
The CCPA (U.S.)

Caution

While we love discussing regulatory interpretation with our customers, LiveRamp does not provide any feedback that should be considered legal counsel. Please work with your legal team or external counsel to determine the compliance interpretation that best suits your business’s needs.

The California Consumer Privacy Act (CCPA) went into enforcement on July 1, 2020. It is the most comprehensive privacy law in the United States of America targeted at companies that collect and/or sell personal information. It is designed to give Californians more control over their own data.

The following are among the major new data protections CCPA introduces:

  • Right to access information: Consumers in California will be able to know the “what, who, and why” surrounding their personal information. Specifically, they can request the following, which must be provided in a digestible format:

    • Which categories of information were collected and sold

    • From whom this information was collected, with whom it was shared, and to whom it was sold

    • Why it was collected

  • Right to deletion: Consumers in California will be able to request that a company delete the personal information it has collected about them.

  • Right to opt-out: Consumers in California will be able to direct a company to not sell their personal information to third parties (although the definition of “sell” in the bill is broader than simply monetary exchange).

  • The CCPA's broad definition of a 'sale' can, and likely does, encompass situations where a company allows a third party to gather information from consumers through the use of cookies.

CCPA Regulations, approved on August 14, 2020, are the practical and technical procedures for businesses to implement the CCPA’s statutory requirements.

  • Update Privacy Policy Disclosures: Amend existing privacy policies to disclose additional data privacy collection, use, disclosure, and sale practices, and provide details on the business’s verification and processing of requests, and financial incentives.

  • Provide Notice of Collection of Personal Information and, for businesses that sell PI, a notice of the right to opt out.

  • Adhere to Guidelines for Verifying Consumer Requests.

  • Establish Recordkeeping: maintain records of CCPA consumer requests in a specific form for at least 24 months.

The CCPA is the most comprehensive privacy law in the United States to date and is designed to give Californians more control over their personal information by providing rights that include the right to access information, right to opt out of the sale of information, and the right to deletion.

The CCPA applies to for-profit businesses operating in California that collect personal information of California consumers for which any of the following are true:

  • Annual gross revenues over $25M.

  • Annually buys, receives, sells, or shares personal information of over 50,000 California consumers, households, or devices.

  • Derives at least 50% of annual revenue from selling California consumers’ personal information.

If a company intentionally violates the CCPA, it will be subject to the maximum civil penalty: $7,500 per data record associated with the violation. Otherwise, the maximum penalty is $2,500 per violation. Additionally, the CCPA entitles consumers to $100-$750 compensation per incident or actual damages, whichever is greater, if a company did not take reasonable security measures in the event of a breach.

No. While efforts made to comply with the GDPR may also be leveraged for compliance with the CCPA, the CCPA is not interchangeable with the EU’s General Data Protection Regulation. There are differences between the two pieces of legislation, and compliance with one does not equate to compliance with the other.

There are a number of differences, but when it comes to the implementation of a preference and consent manager like Privacy Manager, the key difference comes down to whether the default is opt-in or opt-out. Under CCPA, consumers are opted-in by default whereas the opposite is true for GDPR. Additional differences include the need for a consent toggle under GDPR, whereas CCPA requires the implementation of a “Do Not Sell My Info” button.

The CCPA provides the following rights to consumers:

  • The right to know what personal information has been collected.

  • The right to know whether that information has been disclosed or sold.

  • The right to say no to the sale of information (also called "opt out").

  • The right to request deletion of their personal information.

  • The right to access their personal information.

  • The right to equal service/price for users who do exercise their privacy rights vs. those who do not.

While there are many actions required for compliance for your site and app, here are a few places where technology can help:

  • Examine all third party resources on your site or in the app.

  • Involve your web and app developers.

  • Come up with a CCPA compliance strategy (consider removing some of those third party resources, for example).

  • Select the appropriate compliance tools.

  • Implement compliance tools and keep them updated.

Tell me more:

  1. Take a close look at your sites and apps.

    Understand which advertising partners you work with, what other resources you have connected, why they are on your app or site and what they do. You are likely to make some interesting discoveries if you do that check, we promise.

    You will most probably need the help of your web and app developers at this point: they will be your best friends in this compliance journey, so be sure that you have somebody by your side who understands how apps and sites work.

  2. Talk to somebody who understands the CCPA. Or become that person yourself.

    Sorry, but this part is hard to avoid: you need to know the ins and outs of the CCPA and what to watch out for as more details become available and the law becomes final. Make sure to consult with your legal team or an outside counsel to ensure you’re going through the right procedures.

  3. Look for the right compliance tools.

    Now that you understand the specifics of your situation and have at least a draft compliance plan, you can decide how to implement it.

  4. Get your web and app developers involved as early on as possible, but keep an overview of the general picture.

    You need to be prepared to spend some time on your site and app compliance, especially if you have never examined them before. So take this activity seriously, have a dedicated web/app developer ready and guide them when needed to make sure that they do not miss the bigger (legal) picture.

    Introduce the developer to the process at the stage of the tool selection, invite them to participate in sales calls and ask questions. After all, they are the ones who will be dealing with whatever you select and they are the ones likely to understand how the implementation will go.

  5. Implement the tools and keep them updated.

    Putting a preference manager on your site/app is not going to make you compliant on its own, and there is a substantial number of other updates necessary to enable compliance for CCPA, including updates and disclosures within your privacy policy. Think of how you are going to stick to your compliance plan and keep the preference manager updated. It’s also important to keep it updated whenever you roll out changes on your site/app or add new third-party resources.

    All in all, compliance is an ongoing process and not a click-of-a-button activity. No tool can make your site or app compliant if you do not have clarity on why you need that tool and how to use it. Our most successful clients have their dedicated project teams ready to deal with all compliance topics. Be prepared to ask a lot of questions and work on the most important part of the compliance process: a plan and an idea of how to execute it. We are always here for you to share information or give advice, but by now you have probably come to the realization that whoever sells miracles is not telling you the whole truth and that compliance is a journey and not a destination, at least at the stage we are in now.