The California Consumer Privacy Act (CCPA) was signed into law in 2018 and goes into effect on January 1, 2020. As discussed in our CCPA FAQ blog post, the law is designed to give California consumers more control over their personal information, so any company that processes personal data of Californians should understand how the CCPA affects it. Although the CCPA protects California residents, businesses located outside California that do business in the state must also comply. A business falls within the act if it has annual gross revenues above $25 million (regardless of how much personal information it collects), annually buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices, or derives 50 percent or more of its annual revenue from selling consumers’ personal information.
In this blog post, we will cover how to ensure that your company is satisfying its transparency requirements, the Interactive Advertising Bureau (IAB) CCPA Framework, how users should be able to opt-out of a “sale” of their data, and additional user rights under the CCPA.
Transparency Requirements Under the CCPA
The purpose of the CCPA is to increase transparency between California consumers and companies, giving greater rights to consumers over their personal information. This includes the right to know what category of data is being collected about a person and for which purposes, and whether their personal information is being shared or “sold” to other businesses, service providers, or third parties. Consumers are also able to opt-out of any “selling” of their data, request access to their data, and request that their data is deleted.
For companies, this means that their privacy policy must be updated to reflect if and how consumer data is being collected and shared.
A CCPA compliant privacy policy must include:
- A description of consumers’ rights under the CCPA;
- A description of the categories of personal information collected by the business in the preceding 12 months;
- The business purposes for which the personal information is collected;
- The categories of personal information sold or disclosed for a business purpose in the preceding 12 months;
- The categories of third parties with whom personal information is shared;
- A link to a “Do Not Sell My Personal Information” web-based opt-out possibility (when the business “sells” data);
- A description of any financial incentives for providing data or not exercising rights to delete or opt-out of the sale of data (e.g., if a company offers a discount or an in-game reward to users entering their email address for marketing purposes, this incentive must be disclosed in the privacy policy); and
- Two or more designated methods for submitting requests to know, including at a minimum a toll-free telephone number for California consumers and, if the business maintains a website, a web address for exercising this right (such as a web form); a business that operates exclusively online and has a direct relationship with the consumer need only provide an email address for such requests.
In addition to the requirements listed above, the privacy policy must also be written in a clear and precise language that is easy for users to understand.
The IAB CCPA Compliance Framework
One of the main aspects of the CCPA is the right for California consumers to opt-out of businesses selling their data to third parties. The act keeps what constitutes a “sale” broad, putting the ad tech industry in a tricky position in their preparations for January 1, 2020. Simply disclosing data to another business that processes data for their own analytics or for purposes of another business, even as part of a larger transaction involving a product or service, likely constitutes a “sale”.
The IAB has created a new advertising industry framework to support CCPA compliance for publishers and technology companies engaged in programmatic and direct transactions where a sale of personal information takes place. This framework is specifically designed for publishers who sell consumer data (and the technology companies they sell it to) in order to ensure that they remain compliant with the new act. There are three goals of the framework: ensuring that publishers communicate consumer rights to their Californian users, including how to opt-out; that publishers digitally communicate which users have opted out of the sale of their data; and that ad tech companies receiving data from users who opted out treat it in compliance with the CCPA and exercised rights of the users. According to the IAB, any company involved in the digital advertising industry is able to sign the framework agreement.
The framework offers participating publishers with guidelines for how they must provide consumers “explicit” notice of their rights under the CCPA, as well as what will happen to their personal data, in addition to notifying their business partners (to whom consumer data is disclosed) that these notices were provided. Publishers are also required to include a “Do Not Sell My Personal Information” link on their digital platforms, including apps. If a user clicks this link, they should be opted out of any sale of data previously collected about them, while downstream business partners should also be notified to ensure that users’ rights are honored. The IAB also provides technical specifications to signal this information throughout the advertising chain.
The IAB Limited Service Provider Agreement
The framework also defines what a “service provider” in the advertising technology industry may do with personal information and establishes a new industry-wide contract for that role: the IAB Limited Service Provider Agreement. A “service provider” is a company that processes consumer data on behalf of a business, for specified business purposes, under a written contract with that business. Signing the agreement prohibits the service provider from processing data in ways not permitted by the agreement or the CCPA once a consumer has opted out of the sale of their data. Participants sign this one contract rather than a separate contract with every publisher in the IAB CCPA framework, which simplifies the ad tech data chain while letting data buyers demonstrate accountability through regular audits confirming that no personal data of California consumers is misused after those consumers have exercised their rights.
How Can Users Opt-Out?
The CCPA requires that consumers be able to opt out of the sale of their data easily, through a “Do Not Sell My Personal Information” link. Under the IAB Framework, this link must appear on the company’s website and on any other platform where data is collected (including apps), and must be listed in the privacy policy. A GDPR-style consent banner is therefore not needed for the opt-out.
While users must be able to actively opt out of the sale of their data via a company’s website, privacy settings on devices must also be interpreted as opt-out signals, meaning that opt-out flags users set on their devices need to be respected. For example, a user can choose to limit ad tracking through the device-level settings of a mobile device, commonly found under the privacy settings. A company should read this as the user submitting a valid opt-out request if the user resides in California.
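The IAB Framework’s technical specification for signalling this downstream is the US Privacy String (the `us_privacy` value, e.g. `1YNN`, passed along the ad chain). The post does not describe it, so the following is an added example, not code from the original post, the IAB or any publisher: it parses that string and combines it with a device-level limit-ad-tracking flag into a single “may this request’s data be sold?” decision. The string layout is the IAB Tech Lab’s published one; the function names, the `california_user` input (how you determine residency is out of scope here) and the decision policy (fail closed on missing or malformed signals, require explicit notice before treating “N” as permission, honour the device flag as an opt-out for Californians) are this example’s own assumptions and design choices, not rules stated by the framework.

```python
"""
Added example (not code from the original post, the IAB or any publisher):
turning the opt-out signals described above into one "may we sell?" decision.

US Privacy String layout, as published by IAB Tech Lab (version 1):
  [0] specification version, currently "1"
  [1] explicit notice given to the consumer:    Y / N / - (not applicable)
  [2] consumer has opted out of sale:           Y / N / -
  [3] covered by the IAB Limited Service Provider Agreement: Y / N / -
"-" in positions 1-3 signals that the CCPA does not apply to this request.

The decision policy in may_sell() is this example's own design choice.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UsPrivacy:
    version: str
    notice_given: Optional[bool]       # None means "-" (not applicable)
    opted_out_of_sale: Optional[bool]
    lspa_covered: Optional[bool]


def _flag(ch: str) -> Optional[bool]:
    """Map one Y/N/- character to True/False/None; anything else is malformed."""
    if ch == "Y":
        return True
    if ch == "N":
        return False
    if ch == "-":
        return None
    raise ValueError(f"invalid us_privacy flag {ch!r}")


def parse_us_privacy(value: str) -> UsPrivacy:
    """Parse a version-1 US Privacy String; raise ValueError on anything else."""
    if len(value) != 4 or value[0] != "1":
        raise ValueError(f"unsupported us_privacy string {value!r}")
    return UsPrivacy(value[0], _flag(value[1]), _flag(value[2]), _flag(value[3]))


def may_sell(us_privacy: Optional[str],
             device_limit_ad_tracking: bool,
             california_user: bool) -> bool:
    """
    Return True only when personal information from this request may be
    passed downstream as a "sale". Every ambiguous case returns False.
    """
    # A device-level "limit ad tracking" setting is read as a valid opt-out
    # request from a California consumer (the interpretation given above).
    if california_user and device_limit_ad_tracking:
        return False

    # No signal at all: a California consumer's data must not be sold;
    # outside California the CCPA imposes no restriction here.
    if us_privacy is None:
        return not california_user

    try:
        signal = parse_us_privacy(us_privacy)
    except ValueError:
        return False  # malformed signal: fail closed rather than guess

    if signal.opted_out_of_sale is True:
        return False  # explicit opt-out, wherever the user is

    if signal.opted_out_of_sale is None:
        # Sender says the CCPA is not applicable; do not trust that for a
        # request we have ourselves identified as coming from California.
        return not california_user

    # "N" (not opted out) only counts if explicit notice was actually given.
    return signal.notice_given is True
```

The conservative branches matter in practice: a bid request with a truncated or lowercase string, or with no string at all, is the common failure mode in a long ad chain, and defaulting those to “sell” is exactly how an opted-out user’s data leaks downstream.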
What Other Rights Do Users Have Under the CCPA?
In order to comply with the CCPA, a company must know what personal data it collects, where that data is stored, and with whom it has been shared and for which purpose. Personal information must therefore not only be stored securely but also be readily identifiable in the company’s databases, including where the data is held by a vendor. A process must also be in place for responding to consumers’ requests to know and to delete within 45 days of receipt (extendable once by a further 45 days where reasonably necessary), and for honoring opt-out requests promptly; the Attorney General’s draft regulations propose a 15-day deadline for acting on an opt-out.
Additionally, users may request a copy of the personal information collected about them, along with the purposes for which it was used, so companies need to be able to provide records covering the 12-month “look-back” period preceding the date of the request. The general understanding of this requirement is that companies do not need to retain data for 12 months in order to comply, provided there are no other legal requirements to retain it and their own data retention periods are stricter.
If service providers have had access to a company’s user data to fulfill their business contract, they are required to have a process in place for dealing with consumer rights and any opt-out requests. Therefore, there should also be a contractual agreement in place to ensure that they are handling consumers’ data in line with the CCPA.
Finally, all businesses must train the employees who handle consumer inquiries, including customer-facing staff, on the CCPA’s requirements and on how to direct consumers to where they can exercise their rights.
What’s Ahead?
The CCPA goes into effect on January 1, 2020, but the Attorney General cannot bring enforcement actions until July 1, 2020. Note that the act’s obligations, including the 12-month look-back, nonetheless apply from January 1. In the interim, the California Attorney General’s draft CCPA regulations, which will interpret and implement the act, will go through a further round of public comment.
However, companies should be prepared to become more transparent in how they are collecting, using, and storing consumer data. This must be conveyed through an updated privacy policy and a notice of how users can opt-out, as well as providing information about what happens to their data after users have opted out. In addition, companies should assess their relationships with all their vendors to identify which of them are considered service providers under the CCPA and which of them are businesses or third-parties. The underlying agreements need to be assessed to identify changes needed to ensure that the obligations of the parties are in line with the CCPA.
Disclaimer: The information on this webpage is for general information only and does not constitute legal advice. Please consult your own legal professionals if you seek advice on specific interpretations and requirements of the CCPA.