What Exactly Is CCPA – California Consumer Privacy Act?

For several years now, efforts have focused on protecting Internet users and their data, and today data protection is widely perceived as a priority. On 25 May 2018, the European Union introduced the General Data Protection Regulation (GDPR), which not only looks to protect the data of internet users, but extends this protection to every sphere of human life related to the transfer of the personal data of European citizens. A few days later, following hot on the heels of GDPR, the California Consumer Privacy Act (CCPA) was passed into law.

CCPA is a law of the state of California and covers consumer rights related to the access, sharing and deletion of the personal data of California residents that has been collected by businesses. When CCPA came into force, almost 2 years later, on 1 January 2020, every business that collects and sells the personal data of California residents had to be compliant with this law.

However, there are thresholds which apply. Companies must have:

1. at least $25 million in annual revenue.
2. personal data on at least 50,000 California residents.
And:
3. more than half of their annual revenue derived from the sale of personal data.

If your company meets at least one of the above criteria, you need to be prepared to comply with CCPA requirements. Please keep in mind that this law applies to you even if you are not based in the United States.


What data does CCPA cover?


California law has gone a step further and encompasses a greater scope of personal data than GDPR. According to the CCPA definition, “personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Here’s what AB 375 considers “personal information”:


(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

(B) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(C) Biometric information.

(D) Internet or other electronic network activity information; including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.

(E) Geolocation data, audio, electronic, visual, thermal, olfactory, or similar information.

(F) Professional or employment-related information.

(G) Education information, defined as information that is not publicly available, personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

(H) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.

(I) Characteristics of protected classifications under California or federal law.


What do Publishers, controllers of data in the programmatic environment, need to do in order to be compliant with CCPA?


And to this question we may add: what do they need to do in order to give users the possibility of acquiring or deleting their data from the site's database or cookies? CCPA requires transparency about data usage, so the best place to provide information to users is in the privacy policy of the site.

In order to make your site CCPA-compliant, you need to update it by revealing the following:

– the kind of information you collect and process
– the reasons for collecting and processing information
– methods for collecting and processing information
– methods for requesting access to personal data, to encompass the transfer, change or deletion of personal data
– methods for verifying the identity of the person who submits a request

The Publisher must have a site page called “Do Not Sell My Personal Information”. This allows consumers to opt out of the sale of their personal data. It must be linked on the homepage in the visible area of the site. What is more, users must be able to request this opt-out without having an account. The decision of the user must be respected for at least 12 months. Only after this time can the Publisher ask the users again whether they will agree to the sale of their data.


COPPA as part of CCPA


COPPA (Children’s Online Privacy Protection Act) was established in 1998 and entered into force on 21 April 2000 with the aim of protecting privacy and controlling the gathering and sale of data from users under 13 years of age. COPPA applies to websites and commercial enterprises. In accordance with the law, a domain that gathers information about users under 13 years of age needs to add information about the specific data gathered and the purpose for which it is gathered. In many cases gathering data from users under 13 requires approval from their parents.

CCPA increased this threshold to users of 16 years of age, which guaranteed that parents and teens had more control over their personal data. Minors under the age of 16 must authorize the sales of personal data, whereas for children under 13, the opt-in consent must be collected from parents and guardians before the Publisher can sell children’s data. For Publishers this means that they need to add to their site a consent request that will ask users under the age of 16 for an opt-in for the selling of their data.


What “sale” means under CCPA


“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.


What happens if a company is not compliant with CCPA?


Companies will receive notification from regulators about the violation. After that they will have 30 days to become compliant with the law. If the company is still not compliant after those 30 days, it will incur a fine of up to $7,500 per record. Even with small sites the scale of the fine can be massive, so it’s better to steer clear of such notifications.


Last but not least


Even though CCPA will take effect on 1 January 2020, when CA residents may start requesting CCPA, the SB 1121 amendment has delayed enforcement by up to six months, with 1 July being given as the cut-off point. Because of this extension, businesses have had a chance to get their houses in order. However, the amendment could be completed at any time, so it is advisable to make preparations as fast as possible; the date of 1 July is just a provisional deadline. California is the first US state to have created such a regulation about user data, but other states are sure to follow. So we need to be watchful for all such legislative moves; albeit such legislation could take years to be brought into law.



Bartłomiej Oprządek

Karol Jurga

Chief Revenue Officer
