6 MINUTE READ | November 18, 2019
Understanding the Basics of CCPA
A consumer’s right to online privacy has been a burning issue for nearly everyone; from consumers, companies, and now, state government officials with the CCPA providing Californian consumers with more control over their data. There’s no doubt that new laws will have a significant impact on the digital advertising industry and how consumer data is collected, managed, and utilized across the larger digital economy. Our agency POV on CCPA is coming soon, but in the meantime, here are the basics of the legislation.
Disclaimer: We are not lawyers. PMG is not responsible for providing legal advice and recommends that any companies seeking to comply with the CCPA or any other data privacy regulations hire appropriate legal counsel as any legal advice will need to be tailored to your unique business.
CCPA (currently known legislatively as AB 375) builds upon prior laws —such as ‘Shine the Light,’ CA Civil Code § 1798.83— and aims to further improve Californians’ right to privacy by giving consumers newfound, effective ways to better control their personal information.
The legislation empowers Californian consumers with the right to know and access all the personal data being collected on them by certain businesses. Californians can now find out what categories of data are being collected, why it’s being acquired, and what’s being done with it. Categories can best be defined as the particular data points getting collected, so information like an email address, phone number, or mailing address are classified as individual categories of personal information. Consumers will also gain visibility into whether or not their personal information is being sold or disclosed and to whom. If their data is being sold, they will now be able to opt-out of that sale of their information. Lastly, consumers have the opportunity to request their personal information to be deleted by the business.
These various requirements and regulations directly apply to consumer’s “personal information.” Importantly, the definition of personal information in the CCPA is unprecedented and intentionally broad to include any information that is capable of being associated with or linked to a particular consumer or household including information like:
Name, postal address, unique personal identifier, IP address, email address, account name, social security number, or other similar identifiers.
Financial information, biometric and medical information, or health insurance information.
Commercial information related to product or purchase history or tendencies
Internet historical data and geolocation data.
Note that personal information does not include publicly available information.
In affording Californian consumers with these new rights, certain businesses (as outlined below) will be required to disclose 1) the specific categories and pieces of personal information being collected, 2) the business purposes for collecting or selling that information, 3) whether or not they sell that information, 4) whether or not they share the information with third parties, and 5) the categories of third parties with which the information is being shared or sold. These disclosures, along with all others required under the CCPA, must be clearly outlined at or before the time of collection. They must also be contained in the businesses’ online privacy policies and appear in an ADA compliant format.
The business must also outline a procedure for consumers to 1) request what type of data is being collected upon them and 2) a process for how to request deletion of that information. Upon receiving a request, businesses will have to verify the identity of the person to confirm the correct information is being delivered to the consumer, making it a verifiable consumer request. A business only has 45 days to respond to a consumer’s request. It is important for each and every affected business to have a set procedure in place to respond to these requests. A business must allow for these requests to be submitted, at a minimum, via a toll-free telephone number and online. Businesses with a brick and mortar presence in California may also need to have an in-person opt-out procedure for consumers.
The business must also put nondiscrimination practices in place to ensure consumers receive equal services and prices, even if a person decides to exercise their privacy rights, such as opting-out or requesting their data to be deleted.
Each business must review and update these policies every twelve months. Because of the short timelines and technical nature of these provisions, businesses will need to establish well-defined systems for consumers to submit consumer requests and correspondence protocols for handling those requests. Staff should be trained to comply with these procedures.
The businesses required to provide the arrangements set forth in CCPA must be over a certain user and/or revenue threshold, as detailed in the legislation:
Have annual gross revenues in excess of $25 million (but note this monetary threshold may be adjusted pending further amendments in 2020).
Annually buys, receives for business commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Many businesses may dismiss CCPA compliance by only focusing on the annual gross revenue threshold but it’s worth doing due diligence to better understand how much personal data your business processes. You’d be surprised to find how easy it is to receive personal information for 50,000 people, households, or devices.
Sign up for weekly articles & resources.
Again, we’re not attorneys and highly recommend that you read the CCPA for yourself and work alongside trusted legal counsel. Be on the lookout for PMG’s POV on how CCPA affects digital programs in the weeks to come.
Posted by Abby Long
4 MINUTES READ | September 22, 2022
4 MINUTES READ | September 15, 2022
3 MINUTES READ | September 15, 2022
4 MINUTES READ | August 19, 2022
4 MINUTES READ | August 12, 2022
3 MINUTES READ | August 5, 2022
3 MINUTES READ | July 28, 2022
3 MINUTES READ | July 26, 2022
3 MINUTES READ | July 22, 2022
1 MINUTE READ | July 19, 2022
1 MINUTE READ | July 18, 2022
3 MINUTES READ | July 14, 2022