What you need to know about CCPA
By now, you’ve probably heard that California passed a privacy law which goes into effect in 2020. Below is general information about it. If you already know the basic information and you want to cut to the chase about working with ownerIQ, skip down to How will ownerIQ comply? and How will working with ownerIQ affect my CCPA compliance?
What is the California Consumer Privacy Act (“CCPA”)?
The California Privacy Protection Act of 2018, also known as CCPA, provides California residents certain privacy protections in terms of how their personal information can be used by for-profit companies.
Does the CCPA affect my company?
Any for-profit company that does business in California has requirements under CCPA if it meets any of the following:
- Your business’s annual revenue is over $25 million
- Your business received information of over 50,000 consumers, households, or devices annually
- At least half of your business’s annual revenue comes from selling personal information
When does the CCPA go into effect?
CCPA was signed into law in June, 2018. The requirements go into effect on January 1, 2020.
However, the California Attorney General has until July 1, 2020 to publish regulations (the standards for enforcing the law). Also, the Attorney General cannot bring legal action against violators of CCPA until either July 1, 2020 or six months after the final regulations are published, whichever comes first.
What are my compliance obligations under the CCPA?
Broadly speaking, CCPA requires two parts: disclosure obligations and information governance.
- Their rights under CCPA
- Categories of information being collected
- How the personal information will be used (including whether it will be shared or sold to third parties)
- Categories of personal information shared with or sold to third parties within the past 12 months.
Companies also must place mechanisms that allow consumers to exercise their rights to obtain and delete their personal information, as well as to opt out of the sale of their personal information. CCPA requires companies that sell personal information to place a link on the website home page titled “Do Not Sell My Personal Information,” linking to a page that allows consumers to opt out. This required language and link seems to be a replacement of Opt Out link in the website footer and probably functions similarly, though functionality upgrades may be needed.
What is Personal Information under CCPA?
“Personal Information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include publicly available information.”
This definition includes cookies and mobile ad IDs, which are used in programmatic advertising by ownerIQ and other adtech companies.
What counts as selling personal information under CCPA?
“Selling” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
“Selling” is broadly defined. For ownerIQ customers, they must decide whether they receive monetary or other valuable consideration with the use of their audience segments. If so, the “Do Not Sell My Data” link and associated opt out page should be placed on the website home page, along with the appropriate disclosures at the point of collection and in the privacy notice.
How will ownerIQ comply?
We will update our disclosures, based on our classification under CCPA. We are also working with other companies in our industry to address whether our standard industry opt out platform needs to be upgraded to comply with CCPA, as well as how to provide the right of access. (Our opt out choice is basically a deletion already; we will make sure it meets the right to delete.) We will work with our customers on any information they need to fulfill their disclosure and choice mechanism requirements.
How will working with ownerIQ affect my CCPA compliance?
This will depend on which ownerIQ products and services you purchase, as we would be either a service provider or a third party under CCPA. If you are advertising using your own audience segments (e.g., retargeting), you have disclosure requirements for the original collection of the data, like you would in most of your business activities, and we would likely be your service provider. If you allow use of your audience segments for uses beyond your own advertising, you will need to place the “Do Not Sell My Data” link on your website homepage, along with the required collection and privacy notice disclosures. Many uses of data, even beyond programmatic advertising, will fall in the latter category. Make sure you can provide the appropriate disclosures and opt out choice, as well as propagating the right to access and deletion to your vendors. ownerIQ will provide an opt out choice for its data use (may be similar to our current opt out link), and assistance in the right of access (as those tools are further developed by the adtech industry).
Note: All of the above is based on CCPA as it is today. There is still work being done by the California AG, as well as other parties, in clarifying the implementation of CCPA.