The California Consumer Privacy Act ("CCPA") is the first comprehensive privacy law in any state or federal jurisdiction in the United States. The CCPA applies to entities conducting business in California that either directly or indirectly control the collection of Personal Information of California residents and meet one or more of the following:
- annual gross revenues >$25mm (adjusted for inflation);
- derive 50% or more of their annual revenues from selling Consumers’ (natural persons) Personal Information; or
- annually buy, receive for a commercial purpose, sell or share the Personal Information of 50,000 or more Consumers, households or devices.
Therefore, it is likely that many of Cint’s clients will be subject to the CCPA.
The law imposes European-style requirements (currently governed pursuant to the General Data Protection Regulation (GDPR)) to provide high levels of transparency to California-resident Consumers regarding how their Personal Information is used and shared, and gives individual Consumers rights to access, delete and prevent the sale of their Personal Information, among other things. Businesses can continue collecting Consumer data in the same manner as they had prior to the law taking effect; however, the notification and disclosure requirements (including requirements for a privacy policy) are far more robust under the CCPA.
Cint places the highest priority on managing Personal Information in compliance with CCPA. This document provides essential information about Cint's CCPA Compliance program.
Expansive Definition of Personal Information
CCPA includes an expansive definition of Personal Information. Under the CCPA, Personal Information means Personal Information about a California resident that “identifies (e.g., name or other “unique identifiers” including device ID, IP address, etc.), describes (e.g., protected class characteristics), relates to, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household”, including, but not limited to:
- social security number, driver’s license and passport numbers;
- commercial/transaction information (e.g., purchasing history);
- internet activity (cookies, pixel tags, etc.);
- geolocation data;
- professional or employment-related information; and
- inferences drawn about a California resident (i.e., using what is otherwise Personal Information to create a profile of a Consumer, such as preferences, intelligence or abilities).
California Consumer's Rights
Who is protected and how are rights exercised (i.e., right to access information, opt-out, deletion, etc.)?
- Consumers, who are CA residents by way of either being in CA for other than a temporary purpose or who are domiciled in CA (whether or not in CA during the time of data collection). “Consumers” includes customers of household goods/services, employees, and business-to-business transactions.
- Consumers who are CA residents have certain rights under the CCPA with respect to businesses that collect their Personal Information, as follows:
  a. the right to know (and right to disclosure upon verifiable request to the business), what Personal Information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;
  b. the right to “opt out” of allowing a business to sell their Personal Information to third parties (or, for Consumers who are under 16 years old, the right not to have their Personal Information sold absent their, or their parent’s, opt-in);
  c. the right to have a business delete their Personal Information, with some exceptions; and
  d. the right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act. In other words, the CCPA forbids businesses from “discriminating” against Consumers for exercising their privacy rights; specifically, businesses cannot deny goods or services, charge different prices for goods or services, or provide a different quality of goods or services to those Consumers who exercise their rights. However, the Act does permit businesses to charge a different price, or provide a different level of service, to a customer “if that difference is reasonably related to the value provided to the Consumer by the Consumer’s data.”
CCPA Enforcement
The CCPA is enforced by the California Attorney General, and currently provides businesses thirty (30) days to comply if accused of noncompliance. Civil penalties of up to $2,500 per violation, or $7,500 for intentional violations, may be imposed. The CCPA extends a private right of action to Consumers, giving businesses exposure not only to government fines but also to lawsuits from Consumers. Cint sees that the risks associated with enforcement must be taken very seriously.
Cint's CCPA Compliance Program
Cint has developed and implemented a compliance program that addresses CCPA's requirements. Key components of the program include:
- Senior management awareness and sponsorship
- Mapping of consumer data
- Data Protection Officer appointment
- Regular privacy notice review and update
- Evaluation of subcontractors
- CCPA-compliant contract frameworks
- Consumer request handling
- Breach notification
- Data Protection by Design
- Staff training
- On-going program governance
Children
Cint complies with the opt-in requirement for children. Between 13 and 16 years of age, the Consumer must affirmatively authorize the sale of their personal information. If the child is under the age of 13 years old, a parent or guardian must affirmatively authorize the sale of information.
Consent
As with GDPR, Cint uses consent for the collection and processing of Personal Data. Cint will collect, validate and store consent by purpose for all Panelists and participants. Panel Members can review, modify or revoke their consents at any time.
Information Security
Cint supports the information security requirements mandated by CCPA including appropriate physical, technical and organizational measures (using the ISO 27001 framework) to ensure a level of security appropriate to risk. This also includes CCPA requirements such as data breach notification. Cint has implemented encryption of Personal Data in transit and encryption at rest.
Cint’s Data Protection Officer
For more information, please contact Cint's Data Protection Officer (DPO):
Peter Milla
peter.milla@cint.com