September 7, 2020

Secure Privacy CMP Tool: GDPR and CCPA Compliance for Publishers

In this article, we provide a comprehensive guide of what CCPA and GDPR consent management platforms entail.

For businesses in the adtech industry, a consent management platform is a crucial element for your GDPR and CCPA compliance efforts.  

Nonetheless, some CMPs do not afford you compliance with the major data protection regulations. 

This is mainly because the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA),  have major differences in terms of their data protection provisions, although they have a shared objective of improving user privacy. 

For this reason, a one-size-fits-all solution is unlikely to achieve CCPA and GDPR consent requirements. 

In this article, we provide a comprehensive guide of what CCPA and GDPR consent management platforms entail. The areas covered include; 

  • What is a Consent Management Platform (CMP)?
  • Why do I need a Consent Management Platform (CMP) as a publisher or advertiser?
  • What is the difference between CCPA and GDPR? 
  • Why do I need to obtain user consent under the GDPR and CCPA?
  • How do I benefit from using a CMP?
  • How does the Secure Privacy Consent Management platform (CMP) work? 
  • Why is Secure Privacy the best CMP tool

What is a Consent Management Platform (CMP)?

 This is a software tool that helps websites or applications to meet GDPR and CCPA data protection requirements. 

CMPs facilitate compliance by asking users for consent, gathering and handling their information, and sharing this data with ad partners. 

Commonly, the term CMPs is connected to IAB’s Transparency and Consent Framework (TCF) and the service providers registered under it. 

From a technical point of view, the term refers to a wider concept that goes beyond integration with the Interactive Advertising Bureau (IAB)

Nonetheless, the IAB TCF brings together registered CMPs of adtech vendors such that first parties can obtain user consent to manage personal data through vendors and share it with third-parties. 

Through CMPs, IAB’S Transparency and Consent Framework guarantees transparency and responsibility in the advertising supply chain since publishers can rest assured that they are collaborating with an ad partner who is GDPR compliant and vice versa. 

What is IAB TCF? 

IAB Europe’s Transparency Consent Framework is a set of technical specifications and policies that require website publishers to inform users of the type of data being collected from them and how they plan to use this information together with their third-party partners in a GDPR-compliant way. 

For this reason, the IAB TCF provides the publishing and advertising industry with a harmonized platform on which to demonstrate user consent in the delivery of appropriate digital promotions and content.

Read our blog for a detailed comparison of the IAB TCF v 1.1 and v 2.0.

Why Do I Need a Consent Management Platform (CMP) as a Publisher or an Advertiser?

The main duty of a CMP is to gather user consent for the collection, use, and storage of their personal data for a variety of advertising and marketing goals such as sending personalized ads. 

However, both GDPR and CCPA have set the precedent for allowing users the choice to deny or accept this request. 

This is where CMPs come in,  whereby, they provide a platform for users to either opt-in or opt-out of the installation of marketing or third-party cookies alongside other essential and functional cookies. 

Therefore, if a user opts-out of the placement of advertising cookies in their devices, a publisher cannot collect their personal data for marketing purposes or share it with ad partners. 

CMPs are essential for you as a publisher or advertiser because they allow you to collect user information in compliance with GDPR, CCPA, as well as other global data privacy laws. 

What is the difference between GDPR and CCPA? 

The General Data Protection Regulation (GDPR) is the EU’s trendsetting privacy law that was adopted in May 2018. 

The GDPR oversees how data controllers gather, use, and share personal information of EU residents. 

While the CCPA is a big step for California and the US in general, it is not wide in scope, as is the case with the European Union's General Data Protection Regulation. 

Implemented on January 1, 2020, the CCPA oversees how businesses collect the personal information of California residents. 

Some of the key consumer provisions under the CCPA include the rights to; 

  • Know the kind of data collected from them by businesses
  • Deletion of this information
  • Opt-out from having their data sold to third parties

The six critical clauses that inform the core differences between GDPR and CCPA are ;

  • Target demographic
  • Impacted organizations
  • Type of data impacted
  • Data disclosures
  • Data subjects’ privileges
  • Financial penalties

Target Demographic

Although both GDPR and CCPA apply to natural persons, how they are defined differs. Essentially, CCPA strictly applies to California residents.

In contrast, GDPR applies to the data of EU citizens and residents.

Furthermore, CCPA safeguards the information that can be connected to a specific home, instead of being limited to an individual as is the case under GDPR.

Impacted Organizations

In terms of scope, GDPR's coverage wide. It applies to all organizations, including enterprises, public agencies, as well as the non-profit industry.

In contrast, CCPA's scope is limited to profit-focused firms that satisfy explicit obligations. The specific requirements clarify that that law applies to businesses that report annual gross revenue of more than $25 million.

Additionally, if your organization purchases, collects, sells, or distributes for user data for commercial reasons, the personal data of 50,000 or more consumers, and you obtain 50% or more of your yearly income from selling consumer’s private information, you are subject to CCPA regulations.

Concerning geographical location, GDPR affects your business if you handle EU data subjects’ information regardless of your location.

Type of Data Impacted

While CCPA applies to information that is not controlled by existing national privacy regulations, GDPR oversees all classifications of personal information.

Data Disclosures

Although both GDPR and CCPA oblige businesses to reveal the uses of the personal information they gather, CCPA has an additional requirement in that, you are obligated to reveal data sales and activities involving data processing in the past year.

Data Subjects’ Privileges

GDPR requires companies to seek prior approval from consumers for data processing and third-party access to their information. 

On the other hand, CCPA gives consumers the freedom to opt-out of the sale of their data, in addition to requiring you to provide a visible link at the top of their homepage for this requirement.

Financial Penalties

Under the GDPR, the fine for non-compliance or a data breach, is up to 4 percent of your firm's yearly global revenue or 20 million Euros. 

On the contrary, CCPA penalties are mandated per misuse up to a maximum of $7,500 for every violation.

Furthermore, CCPA does not spell out sanctions for non-compliance. Instead, the violation is only taken into consideration at the point of a breach, which many observers deem as being too late. 

In contrast, GDPR can enforce a sanction in instances where a firm is considered to be in danger of a breach or not acting accountably.

Although both data privacy laws are based on identical principles, notable differences between them exist. 

Characteristically, GDPR's scope is broader, while CCPA has adopted a more specific approach.

However, this does not mean that if you are GDPR compliant, you do not need to be concerned about CCPA because it is clear that it is evident that in some cases, CCPA's obligations exceed GDPR's scope.

Check out our article for a simplified breakdown of the core differences between GDPR and CCPA.

Why Do I Need to Collect User Consent under GDPR and CCPA? 

Both the GDPR and the CCPA, outline specific requirements for publishers and advertisers who rely on consumer data for marketing campaigns. 

User consent is one of the main legal bases for processing consumer data under the GDPR.

 The European Data Protection Board (EDPB), which is the EU’s chief GDPR enforcement oversight body published new guidelines on how to obtain valid consent when it comes to GDPR and cookies.

Valid cookie consent under the GDPR must be; 

  • Informed
  • unambiguous
  • freely given
  • Specific 
  • Easily withdrawn

On the other hand, as already highlighted, the CCPA requires you to let your users know the categories of personal information you sell, and allow them to opt-out of the sale of their data with a ‘Do Not Sell My Personal Information’ link on your website. 

Specifically, consent is not a requirement under the CCPA.

How Do I Benefit from Using a CMP? 

With a CMP, you can keep logs of user information that has been consented to and filter out the users who have not agreed to the terms and conditions in case this information is requested by Data Protection Authorities (DPAs) and other oversight bodies. 

A CMP helps you ensure that your data collection and processing activities are compliant with both the GDPR and CCPA.

Consent management platforms also allow you to know the different kinds of personal data you collect and make it easier for you to know the number of consumers that have authorized you to use their personal information and for what purposes. 

How does the Secure Privacy Consent Management platform (CMP) Work?

GDPR

The Secure Privacy Consent Management platform helps you comply with the GDPR and is registered under IAB Europe’s Transparency Consent Framework (TCF) V 2.0

With the Secure Privacy CMP you get; 

  • Full history and audit trail hosted by you or us
  • A customizable CMP position
  • The consent string passed to third parties
  • Cross-domain support 
  • Predefined text and CMP design 
  • Adaptively show the applicable notice in the relevant region 
  • Customizable appearance and feel
  • Web and native app support 

CCPA 

As your preferred CMP, Secure privacy gives you a privacy preference management platform that allows your data processing activities to satisfy CCPA requirements.

You get; 

  • Full history and audit trail hosted by you or us
  • Web and native app support
  • Customizable templates 
  • California-only geo-targeting 
  • Cross-domain support 
  • Customizable look and feel

Why is Secure Privacy the best CMP Tool for IAB TCF 2.0 ?

IAB’s consent model is fundamentally different from the plugin/cookie blocking consent model used in Secure Privacy and other consent management solutions. 

In general, IAB’s model puts the control in the hands of advertisers and vendors by signaling the user’s consent to advertising vendors. 

However, Secure Privacy can block non-consented vendors and thereby give control to the publisher, who is liable to ensure data protection for all tracking performed by third parties on the publisher’s website.

With this fundamental difference in the design, Secure Privacy introduces a new setting to enable Interactive Advertising Bureau (IAB) Europe which updates your existing cookie banner and privacy center. Read about Data Protection Laws and the principle of Privacy by Design.

We give you a choice to select IAB banners over Secure Privacy banners.

The cookie banners and privacy banners are fully IAB compliant meaning as a registered CMP, Secure Privacy has passed all the UI/UX and technical requirements of the IAB framework.

Furthermore, our solution meets the following ePrivacy Directive and GDPR compliance requirements that are consistent with IAB 2.0’s obligations;

Read more blog posts about data protection.

User Notification

As your CMP, Secure Privacy ensures that consumers are aware of what data is processed and for what purpose, such that they know what they are giving their consent to.

Express Action

Our solution ensures that consumers give consent to the use of cookies based on true choice as opposed to being coerced into accepting their deployment.

Affirmative Consent

Using Secure Privacy as your CMP for IAB Europe Transparency Consent Framework 2.0 also ensures that cookie consent is provided through affirmative and unambiguous action in accordance with GDPR, and ePrivacy Directive compliance requirements.

Notice

Our solution also ensures that an alert is communicated to users before the initial data processing occurs.

Ability to Withdraw Consent

According to the GDPR, consumers should be allowed to withdraw consent easily. Secure Privacy ensures that users can withdraw consent as easily as they gave it.

Get your additional concerns or queries regarding how to integrate Secure Privacy as your preferred CMP for GDPR and CCPA compliance answered by booking a call with us today and get personalized support from a data privacy expert.