PMG Digital Made for Humans

Understanding the Basics of CCPA

6 MINUTE READ | November 18, 2019

A consumer’s right to online privacy has been a burning issue for nearly everyone: consumers, companies, and now state government officials, with the CCPA providing Californian consumers with more control over their data. There’s no doubt that new laws will have a significant impact on the digital advertising industry and how consumer data is collected, managed, and utilized across the larger digital economy. Our agency POV on CCPA is coming soon, but in the meantime, here are the basics of the legislation.

Disclaimer: We are not lawyers. PMG is not responsible for providing legal advice and recommends that any companies seeking to comply with the CCPA or any other data privacy regulations hire appropriate legal counsel as any legal advice will need to be tailored to your unique business.

CCPA (currently known legislatively as AB 375) builds upon prior laws (such as ‘Shine the Light,’ CA Civil Code § 1798.83) and aims to further improve Californians’ right to privacy by giving consumers newfound, effective ways to better control their personal information.

The legislation empowers Californian consumers with the right to know and access all the personal data being collected on them by certain businesses. Californians can now find out what categories of data are being collected, why it’s being acquired, and what’s being done with it. Categories can best be defined as the particular data points getting collected, so information like an email address, phone number, or mailing address are classified as individual categories of personal information. Consumers will also gain visibility into whether or not their personal information is being sold or disclosed and to whom. If their data is being sold, they will now be able to opt out of that sale of their information. Lastly, consumers have the opportunity to request that the business delete their personal information.

These various requirements and regulations directly apply to consumers’ “personal information.” Importantly, the definition of personal information in the CCPA is unprecedented and intentionally broad, covering any information that is capable of being associated with or linked to a particular consumer or household, including information like:

  • Name, postal address, unique personal identifier, IP address, email address, account name, social security number, or other similar identifiers.

  • Financial information, biometric and medical information, or health insurance information.

  • Commercial information related to product or purchase history or tendencies.

  • Internet historical data and geolocation data.

Note that personal information does not include publicly available information.

In affording Californian consumers these new rights, certain businesses (as outlined below) will be required to disclose 1) the specific categories and pieces of personal information being collected, 2) the business purposes for collecting or selling that information, 3) whether or not they sell that information, 4) whether or not they share the information with third parties, and 5) the categories of third parties with which the information is being shared or sold. These disclosures, along with all others required under the CCPA, must be clearly outlined at or before the time of collection. They must also be contained in the businesses’ online privacy policies and appear in an ADA-compliant format.

The business must also outline 1) a procedure for consumers to request what type of data is being collected on them and 2) a process for requesting deletion of that information. Upon receiving a request, businesses will have to verify the identity of the person to confirm the correct information is being delivered to the consumer, making it a verifiable consumer request. A business only has 45 days to respond to a consumer’s request. It is important for each and every affected business to have a set procedure in place to respond to these requests. A business must allow for these requests to be submitted, at a minimum, via a toll-free telephone number and online. Businesses with a brick-and-mortar presence in California may also need to have an in-person opt-out procedure for consumers.

The business must also put nondiscrimination practices in place to ensure consumers receive equal services and prices, even if a person decides to exercise their privacy rights, such as opting out or requesting their data to be deleted.

If a business sells personal information, it will be required to create a separate page titled “Do Not Sell My Personal Information” with a link on the homepage of the company website (if the company has an app, this link should be on the About Us page or other similar page). This link should take consumers to a page that provides them with a process to opt out of their data being sold. Businesses must also include this link and process in the business’s online privacy policy along with disclosing any California-specific descriptions of consumers’ privacy rights.

Each business must review and update these policies every twelve months. Because of the short timelines and technical nature of these provisions, businesses will need to establish well-defined systems for consumers to submit consumer requests and correspondence protocols for handling those requests. Staff should be trained to comply with these procedures. 

The businesses required to provide the arrangements set forth in CCPA must be over a certain user and/or revenue threshold, as detailed in the legislation:

  • Has annual gross revenues in excess of $25 million (but note this monetary threshold may be adjusted pending further amendments in 2020).

  • Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.

  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Many businesses may dismiss CCPA compliance by only focusing on the annual gross revenue threshold, but it’s worth doing due diligence to better understand how much personal data your business processes. You’d be surprised to find how easy it is to receive personal information for 50,000 people, households, or devices.

Once you’ve determined that your organization must comply with CCPA, the road to compliance largely depends on your current business operations and what needs to be revised or developed. However, as a starting point: 1) determine what personal information you collect, 2) determine what happens with it after collection, 3) review and update your privacy policy to comply with the CCPA, 4) review and update your website to notify consumers, at or before the time of collection, that you collect information, 5) establish procedures for responding to information and deletion requests, and 6) if you sell data, establish a “Do Not Sell My Information” page and opt-out procedure.

Again, we’re not attorneys and highly recommend that you read the CCPA for yourself and work alongside trusted legal counsel. Be on the lookout for PMG’s POV on how CCPA affects digital programs in the weeks to come.


Posted by Abby Long
