CCPA FAQs
LiveRamp's Data Ethics team has put together a quick overview of the CCPA (the California Consumer Privacy Act of 2018) to help make sure you're prepared, as well as to provide you with information on how LiveRamp is approaching its own compliance.
Caution
Disclaimer: This document contains confidential information and is not to be shared outside of the organization it was originally sent to. Further, please note that statements within this document are subject to change, and no information in this document is to be considered legal counsel.
The CCPA is the most comprehensive privacy law in the United States to date and is designed to give Californians more control over their personal information by providing rights that include the right to access information, right to opt-out of the sale of their information, and the right to deletion.
The CCPA went into effect on January 1, 2020. As of March 6, 2020, the draft regulations are awaiting finalization. The California Attorney General is currently working through comments to the modified draft regulations. Note that the Attorney General can begin enforcement of the CCPA on July 1, 2020.
The CCPA applies to for-profit businesses operating in California that collect personal information of California consumers for which any of the following are true:
Annual gross revenues over $25M.
Annually buys, receives, sells, or shares personal information of over 50,000 California consumers, households, or devices.
Derives at least 50% of annual revenue from selling California consumers’ personal information.
The CCPA provides the following rights to consumers:
The right to know what personal information has been collected.
The right to know whether that information has been disclosed or sold.
The right to say no to the sale of their information (also called "opt-out").
The right to request deletion of their personal information.
The right to access their personal information.
The right to equal service/price when people exercise their privacy rights.
No. While efforts made to comply with the GDPR may also be leveraged for compliance with the CCPA, the CCPA is not interchangeable with the EU’s data protection regulation. There are differences between the two pieces of legislation and compliance with one does not equate to compliance with the other.
We recommend focusing efforts around the following proactive measures:
Analysis and Assessment – map existing processes against CCPA requirements to scope the impact of changes and identify stakeholders.
Awareness – drive alignment around the resources needed to address required changes.
Design Future State – create a detailed blueprint for compliance.
Development – transform the blueprint into actionable work streams.
Implementation – remediate gaps and implement new processes, policies, and tools.
Governance – ensure compliance is monitored and enforced by reviewing all data sources and performing privacy impact assessments, as well as amending contracts as needed.
If a company intentionally violates the CCPA, it will be subject to the maximum civil penalty: $7,500. Otherwise, the max penalty is $2,500 per violation. Additionally, the CCPA entitles consumers to $100-$750 compensation per incident or actual damages, whichever is greater, if a company did not take reasonable security measures in the event of a breach.
We have been focusing on the following facets of our business in our preparations:
Website & Policy — we are updating our websites and privacy policies to ensure that California consumers understand and are informed about their rights under the CCPA.
Classification — we are reviewing our products and classifying ourselves as a business or service provider.
Contract — we are remediating our contracts to reflect our product classifications, as well as to ensure that all parties who interact with our network are transmitting data in a privacy-safe, compliant manner.
Product — we are building our systems to recognize and support core stipulations of the CCPA, such as respecting consumer opt-outs.
Consumer Portal — we are creating a consumer portal where consumers can exercise their rights for access, opt-out, and deletion.
Training — we are providing CCPA training to our employees.
LiveRamp will handle opt-outs differently depending on whether a consumer opts out from LiveRamp directly or indirectly through one of our clients or their partners:
Direct Opt-Outs — once the CCPA goes into effect, if a consumer opts out from LiveRamp directly via our website, we intend to universally opt that consumer out of all LiveRamp services regardless of the client.
Indirect Opt-Outs — if a consumer opts out at the website of one of our clients, the client must notify us, and we will opt that consumer out of that individual client’s workflows.
LiveRamp is actively working with its sources to ensure CCPA readiness and will be undergoing due diligence reviews to vet CCPA-compliant data.
LiveRamp is both a business and a service provider, depending on the product and workflow. In general, we are a business where we collect personal information for our own purposes, for example, when we source personal information for our Identity Graph. We are a service provider where we process personal information on behalf of a client for a specified purpose and do not further use or disclose personal information outside of that purpose, for example, when we process client onboarding and measurement data. We will be sending out communications to clients regarding necessary contract updates based on our classification for each product a client has with us.
For more information on the business, service provider, and third-party classifications, please visit https://rampedup.us/ccpa-explained-businesses-service-data sellers-third-parties/.