Frequently Asked Questions:
- What is CCPA?
- When does CCPA go into effect?
- Who is regulated under CCPA?
- Is Kochava subject to CCPA?
- Are Kochava’s clients subject to CCPA?
- What is the difference between a business, service provider, and third party?
- Who is protected?
- What information is protected?
- Does CCPA protect de-identified or aggregated data?
- What are some of the major rights consumers have under CCPA?
- Are there any special rights for children under CCPA?
- What are some of the major obligations a business has to its consumers under CCPA?
- Is a business liable for the actions of its service providers?
- What does it mean to “sell” personal information under CCPA?
- What is a “business purpose” under CCPA?
- Does CCPA specify certain operational purposes as a “business purpose”?
- Are there circumstances where a business is not required to comply with a request to delete personal information?
- Can a person charge different prices based on its ability to sell personal information?
- Can a business offer incentives to consumers in relation to the business’s use of personal information?
- Can a consumer sue a business under CCPA?
CCPA is a California state law that provides data privacy rights to California residents and restricts the collection and sale of their personal information.
CCPA goes into effect on January 1, 2020. The California Attorney General has authority to begin enforcing the law on July 1, 2020.
Cal. Civ. Code § 1798.185
CCPA regulates “businesses,” “service providers,” and “third parties.”
Kochava is a CCPA-compliant “service provider.”
Most of Kochava’s clients are likely to be subject to CCPA as a “business.”
- Business: Any for-profit entity doing business in California that meets one of the following:
  - Has a gross revenue greater than $25 million.
  - Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
  - Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
- Service Provider: A for-profit entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing personal information for any purpose other than for the specific purposes of performing the services specified in the contract for the business.
- Third Party: A person who is not a “business” or a “service provider.”
Cal. Civ. Code § 1798.140(c), (v), (w)
Consumers are protected under CCPA. A “consumer” is defined as a California resident that is either:
- In California for other than a temporary or transitory purpose.
- Domiciled in California but is currently outside the State for a temporary or transitory purpose.
- Customers of household goods and services
- Business-to-Business transactions
Cal. Civ. Code § 1798.140(g) and Cal. Code Regs. tit. 18, §17014
CCPA protects personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household. Specifically, personal information includes:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
- Geolocation data.
Cal. Civ. Code § 1798.140(o)
CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is de-identified or aggregated.
Cal. Civ. Code § 1798.140(a), (h), (o), and 1798.145(a)(5)
- Right to Opt Out:
  - Consumers have the right to direct a business that sells personal information to third parties not to sell the consumer’s personal information. Cal. Civ. Code §1798.120(a)
- Right to Deletion:
  - Consumers have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. Furthermore, the business must direct its service providers to delete the consumer’s personal information. Cal. Civ. Code §1798.105(a) and (c)
- Right to Disclosure:
  - Consumers have the right to request that the business disclose to the consumer (i) the categories of personal information collected, (ii) the categories of personal information sold to third parties, (iii) the categories of third parties to whom personal information was sold, and (iv) the categories of personal information the business disclosed for a business purpose. Cal. Civ. Code §1798.115(a)
- Right of Data Portability:
  - Consumers have the right to receive their personal information from a business in a readily useable format to enable the consumer to transmit the information from one entity to another without any hindrance. Cal. Civ. Code §§1798.100(d) and 1798.130(a)(2)
CCPA prohibits selling personal information of a consumer under the age of 16 without consent. Children aged 13-16 can directly provide consent. Children under 13 require parental consent. Protections provided by the federal Children’s Online Privacy Protection Act (COPPA) still apply on top of CCPA’s requirements.
Cal. Civ. Code §1798.120(c)-(d)
- Obligation to Provide Easy Opt-Out:
  - A business must:
    - Include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on its website homepage.
    - Not request reauthorization to sell a consumer’s personal information for at least 12 months after the consumer opts out. Cal. Civ. Code §1798.135(a)
- Obligation to Inform:
  - A business must:
    - Inform consumers at or before the point of collection about (i) the personal information categories the business will collect and (ii) the business’s intended use for each category.
    - Inform consumers before the business (i) collects additional personal information categories or (ii) uses collected personal information for unrelated purposes.
    - Inform consumers of their rights to request the deletion of their personal information. Cal. Civ. Code §1798.105(b)
- Obligation to Respond:
  - A business must:
    - Comply with a verifiable consumer request.
    - Respond within 45 days after receipt (potentially extendable once for another 45 or 90 days on customer notification).
    - Inform the consumer of the reasons for not taking action.
    - Provide the information free of charge, unless the request is unfounded or excessive. Cal. Civ. Code §1798.100(c)-(d), 1798.105(c), 1798.110(b), 1798.115(b), 1798.130(a)(2), 1798.145(g)
A business that discloses personal information to a service provider is not liable under CCPA if the service provider receiving the personal information uses it in violation of CCPA restrictions, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. Likewise, a service provider is not liable under CCPA for the obligations of a business for which it provides services.
Cal. Civ. Code § 1798.145(h)
To “sell” personal information under CCPA, a business must “sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means” personal information to another business or third party for monetary or other valuable consideration.
Cal. Civ. Code §1798.140(t)(1)
A business is not “selling” when the business uses or shares personal information with a service provider that is necessary to perform a business purpose, so long as (i) the business has provided the consumer with proper notice and (ii) the service provider does not further collect, sell, or use the personal information beyond what is necessary to perform the business purpose.
Cal. Civ. Code §1798.140(t)(2)(C)
“Business purpose” means the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information is reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.
Cal. Civ. Code §1798.140(d)
CCPA specifies the following operational purposes as a business purpose:
- Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
- Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
Cal. Civ. Code §1798.140(d)
A business or service provider is not required to comply with a consumer’s request to delete personal information if it is necessary for the business or service provider to maintain the consumer’s information in order to, among other things:
- Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- Use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
Cal. Civ. Code §1798.105(d)
Nothing in the CCPA prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of services to consumers, if that difference is reasonably related to the value provided to the consumer by the consumer’s data. However, if the difference in price or service is unrelated to the value received by the consumer, then the business may not discriminate against the consumer for exercising any of their CCPA rights.
Cal. Civ. Code § 1798.125(a)
Cal. Civ. Code § 1798.125(b)
CCPA establishes a narrow private right of action for certain data breaches of nonencrypted or nonredacted personal information. However, companies have a 30-day grace period to cure violations. Consumers may seek the greater of actual damages or statutory damages ranging from $100 to $750 per consumer per incident. Courts may also impose injunctive or declaratory relief.
Cal. Civ. Code § 1798.150