The CCPA has a big impact on the digital ecosystem, putting guidelines on personal information collection and post-data-acquisition data usage by businesses. CCPA compliance deadline commenced January 2020 and it’s critical to know how this will impact your business in order to avoid violations. If you haven’t started redoing your privacy policy, that’s your next step now that California residents have more control over what happens to their personal information that companies collect. We had a live Q&A session where we address your most burning questions and unpack the key requirements and considerations to keep in mind in order to stay compliant. See how CCPA impacts all advertisers, not just Californians.
2. 2
● Session recording and slides will be sent out
● Log back in anytime with the same link
● Resources available as handouts
Eyebrow Text
Today’s Logistics
Persephanie Arellano
Webinar Coordinator
3. Experts-Only Approach
Strategic acquisitions have positioned us as the
leading independent performance marketing agency
Search • Social • Amazon • Email • Display • Shopping & Data Feed • SEO • Affiliate •
Conversion Rate Optimization • Creative Services • Analytics & Marketing Science
5. What is your readiness level for the
CCPA regulations?
Poll Question
● I'm just learning about it now
● I'm aware of it but have not taken action on it
● I'm aware of it & planning my approach
● I've already begun implementing the required solutions
● I'm aware of it and desperately need help
6. 6
1. The CCPA In Detail
2. Who is Impacted & What Makes a Company Liable
3. Recommendations to Consider for Your Next Steps
4. How CCPA is Indicative of Future Changes Likely to Come
From Other States
5. Live Q&A session
Agenda
8. Law that will go into effect January 1, 2020 that outlines new regulations for data protection
and consumer privacy for Californians
Part of a global trend towards more stringent data privacy and protection
Offers some GDPR like individual rights
California represents 12% of the US population and along with an oversized market, it is
considered a nationwide regulation
What is the CCPA?
California Consumer Protection Act
9. CCPA spells out the following:
• Businesses with annual gross revenues of at least $25 million
• Businesses that buy, receive, sell, or share the personal information of 50,000 or
more consumers, households or devices
• Businesses that get at least 50% of their annual revenue from selling
consumers’ personal information
• Note: exceptions for personal data covered by HIPAA and GLBA
Who is Impacted?
California Consumer Protection Act
10. ● Several other states (e.g. WA, FL, VA, NE) are in the process of developing
similar regulations
● If no state location is collected on a consumer, assume that California residency
is possible and CCPA applies
● Consider growth potential for your business
● Broad definition of the term “selling” requires thorough review of third party data
● Consider customer expectations
Who is Impacted?
California Consumer Protection Act
11. The law uses the term “personal information” broadly, so it pertains to traditional information
as well as behavior and preference based information
• Birthdate, SSN, email address, address, etc. are considered “traditional” personal
information
• GeoLocation, IP address, consumer behavior, browse and search history,
preferences, open / click behavior, etc. also qualify as personal information
What is “Personal Information?”
California Consumer Protection Act
12. Individual Rights Under CCPA
The law gives Californians the right to:
Know what personal information is being collected about them
Know whether their personal information is being sold or shared and to whom
Say no to the sale of their personal information
Access their personal information
No discrimination if exercise individual rights
The legislation further requires companies that collect personal information to delete all of it
upon request (with some exceptions) and disclose more detailed information about data
collection in privacy policies
California Consumer Protection Act
13. Privacy policies must include:
Categories of personal information collected about the consumer
The sources from which that information is collected
The commercial or business purpose for which the personal information is collected
The categories of third parties the information will be shared with
Specific pieces of personal information collected about the consumer
Key Requirements to be Compliant
California Consumer Protection Act
15. CCPA GDPR
Scope -California residents
-Minimum thresholds
-European residents
-No minimum thresholds
Definition of
Personal
Information /
Data
-“Identifies, relates to, describes, is capable of being
associated with, or could reasonably be linked, directly
or indirectly, with a particular consumer
or household”
- Includes online identifiers, profiling data, probabilistic
data, etc
-Uses “Personal Data”
-Refers to identified or identifiable natural person
Lawful basis &
data
processing
principles
-No lawful basis requirement and no data processing
principles.
-For example, B2C emails do not require opt-in
-Requires a legal basis processing prior to using
data (consent, legitimate interests,
contract, etc)
For example, B2C emails require opt-in consent
Comparison Between GDPR & CCPA
16. CCPA GDPR
Privacy Notice -Specific requirements including contact information to
exercise individual rights
-Do not sell link on homepage
-Specific requirements including contact
information to exercise individual rights
Individual
Rights
-Disclosure, access, delete, opt out of sale of information.
Respond within 45 days.
-Access, delete, rectification, data portability,
object. Respond within 30 days
Fines -Civil fines $2500-$7500
-Private Right of action: for data breaches if failure to maintain
reasonable security. Statutory damages $100-750
-Up to 4% global turnover or $20M
CCPA Lingo -Consumer
-Business (meets certain requirements)
-Service Provider (meets certain requirements)
-Third Party (not a business or service provider – for example
may be an entity that was sold data from the business)
-Data subject
-Controller
-Processor
Comparison Between GDPR & CCPA
18. Perform a data inventory audit
Determine what type of data you are collecting, using, sharing, and storing
Determine if you sell data per CCPA
Identify if your business practices qualify as “selling” data. If it does, your business will need to
comply with the regulations. It might consider a risk/benefit analysis on the sale of this data.
Reconsider the use of any third party data
Any data sold or purchased about a consumer would qualify for CCPA and your business would be
required to comply to the regulations.
Review data fields on forms and profiles
If you are currently using any third party data to append to consumers, you may want to consider
requesting that data directly from the consumer as possible.
Review privacy policies to ensure detailed information about data collection practices are disclosed
Considerations
California Consumer Protection Act
19. Ensure consumers can access data collected and that you can easily delete consumer
information if requested
As with GDPR, consumers have the right to know what personal information is being
collected, where it is stored and ask for it to be deleted permanently
Create a process to honor do not sell requests
CCPA requires you keep record of all sales of consumer information for up to 12
months, plus have a clear option to opt out of their information being sold via a link
on your website’s homepage plus an email*
Consider developing an official individual rights process
Documentation outlining how your business will comply with the access and deletion
of personal data upon request, as well as training of employees, is recommended
Considerations
California Consumer Protection Act
* amendment may change requirement to be email or phone number
20. Request a Data Privacy Audit
hello@tinuiti.com
Request a CCPA consultation
jodi@redcloveradvisors.com
Next Steps: Compliance Deadline has passed
California Consumer Protection Act
23. What needs to be in the footer of the site? Does it
have to say, "Do not sell my information?"
24. How does CCPA impact our remarketing search
campaigns?
25. How does CCPA impact sellers on marketplaces
such as Amazon, eBay, Walmart, etc.?
What will be required of marketplace sellers to
follow the required guidelines and how will this
impact advertising through marketplace platforms?
26. Once we've updated our privacy policy, do we need
to email or actively communicate it to all California
customers/contacts?
33. If a user asks to be deleted from a brand's database,
how can that brand ensure that the user will not be
re-acquired in the future?
34. If there is an ongoing data collection method, and a
contact requests their information be deleted, it's
possible that they will then again have their data
collected, as there will no record of the contact. Is
there any provision for storing the information of
users for use as a exclusion or "do not collect" list?
35. Does the messaging that appears on your site have
to use specific language or even specific words? Is
the messaging required to be at the top of the page?
In other words, how prominent does this messaging
have to be to California residents on the website?
36. Will CCPA block all remarketing from paid media or
just make pools smaller?
37. How do we handle user requests to opt out of
Google and Facebook cookies? Is the onus on the
consumer to go in their browser settings and
disable third-party cookies? Or is there a
mechanism for advertisers to exclude specific user
IDs from targeted advertising lists?
38. How does the CCPA impact companies outside of
California?
39. How has CCPA impacted the more recent news from
Google where they plan to get rid of 3rd party
cookies in the Chrome browser?
40. How does the CCPA impact email marketing
efforts? What actions should our company take to
remain compliant when sending out promo emails?
41. What are the key differences between GDPR and
CCPA? If we've already put GDPR compliance in
place, is that functionally enough to cover CCPA
compliance and we'd just need to expand our
Privacy and Cookies Policy text to cover
CCPA-required legal copy?
46. 46
Find the Tinuiti Team at:
eTail West
February 24-27, 2020
Palm Springs, CA
NEMOA Spring
Summit
March 18-20 | Boston, MA
Shoptalk
March 22-25, 2020
Las Vegas, NV
Hero Conf
April 7-10, 2020
Austin, TX
Tinuiti Live
May 5 2020 | New York, NY
Register at:
tinuiti.com/live2020
SMX West
February 19-20, 2020
San Jose, CA