California’s Department of Justice has developed and released a draft of implementing regulations for the state’s upcoming data privacy law. The rules clarify how the state will enforce the California Consumer Privacy Act (CCPA) and explain what businesses have to do to ensure they are following the law.

The draft implementing regulations for CCPA groups the actions businesses have to take around five key components: how to notify consumers about what data is being collected; how to handle the consumer requests for information; how to verify the identity of consumers making the requests; how to handle requests for information for children younger than 16 years old; and what needs to be done to avoid discriminating against consumers who don’t want their data or sold. The comment period for the draft rules end Dec. 6.

Privacy is an “inalienable right” in California, and CCPA will reset “the power dynamic between [consumers] and businesses,” California Attorney General Xavier Becerra said at a press conference announcing the draft implementation. The CCPA “allows you to pull the curtain back and see what information companies have collected about you, so that if you want, you could have that data deleted.”

The implementation rules lay out the things businesses have to think about as CCPA becomes law. “We want businesses to understand consumers have rights,” Becerra said. “Everyone has an obligation to know their rights and responsibilities under CCPA.”

The CCPA isn’t just for businesses that collect data online. A business that “substantially interacts with consumers offline” also has to notify the consumer about the data being collected and provide an offline opt-out mechanism.

The new law also requires businesses to be “transparent” about the data’s value, so that “consumers know how their information is valuable to the business,” Becerra said. Towards that end, businesses have to clarify the “service difference” a business may offer in exchange of personal information, so that the consumer can make an informed decision.

California may be the first state to have such a far-reaching data privacy law, but it isn’t alone. However, most local laws have focused on one or two aspects of consumer privacy, such as opt-outs and collection. The breadth of California’s law means that companies have to make changes all across the data lifecycle. “We may be the first, but we won’t be the last.” Becerra said.

The law goes into effect on Jan. 1, but the rules implementing and enforcing the law won’t go into effect until July 1, said Stacey Schesser, California’s supervising deputy attorney general.

Mention a “cookie” and most people expect a chocolate chip treat to appear. However, when talking about digital marketing, cookies are references text files on a browser that associate bits of data to a specific user.

Cookies are created when a user visits a website to keep track of their movements within the site, helping the user remember their login, preferences, and other information. Many online retailers use cookies to keep track of the items in a user’s shopping cart as they explore the site. Without cookies, your shopping cart would reset to zero every time you clicked a new link on the site. That would make it impossible to buy anything online.

Types of Cookies
The two most common types of cookies are first-party and third-party. Both types of cookies contain browser information and can perform the same functions. However, the real difference between the types of cookies has to do with how they are created and used.

• First-party: These cookies are originated from the primary domain visited by the user, used to personalize that users experience on that primary domain.
• Third-party: These cookies don’t originate from the primary domain visited by the user. The most common use of third-party cookies is to track users who click on advertisements and associate them with the referring domain.

Cookies have become the most common method of identifying website users and allowing for a personalized browsing experience on a desktop (we discuss mobile below). However, with growing awareness of privacy issues, the introduction of laws like the General Data Protection Regulation (GDPR), CCPA, Apple’s ITP, Firefox’s ETP and now Chrome’s ITP, some are saying the end of cookies is near.

More on Third-Party Cookies
For the MarTech industry, ad targeting is a huge deal. Third-party cookies are used to gather the information on user behavior such as websites visited, time spend, clicks, location, and more. This information creates a unique profile of the user to show them only relevant and personalized ads.

The lifespan of third-party cookies has been threatened for a while. In 2017, Apple first released ITP aka Intelligent Tracking Prevention for the Safari browser. With ITP 1.0, Safari wanted to prevent third-party cookies from tracking users across different sites. And now, they have ITP 2.2 coming soon to strengthen that protection against user tracking.

Why You Should Care
Chrome is following in Apple’s footsteps and released a new set of controls that allow users to see all of the cookies currently stored by the browser and give them the option of blocking any trackers they don’t like. With Google Chrome accounting for nearly 70 percent of the global desktop internet browser market share, the MarTech industry is getting nervous.

The cookie also poses obstacles in the mobile space — if they even work at all. There is a new term called ‘the unreachables’, the mobile-only users, who don’t really engage on desktop computers and don’t interact with traditional media. No cookies for them.

Goodbye Cookie, Hello Device ID
The cookie isn’t dead yet, but as protection against user tracking, browser privacy and the growth of mobile users continues to grow, device IDs will be redefining the role and the usefulness of cookies.

Cookies don’t deliver the holistic view that device IDs do. Device IDs provide better and more reliable data. They present a clear view of a user based on deterministic data across longer, if not indefinite, stretches of time. Cookies only track a single session and the average “lifespan” of the cookie is no more than three weeks, creating discrepancies when measuring long term user journeys.

Device IDs are a more efficient way of targeting and reaching customers via connected devices more accurately. There is a science of how to properly collect and curate accurate device IDs to an individual and if done right, ad spend will be utilized wisely and profitably, if it’s done wrong, spending and ROI will be disastrous.

Device IDs will drive this future; cookies will not.