Is Adjust a CCPA compliant service provider?
Yes. As a Service Provider, we comply with CCPA rules. We can exercise any request of the client’s to provide or delete data with expediency. Data privacy is one of our defining philosophies, and we work tirelessly to ensure that we provide responsible analytics and measurement that does not infringe upon a user’s right to privacy.
What is CCPA?
CCPA is a California state law that introduces new data privacy rights to consumers and imposing limits on the collection and sale of personal information of California consumers by businesses.
Who and what does CCPA cover?
CCPA dictates how businesses and service providers process and store the personal information of California consumers.
A “Business” under CCPA is a company that:
- Does business in California
- Decides how and why personal data is processed
- Has one or more of the following characteristics:
- Gross revenue of over $25 mil per year
- Buys/sells/receives/shares personal information from over 50,000 consumers/households/devices per year
- Makes half or more of its revenue per year from selling personal information.
A “Service Provider” under CCPA is a company that processes personal information on behalf of a Business. Adjust is considered a Service Provider.
“Personal Information” under CCPA includes IP addresses, email addresses, account names, social security numbers, driver license numbers, bank account numbers, credit card numbers, records of personal property, biometric information, browsing history, search history, geolocation data, professional or employment-related information and more.
Do I have to comply with CCPA?
If you’re an app that has a sizeable consumer and business presence in California and the definition of Business, for the purposes of CCPA, applies to you, you’re subject to CCPA compliance.
If you use a Service Provider that handles personal information on your behalf as a Business, both the Service Provider and the Business will also be subject to CCPA compliance. Adjust complies with CCPA regulations.
How do I achieve CCPA compliance?
If you’ve already achieved GDPR compliance, it should be easy for you to comply with CCPA. The consumer rights outlined in GDPR are similar to those enforced in CCPA. You should consult with your legal counsel to identify any (remaining) steps to achieve compliance.
If you aren’t GDPR compliant or don’t know if you are, one of the most important things to ensure is that your consumers can exercise their data privacy rights under CCPA, which include:
- The right to access data and right to “data portability”. This right ensures that consumers can access the personal data being collected and stored by a Business at any given time, twice a year. Data portability is really just ensuring that the data can be delivered in a suitable format for the customer, such as a readily accessed file or by mail.
- The right to be informed. This is in-line with GDPR-led cookie notices. This right compels Businesses to include the consumer’s rights under CCPA within their privacy notice, covering the kinds of personal information the Business is collecting and, if the Business sells or discloses personal information for a business purpose to a third party, what personal information is sold and to whom.
- The right to opt-out/opt-in of data sales. For adults, they must be notified of their right to opt-out of any business practice that sells personal information to third parties.
- For children under 16, the rules get a little trickier. For children under 13, Businesses need strict consent from the child’s guardian before selling the child’s personal data. For children over 13, Businesses must get consent from the child themselves.
- The right to delete data. The consumer has the right to request a Business to delete personal information about them. If a consumer exercises this right, the business has 45 days to comply.
- The right to not be discriminated against for exercising CCPA rights. A Business cannot discriminate against the consumer in any way for exercising their CCPA rights. This includes charging different prices or rates, denying app access in part or in whole, or providing a lower level of app experience and quality (e.g. locking out parts of the app, operating slower for consumers who exercised CCPA rights, etc.).
After implementing these processes to ensure that users can exercise their data privacy rights, you should also consult with your legal counsel to see other areas of CCPA compliance that require your attention.
When should I start worrying about CCPA?
The law goes into effect on January 1st, 2020. While there might be some time for regulatory agencies and the California AG to ramp up enforcement, it’s still smart to start thinking about building compliance before the law goes into effect.