California Consumer Privacy Act (CCPA)

GUIDE:


Getting Started

Going into effect January 1, 2020, the California Consumer Privacy Act (CCPA) is the most comprehensive privacy law in the United States to date. It is designed to give Californians more control over their personal information (i.e. data) by providing rights that include the right to access information, the right to opt out of the sale of their information, and the right to deletion, among others.


The CCPA states that it is designed to provide Californian consumers the rights to:

  • know what personal information is being collected about them

  • know whether their personal information is sold or disclosed, and if so, to whom

  • stop the sale of their personal information

  • access their personal information

  • receive equal service and price, even if they exercise their privacy rights


As a Service Provider, Choozle has worked with all our partners to ensure compliance with Right to Delete requests and Right to Opt-Out requests. We, along with all our partners, have adopted the IAB CCPA Compliance Framework for Publishers and Technology Companies v1.0 as a guideline for technical specifications, and we continue to be a compliant partner of the Network Advertising Initiative (NAI), which manages Choozle’s cookie-based opt-out process.


Choozle has a long-standing commitment to using quality data sources, providing transparency and supporting our partners’ responsible use of data. We always seek to work within the bounds of local and national laws and regulations, as well as consumer expectations. In fact, Choozle and the partners we work with aim to look beyond simple compliance with these laws. We believe industry-wide privacy standards can only improve performance and transparency for all advertising technology participants.

We're looking forward to being part of the solution with you and welcome you to reach out to the Choozle Support Center with any additional questions, or email privacy@choozle.com with any concerns.


Details of CCPA

CCPA compliance has two components: disclosure obligations and information governance. The disclosure must take place at the point where personal information is collected. Simply having a publicly available privacy policy is not enough—it must be linked to wherever personal information is collected. Companies have to inform consumers of:

  • Their rights under the CCPA
  • What categories of information are being collected
  • How that information will be used (including whether it will be shared or sold to third parties)
  • What categories of information have been shared with or sold to third parties within the last year

In addition, companies have to put in place mechanisms that allow consumers to exercise their rights to obtain and delete their information, as well as to opt out of the resale of their information. The law specifies that companies must place a “clear and conspicuous link” on their homepage titled “Do Not Sell My Personal Information,” linking to a page that allows consumers to opt out.


How Choozle Prepared for the CCPA

  • We worked with all our partners to ensure our processes recognize and support core stipulations of the CCPA, like respecting consumer opt-outs.
  • We have been a compliant partner of the Network Advertising Initiative (NAI), which manages our cookie-based opt-out.
  • Choozle commissioned an independent audit by the Programmatic Advisory consultancy to review our internal processes related to data collection and deletion. This effort was to validate our commitment to using quality data sources, providing transparency, and supporting our partners' responsible use of data. The audit included:
    • Assessment of all data flows within our workflows - from the external website to first-party data management
    • Review of Choozle's technical partners including their policies and processes
    • Thorough interview and research process of Choozle's product, policies and processes
    • Review of our communication protocols at every type and stage of interaction
  • In 2018, Choozle was confirmed as being Privacy Shield compliant under both the European and Swiss Frameworks.

How You Can Be Prepared for CCPA

  • Confirm that your clients’ websites (or your brand’s website) have an updated Privacy Policy that explicitly states the use of, and reason for utilizing, Choozle’s Smart Container tag and data targeting features. It should include potential purposes that you may use personal information for in the future—for example, include notice of the use of IP addresses for targeted advertising, similar to cookies and mobile IDs. (Choozle Terms of Service, Section 4.1)
  • Include links to opt-out services for Notice at Collection, Notice of Right to Opt-Out of Sale, and Notice of Incentive within the Privacy Policy for any partners that are collecting data on your behalf on your website. All sites that are leveraging Choozle must provide a link to an industry opt-out page such as the NAI (https://www.networkadvertising.org/choices/). (Choozle Terms of Service, Section 4.1)
  • Ensure all CRM lists (and IP address lists) that might include California residents were collected through permission-based methods if they are uploaded to the Choozle platform. (Choozle Terms of Service, Section 3.2)

FAQs

Who is subject to the law?

The act will apply to any for-profit business that collects or controls California consumers’ personal information and falls into one or more of the three following categories:

    • Earns an annual gross revenue in excess of $25 million;

    • Buys, receives for commercial purposes, sells, or shares the personal information of 50,000 or more Californian consumers, households, or devices on an annual basis; or

    • Derives 50% or more of their annual revenues from selling Californian consumers’ personal information.

Does GDPR compliance cover CCPA compliance?

No. While efforts made to comply with the GDPR may also be leveraged for compliance with the CCPA, the CCPA is not interchangeable with the EU’s data protection regulation. There are differences between the two pieces of legislation and compliance with one does not equate to compliance with the other. 

What if my site (or clients’ site) does not comply with the CCPA?

If a company intentionally violates the CCPA, it will be subject to the maximum civil penalty: $7,500. Otherwise, the max penalty is $2,500 per violation. Additionally, the CCPA entitles consumers to $100-$750 compensation per incident or actual damages, whichever is greater, if a company did not take reasonable security measures in the event of a breach.