In the past few years, the Awin Group has undergone a major shift in the way privacy is handled. While Awin and ShareASale have always taken its legal obligations seriously, Europe’s Global Protection Data Regulation (GDPR) introduced a new level of maturity when it comes to dealing with personal data. Data that was previously not always considered personal data, such as data collected by way of tracking cookies, now falls under the scope of the GDPR. New processes were developed and existing processes were amended to reflect the newfound respect for personal data. Privacy is now engrained in our operations, centered in large around the principles of the regulation.
If 2018 was the year of GDPR, 2019 is certainly the year of the California Consumer Privacy Act (CCPA) and broader US legislation. The assumption that GDPR readiness automatically means CCPA compliance is an oversimplification of the complexity these laws bring. While both the GDPR and CCPA have the same aim of increasing data protection, the CCPA requires separate dedicated attention.
In this article we will outline some of the crucial questions the CCPA asks, as well as some of the steps the Awin Group is taking to ensure compliance by January 1, 2020.
Roles and responsibilities
For those who are familiar with GDPR terminology, the terms data controller and processor will not be new. Defining the role an organization takes in processing personal data is key to defining its obligations under the GDPR. The same approach applies under the CCPA, albeit with different terms and different obligations tied to the respective categories.
The CCPA differentiates between three distinct categories: businesses, third parties and service providers.
- Businesses are the organizations that do business in the State of California and fall under the scope of the CCPA due to meeting thresholds set out therein.
- Third parties are organizations involved in data processing that receive the data from a business and are able to use the data for its own purposes.
- Service providers are organizations processing data on behalf of a business under a written contract.
In order to ensure that all parties roles and responsibilities are clear under the CCPA, Awin will be rolling out a Data Processing Addendum to its advertisers and an update to the T&Cs for its publishers. These updates will consider any operational differences which impacts the analysis under CCPA and GDPR.
Data processing agreements
In 2018, the Awin Group introduced its GDPR-compliant data processing agreement (DPA) template. This DPA will now be supplemented with a CCPA addendum, and rolled out for the full US and Canada advertiser base to ensure that all US and Canada advertiser relationships are both GDPR and CCPA compliant.
The necessity to keep GDPR provisions within the DPA stems from Awin’s company structure and predominantly EU-based technologies. While most of the obligations will remain similar, the DPA will reference the CCPA, its terminology, and will include specific restrictions and obligations regarding consumer data.
For publishers, the data protection clauses form part of the standard publisher terms and conditions. To keep this structure, the CCPA provisions will also be incorporated. Both changes will be initiated in the coming days, allowing for revision prior the January 1 deadline.