goes into deeper onto those opt outs and how general third party opt outs are not going to cut it. And it's very, very clear that third party trackers, and people that are tracking things from apps and websites, are in the crosshairs of the CCPA.
Richard: Let's just take a step back. Data sharing via analytics and trackers could constitute a data sale, according to the attorney general. That's going to have massive consequences for marketing, marketers and advertisers, no question about that. The question is, how are they actually thinking about fines? What's going to be the damage for those companies that are caught out of compliance? Well, a lot of the action, right now, is sending out letters with a 30- day cure period to rectify. However, things are going to get very hairy at the next level of enforcement.
Tim: Yeah. There's no doubt there. If you think about this, the state could charge companies for each individual instance of a cookie related violation. That's crazy. I mean, there could be thousands, if not millions, of uses of cookies across your ad ecosystem and tracking. If it could charge for each time a California resident interacts with a website without proper notice or opt out capabilities, that could be huge. And I'm quoting here, " In cases like these, the number of violations maybe large." That's an attorney quoted in it. I'll go on to continue with, " A big tally of violations can add up to giant civil penalties. When violations are found to be unintentional, each one could result in a$ 2500 fine." I mean, that's crazy. And then, " If found intentional, it could be as high as$ 7500 each violation, for each cookie violation." That's crazy.
Richard: Ouch. Ouch, ouch, ouch. Look, we need to see how they calculate a violation, a specific violation. But the stick is clearly big enough for the attorneys general or the California Justice Department, in general, to deliver a heavy blow, if they wanted, to companies. We need to take note of this. The question is, are businesses, are marketers taking this seriously? Well, not according to this research, also, from Digiday. Which basically looks at a small fraction of the sites in the Comscore 50, and evaluating the privacy notices they're showing to their US visitors. And just a little more than 10% of the sites owned by the largest media companies are giving most American internet users an opportunity to manage what kinds of data those sites can collect and use. It seems there's quite a lot of dry ember to be burnt through, when it comes to this issue around enforcement, and those letters coming out of the attorney general's office.
Tim: Yeah. I mean, this is going to be huge. And, again, as I mentioned this morning, there's a new article in Digiday. That's your homework, if you're watching this, right now. It's titled, California Attorney General Says Popular Digital Ad Opt Outs From Trade Groups Don't Comply with the CCPA. This goes even farther and, in fact, it states here that both the Network Advertising Initiative and the Digital Advertising Alliance have popular opt out tools for ad tracking that are being used right now. I mean, they're ubiquitous. A lot of marketers and agencies... So think about this, Rich. The marketers saying, " Hey, agency, run my ads, do everything, take care of me," and now these agencies are using these ubiquitous opt out tools. And they just stated those are no longer going to work, as well. This is a giant quagmire that marketers, and agencies, and analytics trackers, and everyone else have to deal with.
Richard: I just hope that it reinforces, to marketers out there, the need to really take control of their own customer relationships to spend money on platforms, like Facebook and Google, to get them off those platforms into the brands own database to use things like loyalty programs to build that value exchange to incentivize that direct connection between brand and consumer over the longterm, so you can be isolated from being able to know who your customers are and be able to deliver great personalized marketing. Because the data is coming directly to you, and you're tracking their activity on your own channels, on your own platforms. I hope this is a real wake up call to the industry at large to really double down on those efforts to build those direct relationships, those first party relationships, with consumers.
Tim: Yeah. And Rich, I'll add to that on the technical site of things. Look, if you're maybe shopping for a CDP, and you're going to attach it to a couple different things, an ESP, your email, or your point of sale, or anything. This is the time to really kick the tires and say, " Can my marketing system of record, can my engine, actually accept whatever the opt out mechanism becomes for advertising and analytics trackers?" Because you're going to need real time streaming, not batch data. This stuff has to come in, in real time, if someone opts in and out. How are you taking them in and out of segments, or getting them into the right ad group? It's no longer about just matching, Tim, wants mountain clothing, not beach clothing. That's great, and you need that, as you just mentioned personalization. But you also need to know if Tim opted in or out on a particular ad network, and that's going to be incredibly interesting. If you're building a CDP, be very, very careful that, that engine, can really handle those incoming, outgoing real time slippery data connections to make sure you're in compliance. That's what I got. We got 30 seconds left, Rich, go ahead and close us out.
Richard: Well, I'd say, actually, mountain clothes and beachwear are the only things I've ever seen you in. If that's a segment, I think you're going to win.
Tim: Well, if anybody has a poison ivy recommendations, I could use that, because I got a lot of poison ivy from these woods you're looking over my shoulder. All right, that was a fun one.
Richard: All right. Cool. Excellent. Well, same time next week.
Tim: Yes, sir. See everybody next time.
The California State's Attorney General issues letters to analytics tracking forms claiming cookie and analytics infractions fall under CCPA/CCPRA as potential 'data sale', Violators could face incredible fines at the cookie or per person level. The AG also warns widely accepted opt-out features aren't up to speed and could create massive infractions. Is your brand in the crosshairs? We explain the high level overview in this episode.