Understanding the Basics of CCPA

6 MINUTE READ | November 18, 2019

Abby Long

Abby is PMG’s senior managing editor, where she leads the company’s editorial program and manages the PMG Blog and Insights Hub. As a writer, editor, and marketing communications strategist with nearly a decade of experience, Abby's work in showcasing PMG’s unique expertise through POVs, research reports, and thought leadership regularly informs business strategy and media investments for some of the most iconic brands in the world. Named among the AAF Dallas 32 Under 32, her expertise in advertising, media strategy, and consumer trends has been featured in Ad Age, Business Insider, and Digiday.

A consumer’s right to online privacy has been a burning issue for nearly everyone, from consumers and companies to, now, state government officials, with the CCPA providing Californian consumers with more control over their data. There’s no doubt that new laws will have a significant impact on the digital advertising industry and how consumer data is collected, managed, and utilized across the larger digital economy. Our agency POV on CCPA is coming soon, but in the meantime, here are the basics of the legislation.

Disclaimer: We are not lawyers. PMG is not responsible for providing legal advice and recommends that any companies seeking to comply with the CCPA or any other data privacy regulations hire appropriate legal counsel as any legal advice will need to be tailored to your unique business.

CCPA (currently known legislatively as AB 375) builds upon prior laws, such as ‘Shine the Light,’ CA Civil Code § 1798.83, and aims to further improve Californians’ right to privacy by giving consumers newfound, effective ways to better control their personal information.

The legislation empowers Californian consumers with the right to know and access all the personal data being collected on them by certain businesses. Californians can now find out what categories of data are being collected, why it’s being acquired, and what’s being done with it. Categories can best be defined as the particular data points being collected, so an email address, phone number, or mailing address are each classified as individual categories of personal information. Consumers will also gain visibility into whether or not their personal information is being sold or disclosed and to whom. If their data is being sold, they will now be able to opt out of that sale of their information. Lastly, consumers have the opportunity to request that the business delete their personal information.

These various requirements and regulations directly apply to consumers’ “personal information.” Importantly, the definition of personal information in the CCPA is unprecedented and intentionally broad, covering any information that is capable of being associated with or linked to a particular consumer or household, including information like:

  • Name, postal address, unique personal identifier, IP address, email address, account name, social security number, or other similar identifiers.

  • Financial information, biometric and medical information, or health insurance information. 

  • Commercial information related to product or purchase history or tendencies.

  • Internet historical data and geolocation data.

Note that personal information does not include publicly available information.

In affording Californian consumers these new rights, certain businesses (as outlined below) will be required to disclose 1) the specific categories and pieces of personal information being collected, 2) the business purposes for collecting or selling that information, 3) whether or not they sell that information, 4) whether or not they share the information with third parties, and 5) the categories of third parties with which the information is being shared or sold. These disclosures, along with all others required under the CCPA, must be clearly outlined at or before the time of collection. They must also be contained in the businesses’ online privacy policies and appear in an ADA-compliant format.

The business must also outline 1) a procedure for consumers to request what type of data is being collected on them and 2) a process for requesting deletion of that information. Upon receiving a request, businesses will have to verify the identity of the person to confirm the correct information is being delivered to the consumer, making it a verifiable consumer request. A business only has 45 days to respond to a consumer’s request. It is important for each and every affected business to have a set procedure in place to respond to these requests. A business must allow for these requests to be submitted, at a minimum, via a toll-free telephone number and online. Businesses with a brick-and-mortar presence in California may also need to have an in-person opt-out procedure for consumers.

The business must also put nondiscrimination practices in place to ensure consumers receive equal services and prices, even if a person decides to exercise their privacy rights, such as opting out or requesting that their data be deleted.

If a business sells personal information, it will be required to create a separate page titled “Do Not Sell My Personal Information” with a link on the homepage of the company website (if the company has an app, this link should be on the About Us page or other similar page). This link should take consumers to a page that provides them with a process to opt out of their data being sold. Businesses must also include this link and process in the business’s online privacy policy, along with any California-specific descriptions of consumers’ privacy rights.

Each business must review and update these policies every twelve months. Because of the short timelines and technical nature of these provisions, businesses will need to establish well-defined systems for consumers to submit consumer requests and correspondence protocols for handling those requests. Staff should be trained to comply with these procedures. 

The businesses required to provide the arrangements set forth in CCPA must be over a certain user and/or revenue threshold, as detailed in the legislation:

  • Has annual gross revenues in excess of $25 million (but note this monetary threshold may be adjusted pending further amendments in 2020).

  • Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.

  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Many businesses may dismiss CCPA compliance by focusing only on the annual gross revenue threshold, but it’s worth doing due diligence to better understand how much personal data your business processes. You’d be surprised to find how easy it is to receive personal information for 50,000 people, households, or devices.

Once you’ve determined that your organization must comply with CCPA, the road to compliance largely depends on your current business operations and what needs to be revised or developed. However, as a starting point: 1) determine what personal information you collect, 2) determine what happens with it after collection, 3) review and update your privacy policy to comply with the CCPA, 4) review and update your website to notify consumers, at or before the time of collection, that you collect information, 5) establish procedures for responding to information and deletion requests, and 6) if you sell data, establish a “Do Not Sell My Information” page and opt-out procedure.


Again, we’re not attorneys and highly recommend that you read the CCPA for yourself and work alongside trusted legal counsel. Be on the lookout for PMG’s POV on how CCPA affects digital programs in the weeks to come.
