Understanding the CCPA
Paul H. Müller
Co-Founder & CTO
Sep 24, 2019
The California Consumer Privacy Act is a bill designed to enhance privacy rights and consumer protection for residents of California, United States. The CCPA becomes effective on January 1, 2020.
But what impact does it have for you as an app marketer? What are your users’ rights and what are your duties when processing their personal data? And how does Adjust help you to comply with this law?
Who is it for?
Before we go any further, let’s address the question you’re probably already asking yourself: “Does this law even affect me?”
The CCPA has a simple checklist to see if you fall under the definition of “business” and thus have to comply with the law.
- Operated for profit
- Does business in California
- Has one or more of the following characteristics:
  - gross revenue of over $25M per year
  - buys/sells/receives/shares personal information from over 50,000 consumers/households/devices per year
  - makes half or more of its revenue per year from selling personal information
As you may have guessed, it is the “receives personal information of over 50,000 consumers per year” element that will require most app marketers to adhere to the CCPA.
And just in case you think: “But I only have a few people in California using my app.”
A consumer is defined as:
- Anyone who is in the State of California for anything other than a temporary transitory purpose
- Any individual domiciled in California who is outside the state for a temporary transitory purpose
This means that unless you can somehow be sure that none of your app’s users is in California, or is outside California but has an address inside the state, the CCPA is most likely something you need to address.
An easy way to understand the CCPA is to compare it to the GDPR. Most marketers will already be familiar with its language and intent.
In case you aren’t up to date on the GDPR, here’s our checklist.
In their basic intent both laws are quite similar. They aim to give consumers the right to control and understand what personal data gets collected and with whom it may be shared. Unsurprisingly, the definitions of personal data outlined by the two laws are very similar.
Another important concept carried over is the relationship between entities that own the users’ personal data and entities that process data for them. In the GDPR the terms are quite straightforward: “Data Controller” and “Data Processor”, both of which do pretty much what it says in the name. The CCPA uses the terms “Business” and “Service Provider”, which essentially mean the same thing as their GDPR counterparts.
Simplified, this means a “Business” needs a data processing addendum with a “Service Provider” to let them handle their users’ data.
This may sound straightforward, but this definition brings some interesting changes for marketers using certain Service Providers.
Service Providers under the CCPA, much like Data Processors under the GDPR, are defined as processing personal data for a Business without having ownership of the data themselves. This allows companies to use mobile attribution providers, analytics tools and the like to improve their business. Indeed, Adjust is already in the process of updating all client agreements to include data processing under the CCPA.
However, both laws define what you are allowed to do with personal data you process as a Business or as a Service Provider. If a Service Provider took data collected for a Business and sold it to its other clients, it would be in violation of the CCPA.
Section 1798.140 (t)
(1)“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring (...) a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
(2) For purposes of this title, a business does not sell personal information when:
(C) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purposes if both of the following conditions are met: services that the service provider performs on the business’ behalf, provided that the service provider also does not sell the personal information.
A good example of such personal data selling is “people-based attribution”, something Adjust has decided against providing for legal and ethical reasons.
For marketers this means they need to vet any Service Provider and their practices when it comes to handling personal data.
Opt in vs. opt out
The biggest difference between the CCPA and the GDPR is to do with user consent - specifically, the assumption of said consent before any action is taken by the user.
The GDPR made huge waves when it required all personal data processing to be “Opt In”. Only in its recitals were exceptions such as “legitimate interest” clarified, allowing digital marketing to operate much like before.
The CCPA does not have the same strict definition and instead focuses on the rights of users and the duties of Businesses.
Another difference is the amount of additional clarifications and explanations given by lawmakers for the GDPR. Many details not outlined in the original law were added later. For example, the GDPR has over 170 recitals laying out its legal intentions in practical terms.
At the moment the CCPA is still lacking a lot of those explanations and clarifications. But as we get closer to 2020 we can expect the Attorney General to release more information.
So what do you need to be ready for CCPA?
At the core of the CCPA are the consumer rights you need to respect. Let’s have a look at those rights:
- The right of the Consumer to know what personal information is being collected about them
- The right of the Consumer to know whether their personal information is sold or disclosed and to whom
- The right of the Consumer to say no to the sale of personal information
- The right of the Consumer to access their personal information
- The right of the Consumer to equal service and price, even if they exercise their privacy rights
The first two will require adding a disclaimer to your app that informs the user of what personal data you collect, who you are sharing it with and what will be done with it.
This should be handled by legal counsel and should be analogous to your existing data privacy disclaimers.
The right to opt out of the sale of personal information, including the deletion of already collected data, should be available to users from inside your app. A good idea is to build a programmatic interface for your own data warehouse and the service providers you share data with. This way you can easily propagate a user’s decision to be forgotten.
To quote the law:
Section 1798.135. (a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers:
Provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer (...) to opt out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
Adjust offers APIs from within the SDK and via S2S that allow you to delete a user’s data and opt them out from any further data collection. At the moment they are named after the GDPR that made them a requirement, but we might update the naming in the future to a more neutral term.
To access their personal data, users can reach out to you via a process or interface you need to provide. Adjust’s data will be a part of your response to the consumer and can be easily accessed through the account management team.
The right to equal price and service should be clear and something to consider when designing your app.
In a nutshell
Much like for Adjust, complying with the CCPA will be an easy exercise for most of our customers, as we are already GDPR compliant and respect the same user rights for all personal data collected.
This means Adjust is complying with the CCPA and all its requirements.
For clients that are dealing with privacy rights for the first time, the good news is that Adjust offers all necessary processes and interfaces to make compliance as easy as possible.
On top of that, Adjust is also the only measurement partner that follows the strictest of interpretations when it comes to our duties as Service Provider. We will only process your users’ personal data within the scope of your app and never share or sell any information.
We believe that this is the best strategy going forward, as the new Californian law represents only the beginning of consumer privacy regulations in the US market.
If you have any questions around the CCPA and how Adjust ensures your users’ rights, reach out to us.