Glossary to the CCPA
To get oriented to the California Consumer Privacy Act, the CCPA, it's good to have a grasp of the basic jargon and concepts around it. Here's a quick glossary to help navigate the basic terms involved with this landmark privacy data protection legislation. You can also see these terms in a handy infographic chart. Enjoy!
A business can't discriminate against a consumer for exercising their CCPA rights, but may charge different prices or provide a different quality of goods/services if the difference is related to the value provided by the consumer's data.
The fifth-biggest economy in the world, home to the world's leading tech giants, and a traditional wellspring of tech-related trends and regulation for the U.S. and abroad. Its sheer size and number of online consumers mean nearly all marketers anywhere need to consider CCPA compliance.
The California Online Privacy Protection Act, launched in 2003. Initially centered on personally-identifiable information (PII), it required websites and online services to display Privacy Policies. Its scope broadened in recent years, and the CCPA is a further extension to give consumers more control over their data.
The California Consumer Protection Act (CCPA), the first U.S. attempt at a comprehensive data protection law, and likely to be a template for legislation and regulation in other states and even (potentially) for eventual federal legislation.
Multiple proposed bills would add new provisions to supplement the CCPA, addressing areas including data brokering, facial recognition technology, social networking services, disclosing the monetary value of consumer data, and more. None of the proposed changes, however, provide grounds for a business to delay compliance.
Unlike the GDPR, the CCPA does not require websites or online services to obtain opt-in consent before collecting personal data (unless a consumer is under 16) or to provide users a means to opt out of collection.
Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Rhode Island have proposed laws largely identical to the CCPA. Other states have laws with key similarities but more pronounced differences. As of right now, a total of 15 state laws are under consideration, with more likely.
When a consumer makes a verifiable deletion request, a business must delete personal data collected about that consumer, and direct its service providers to follow suit.
Under the CCPA, this means data that's stripped of identifying qualities, "anonymized" so businesses and marketers can safely use it. This data must be incapable of being later re-identified with users, and businesses must put procedures in place to prevent re-identification.
A household, under the CCPA, is defined as a collective of individuals - like a family or occupants at a residential address. Households and individuals are treated the same when it comes to data identification: Using data to narrow a list of consumer identities to a single household is seen as being the same as being able to identify an individual.
A consumer has the right to opt out of the sale of their personal data, and a business must provide notice to consumers that they sell that data. A related requirement: the business' website homepage must have a "Do Not Sell My Personal Information" link to a web page where consumers can opt out.
Violations of the CCPA would be enforced by the California Attorney General's office, which can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation after A) notice and B) a 30-day "opportunity to cure" period have been provided. But enforcement will be delayed until six months after publication of the A.G.'s implementation guidelines or July 1, 2020, whichever comes first.
Broadly defined as any type of data that identifies an individual or might be linked to an individual or household; it also includes non-identifying data, such as behavioral and transactional activity on a website, and even the insights and inferences drawn from that data, such as assigning buyer personas or segmentation.
"Processing" data under the CCPA refers to collection, possession, or other handling of data, whether manually or via automation; the data a consumer enters on a form is processed, just like that collected using cookies. Certain types of data are excluded, but both businesses and service providers are liable for non-compliance with processing protections.
Right of Data Portability
When it's requested, a business must provide personal information in a readily useable format to enable a consumer to transmit the data from one entity to another without hindrance.
Right of Disclosure or Access
Consumers have a right to request disclosure of their personal data and to receive additional details regarding the personal data a business collects and its uses, including any third parties with which it shares data.
This includes a wide span of transactions involving the renting, transfer, or trade of private consumer data. Money doesn't have to be exchanged, however: any compensation or benefit the seller receives may violate the CCPA's terms if the data "sold" belongs to consumers who have opted out. So marketers need to stay compliant on all fronts when sharing data.
A "service provider" means a specific type of vendor whose contract states how they can use consumer data; ad agencies and martech firms, for instance. They're prohibited from retaining consumer data once they've delivered services for their client. This limitation still allows the client's business to share that data with other vendors, though.
Defined as any organization other than the first-party business that's gathering data through consumer interaction, or service providers receiving consumer data from a company to fulfill its business goals. These are usually data brokers, and if a large number of consumers opt out of selling data, this will make third-party data less available and less attractive to marketers.