Preparing for the California Consumer Privacy Act (CCPA)
Reputation.com is committed to protecting our customers’ data and to helping our customers comply with all data protection requirements. We welcome the California Consumer Privacy Act (CCPA) as an opportunity to demonstrate Reputation.com’s transparency about its data practices and privacy. We believe that strong data protection is a critical enabler for consumer confidence, which translates into enhanced service offerings and the growth of digital commerce.
In this White paper, we describe the key requirements of the CCPA and how the CCPA may impact your organization:
- If you are a California Consumer, this White paper will help you understand what rights you have under the CCPA with respect to personal data held by Reputation. com and how you will be able to exercise those rights.
- If you are a Business that has engaged Reputation.com as a service provider, this White paper will help you understand what Reputation.com is doing to prepare for the CCPA, whether the CCPA applies to you, and how Reputation.com is working to help you comply with the CCPA.
This White paper does not prescribe all the specific steps or procedures your organization may need to take to become CCPA-compliant. You may be subject to other requirements and considerations, including requirements that apply to your particular industry, nature of your business, and privacy laws in other jurisdictions where you collect, use, store or transfer personal data.
What is the California Consumer Privacy Act?
The California Consumer Privacy Act of 2018 (CCPA) is a data privacy law passed by the state of California on June 28, 2018. It outlines new standards for data collection, new consequences for businesses that fail to protect user data and new rights that California consumers can exercise over their data.
Q. When is the California Consumer Privacy Act effective date?
A. The CCPA becomes effective on January 1, 2020.
Q. Who must comply with the CCPA?
A. The CCPA applies to a “business” that collects the personal information of “consumers” that are California residents.
A “Consumer” is defined under the CCPA as a California resident.
- The California Code of Regulations defines a resident as follows: “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.”
A “Business” is defined by the CCPA as a for-profit entity that collects “consumer” data and also meets one of the following criteria:
- Has at least $25 Million in annual gross revenue;
- Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes;
- Derives 50% or more of its annual revenue from selling consumer personal information.
A “Service Provider” is defined by the CCPA as any entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.
Notably, the CCPA applies to all businesses, as defined above, that collect data from California residents — regardless of the location of the headquarters of the business itself. In other words, it applies to businesses that are physically located outside of California.
Q. What is “Personal Information” under the CCPA?
“Personal information” (“PI”) is broadly defined to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
- The CCPA specifies that Personal Information includes, but is not limited to:
- Identifiers, such as names, aliases, addresses and IP addresses
- Characteristics of protected classifications under California or federal law
- Commercial information, including records of personal property, products or services purchased, or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information, such as browsing history
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information
- Any inferences drawn from any of the information identified to create a profile about a consumer
Q.What information is excluded from the CCPA’s definition of “Personal Information”?
A. The CCPA excludes:
- “Aggregate consumer information,” which is defined as data that is “not linked or reasonably linkable to any consumer or household, including via a device.”
- Information that is publicly available from federal, state or local government records is similarly excluded.
Q. What rights do California consumers have regarding their personal information under the CCPA?
A. For the purposes of this White paper, California Consumers have four main rights.1
- The right to notice and transparency about the personal data collected about the consumer – which includes the right to request that a business disclose what personal information it has collected about them.
- The right to opt out of the sale of their personal information by a business.
- The right to have their personal information deleted.
- The right not to be discriminated against because they opt out of the sale or their personal information.
CCPA Right No. 1: The CCPA Gives Consumers the Right to Notice and Transparency about the Personal Information Collected About Them
A key goal of the CCPA is to give California consumers greater access to and transparency about the information that is collected about them. To achieve these goals of access and transparency, the CCPA requires businesses to:
- Make both affirmative general disclosures to all consumers about its privacy practices.
- Respond to verifiable consumer requests with individualized disclosures about the business’s collection, sale or disclosure of the personal information of the particular consumer making the information request.
In their privacy policies (or on their website if they do not have such policies), businesses must affirmatively disclose:
- At or before the time of collection, what personal Information the business will collect about its consumers and the purposes for which such data will be used.
- The categories of consumers’ personal information that was actually collected in the preceding 12 months.
- The categories of consumers’ personal information that was sold in the preceding 12 months.
In response to verifiable consumer requests, Businesses must disclose:
- The categories of personal information of the requesting consumer that were actually collected in the 12 months preceding the consumer’s verifiable request.
- The categories of personal information of the requesting consumer that were sold or disclosed for business purposes in the 12 months preceding the consumer’s verifiable request.
- The Business must respond and provide this information within 45 days.
Q. What is a “Verifiable Request”?
To exercise his or her rights under the CCPA, a consumer must make a “verifiable request.” A “verifiable consumer request” is a request made by a consumer, a consumer on behalf of a minor, or a person legally authorized to act on behalf of a consumer, that addresses data verifiably collected from or about that consumer.
CCPA Right No. 2: California Consumers Have the Right to Opt Out of the Sale of their Personal Data
According to Section 1798.120 (a) of the California Consumer Privacy Act ofﬁcial text: “A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.”
Q. What constitutes “Selling” Personal Information under the CCPA?
A. The CCPA defines “selling” as:
“Renting, releasing, disclosing, disseminating, making available, transferring…a consumer’s personal information by the business to another business or third party for monetary value or other valuable consideration.”
The CCPA also specifically states that the following does not constitute “selling” personal information under the CCPA:
- Consumer-directed disclosure or use that was intended by the consumer.
- Use of personal information for the purposes of identifying a consumer who has opted out under the opt-out provision.
- Sharing personal information with a service provider that is necessary for the performance of a business purpose, if the business has provided notice to its consumers, the service provider is acting on the business’s behalf, and the service provider does not sell the personal information.
- The business transfers personal information to a third-party as an asset that is part of a merger, acquisition, bankruptcy or other transaction where the third- party “assumes control of all or part of the business,” subject to certain conditions.
Reputation.com does not Sell Personal Information. The personal information the Company has is used only for the following purposes:
CCPA Right No. 3: California Consumers Have the Right to Request the Deletion of Their Personal Information
The CCPA allows California Consumers to request the deletion of their Personal Information from a Business’s servers and by that Business’s service providers.
Businesses will be required to honor the deletion request unless keeping the personal information is necessary to do one or more of the following:
- Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or otherwise perform a contract between the business and the consumer.
- Detect and maintain data security.
- Debug to identify and repair errors.
- Exercise a right provided for by law.
- Comply with the California Electronic Communications Privacy Act.
- Engage in public or peer-reviewed scientific, historical or statistical research in the public interest when deletion would render it impossible or seriously impair the achievement of such research.
- Comply with legal obligations.
- Enable solely internal uses that are reasonably aligned with the expectations of the consumer, based on the consumer’s relationship with the business.
- Otherwise use the consumer’s personal information internally in a lawful manner that is compatible with the context in which the personal information was provided.
CCPA Right No. 4: Consumers have the Right to Opt Out of the Sale of their Personal Information without Being Discriminated Against
Under the CCPA, Businesses may not discriminate against consumers for opting out of the sale of their personal information. Businesses may not deny products or services or offer differential pricing or rates, unless directly related to the value of the data to the consumer. Business may offer and enter into fair and transparent financial incentive programs for the collection, sale, and disclosure of personal information with informed consent of consumers.
Additional CCPA Requirements
Businesses are required to convey all deletion requests to their service providers. The deadline for providing a response to the request to see what personal information a Business has is 45 days from receipt of the request. A business must respect the consumer’s decision to opt-out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s PI again.
Reputation.com Is Taking Action to Comply with the CCPA
Reputation.com is taking the following steps to prepare for CCPA compliance, all of which will be live on or before January 1, 2020:
- We will launch an online Data Protection Request Form to enable California Consumers to make CCPA dataprotection requests.
- We are implementing a toll-free number to enable California Consumers to make CCPA requests.
- We will be amending our terms of service to address the CCPA.
Rest assured, Reputation.com does not sell any Personal Information to any thirdparties. Reputation.com shares Personal Information with certain third-party service providers to assist in delivering its services. Reputation.com will notify these thirdparty service providers of all personal information deletion requests and take steps to ensure the deletion of personal information by these parties.
How Reputation.com Will Assist Business Customers with CCPA Compliance
Reputation.com is taking the following steps to help our business customers comply with the CCPA:
- New Data Protection Feature. Reputation.com customers that receive CCPA requests from their end customers may address those requests with a new Data Protection feature that has been added to the Reputatin.com platform. Using the new Data Protection feature, Reputation.com platform users may search for, view and delete Personal Information for individuals that is stored in the platform, if required.
- Communication of Deletion of Requests to Customers. As a Service Provider, Reputation.com will promptly communicate the CCPA data protection requests to its customers. If you have a designated customer contact who should receive CCPA data protection request emails, please send an email to firstname.lastname@example.org and include the following information:
- The name of your organization
- The name of the contact designated to receive CCPA communications
- The email address of that contact
1 The rights of Consumers and the obligations of Business under the CCPA are extensive. This White paper is not intended to be an exhaustive list of these rights and obligations; rather Reputation.com is focusing on those rights and duties that are particularly relevant to its business.