BeOp for PublishersBeOp for AdvertisersPricingBlogAbout usSign in
Navigating Data Privacy in the US
Press Release

If you’ve been following data privacy in the United States, you’re more than aware that major changes are to come with the California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) in effect as of January 1, 2023. In response, we’ll likely see a ripple effect occur with data privacy laws and see other states enact and consider more comprehensive legislation in the coming years. In order to better understand some changes and challenges surfacing, and how BeOp has been helping Publishers navigate privacy regulations and data privacy, read on!

Which states have recently passed new privacy bills and when do they come into effect?

Recently, legislatures in Virginia, Colorado, Connecticut, and Utah, and California have passed broad privacy laws that will be effective in 2023. Specifically:

  • The Virginia Consumer Data Protection Act, effective January 1, 2023
  • The Colorado Privacy Act, effective July 1, 2023
  • The Connecticut Act Concerning Personal Data Privacy and Online Monitoring, effective July 1, 2023
  • The Utah Privacy Act, effective December 31, 2023
  • The California Privacy Rights Act, effective January 1, 2023

What's the CPRA?

The CPRA is an expansion of the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020 and granted California consumers the right to request that businesses disclose what personal information they have collected about them, and request that this information be deleted.

So, what exactly is the major change from the CCPA?

The CPRA builds on these protections and provides additional rights to California consumers, such as the right to correct inaccurate personal information, the right to opt out of the sale of their personal information, and the right to request that their personal information be deleted. The CPRA also imposes stricter requirements on businesses to protect the personal information of California consumers and imposes significant fines for violations.

How are data privacy regulations affecting Publishers, specifically?

In regards to the CPRA, Publishers need to be aware of a key provision; the creation of a new category of sensitive personal information which includes things like racial or ethnic origin, sexual orientation, and precise geolocation data. This information is subject to additional protection and publishers will need to be particularly careful when collecting, using, and disclosing this type of data. They’ll need to have systems in place to honor these requests in a timely/efficient manner, and comply with the requirements to avoid fines, reputational damage and loss of consumer trust.

Another expected repercussion is that user consent may drop further in the coming year. According to BeOp, consent for European Publishers dropped from nearly 100% to approximately 60% following the implementation of GDPR in the EU. The main consequence of this reduction in consent is the inability of many SSP’s to monetize this inventory since the vast majority of players in the market are still cookie driven or in other words, consent mandatory. Thanks to BeOp’s tech, Publishers are still able to effectively monetize this inventory through direct sold campaigns and contextual targeting.

Not doing business in California? A need for caution still exists.

It is important to note that the CPRA applies not only to publishers based in California, but also to any publisher that collects the personal data of California residents. This means that even if your business is located outside of California, you may still be subject to the requirements of the CPRA if you have readers or users in California.

Updates to fines associated with CPRA violations.

One key difference between the CCPA and the CPRA is that the latter includes provisions for increased fines for certain violations. Under the CCPA, the maximum fine is $2,500 per violation or $7,500 per intentional violation. Under the CPRA, the maximum fine for intentional violations is unchanged, but the maximum fine for a violation of a consumer's "sensitive personal information" is $75,000 per violation or $750,000 per intentional violation. As revised fines will begin to be enforced in the US beginning July 1, 2023, responsible data collection is more important than ever.

How will collecting first-party and zero-party data help Publishers in the coming years?

For those new to these terms, first-party data refers to information that is collected directly from the publisher's own sources, such as website analytics and email subscription lists. Zero-party data, on the other hand, is information that is voluntarily provided by the user, such as preferences and demographics. With this data, publishers can gain a deeper understanding of their audience and create more relevant and personalized ad and content experiences for them. So, the question arises…

What are some ways Publishers can confidently collect data?

Companies that have been built for privacy and have proven to navigate privacy regulations unscathed are the partners who should be considered for Publishers. BeOp, 1plusX, and Permutive are great examples.

In 2015, BeOp’s co-founders Louis Prunel and Nicolas Sadki foresaw the pending loss of access to data and how this would decrease the already low performance and returns of programmatic, and developed and refined an entirely distinct and complete contextual and cookieless advertising ecosystem including DSP, SSP and an integrated Creative Platform which enables Publishers to easily create privacy compliant data capture units which include an added option for collecting user consent.

Furthermore, BeOp is built upon sophisticated, AI-driven contextual tools including semantic targeting, and data collection units are able to connect to any DMP such as 1plusX and Permutive.

1plusX offers real-time data management, data clean room, and CTV solutions to help publishers and advertisers engage their audiences.

Permutive empowers publishers and advertisers to activate audiences responsibly, to restore consumer trust. Their audience infrastructure connects publishers and advertisers, enabling them to address their full audience, in-the-moment, while protecting user privacy and respecting customer consent.

As all of these integrations are plug and play within BeOp, you’re enabled to collect some serious volumes of data without much setup. In addition, BeOp can also connect to your CRM via a direct integration or webhook. Take a look here for an example of how BeOp data is passed into Permutive.

What type of data can be collected with BeOp and how can Publishers ensure it’s GDPR & CPRA compliant?

Both first-party and zero-party data can be collected through BeOp units and can be used for sales teams, RFP responses, marketing/retargeting, or to inform editorial teams content. Since BeOp was built for privacy from the ground up, you can be assured of GDPR and CPRA compliance. The ways we support our partners, and provide peace of mind are as follows:

  • Data in the platform is only stored for 13 months
  • GDPA Contacts are stored in our platform
  • BeOp’s Terms and Conditions are clearly posted
  • We let the user choose if the data is stored or not on our databases (you can set storage at 0 months, which equates to no storage at all)
  • We give the ability to check the consent for any registered partner from the TCF from IAB compliant CMPs for campaign delivery (we check if the user has consented to Google before delivering that particular campaign)
  • We have developed a “consent brick” which provides the user the opportunity to provide a true consent on “what” they are doing with BeOp, and set up is simple

  • We do not store any cookie (even for the service) if the user has not consented to BeOp usage
  • We have anonymised IP addresses and all personal information of the users in our databases
  • We have encrypted all our databases

The good news is data collection can be fun and engaging as well!

BeOp formats are “conversational units''. Built upon the premise of “story doing”, our units include polls, quizzes, forms, videos and more that enable publishers to engage with users in an automated fashion without needing to rely on user data. In addition to improving a Publishers UX and boosting overall engagement, these units are capable of producing unprecedented results; users spend an average 30 seconds on BeOp’s formats, and interaction rates for data collection units typically fall between 1% and 5%.

Examples of Success

  • Apartment Therapy received a 2.35% interaction rate for zero-party sales data, and responded within 24 hours to RFP’s.

  • Le Figago captured 100k emails in 5 weeks in the 2020 election cycle, and leveraged semantic targeting.

Who’s adopted these solutions?

Leaf Group, Group Nine Media, Apartment Therapy Media, Network N, and Trusted Media Brands are already among the mutual partners of BeOp and Permutive for responsible first-party and zero-party data collection.

Finally, don’t forget past mistakes of GDPR and CCPA non-compliance. Fines can be serious.

Be aware that depending on the legislation penalties for non-compliance differ. GDPR allows for fines of up to 4% of a company's global annual revenue or €20 million, while the CCPA allowed for fines of up to $7,500 per violation.

GDPR Publisher Fines

In 2020, the UK ICO fined the publisher Reach plc, which owns a number of national newspapers in the UK, ÂŁ250,000 ($332,000) for violating the GDPR. The ICO found that Reach had failed to adequately protect the personal data of approximately 1 million individuals whose data had been accessed by unauthorized third parties.

In addition, the Italian data protection authority fined the publisher RCS MediaGroup $1.4 million for violating the GDPR. The company, which owns a number of Italian newspapers and magazines, was found to have unlawfully processed the personal data of approximately 3.5 million individuals.

CCPA Publisher Fines

In 2020, the California Attorney General's office reached a settlement with the publisher Bonnier Corporation over allegations that the company had violated the CCPA by collecting and sharing personal information from California consumers without their knowledge or consent. As part of the settlement, Bonnier agreed to pay a fine of $50,000 and implement a comprehensive data privacy program.

After learning all this, one question remains…

Have you prepared sufficiently for the data privacy changes to come in 2023 and beyond?

If interested in learning more, contact us at before Data Privacy Day on January 28th to see how we can help, and talk about your data strategy for 2023!

Did you like this article?
Share it on TwitterShare it on LinkedIn
© BeOp 2015 - 2024
🇫🇷 Français →🇺🇸 English →
  • Blog
  • About us
  • Acknowledgments
  • Jobs
  • Contact
Made with đź’š by the BeOp team