Hailing from GDPR’s home of Europe, AB Tasty believes in a secure, opted-in web that is optimized and personalized to enhance the user experience. Our algorithms, machine learning and experiments are all powered by data.
Our commitment to consumer data privacy and security became more assiduous when GDPR was first discussed, and is now baked into the very ideation of our product and feature development. In our role as a Service Provider (according to both GDPR and CCPA), we will never use the data we collect beyond what is required for our services to function. For a full summary of how we process data, you can read our Data Processing Agreement.
With the impending California Consumer Privacy Act (CCPA) becoming enforceable January 1, 2020, we wanted to underline our commitment to full compliance with this act, and also explain where this overlaps with GDPR compliance—and where it diverges.
Below is a summary of CCPA, its differences from GDPR, and how we will remain committed—and adaptive—with our protection of users’ security and privacy as additional data privacy legislation manifests throughout the world.
What is the CCPA?
The California Consumer Privacy Act is a comprehensive data privacy bill that grants Californians a new set of rights when it comes to the data businesses can collect about them. It’s often compared to the General Data Protection Regulation (GDPR), which was passed in the EU in 2018. Though it pertains only to Californians, CCPA is seen as a harbinger for further data privacy legislation in the US.
While the CCPA was passed on June 28, 2018, it has since gone through several amendments (you can track them here), and becomes enforceable on January 1, 2020.
For a more legally-specific scope, the CCPA applies to any for-profit entity that (i) does business in California, (ii) collects personal information of California residents (or has such information collected on its behalf), (iii) determines on its own or jointly with others the purpose and means of processing that information, and (iv) meets one or more of the following criteria:
- has annual gross revenues in excess of $25 million, adjusted for inflation;
- annually buys, receives for a commercial purpose, sells or shares the personal information of 50,000 or more consumers, households or devices;
- or derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Taken from the fact sheet distributed by the California attorney general’s office, this bill gives California consumers the following Consumer Rights and advises these subsequent guidelines to businesses:
- Consumers have the right to know what personal data is collected, used, shared or sold
- Consumers have the right to delete data held by businesses, or by extension a business’s service provider
- Consumers have the right to opt-out of the sale of their personal information.
- Children under age 16 must provide opt-in consent in the first place, while those under age 13 must have the consent of their parent or guardian
- Consumers have the right to non-discrimination of the terms of price or service when they excercise a privacy right under CCPA
- Businesses subject to the CCPA must provide consumers notice at or before data collection
- Businesses must create procedures to respond to requests for consumers to opt-out, know or delete
- For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their mobile app or website
- Businesses must respond to opt-out requests within specific timeframes
- Businesses must verify the identity of the requester
- Businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information
- Businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance
Differences Between GDPR and CCPA
In terms of procedural changes companies need to make, these two data privacy acts bear many similarities. Those who prepared for GDPR are in a good place to extend these opt-out provisions to California (or American) citizens. For notable differences, read “CCPA and GDPR” in this fact sheet provided by the California attorney general’s office.
AB Tasty and Clients’ Roles in CCPA
AB Tasty – a Service Provider. A Service Provider is a partner to which a Business discloses a consumer’s personal information for a business purpose pursuant to a written contract. This information is then used for the sole purposes disclosed in the contract. That will never change.
Our Clients – Businesses, and Controllers. Businesses are the data “Controllers” in CCPA, and are defined as entities that determine the purpose and means of processing the collected data. It is primarily Businesses which are responsible for granting the above rights to consumers (e.g. providing a “Do Not Sell My Data” button).
Our Clients’ Customers – Consumers. Those residing in California are the holders of these new rights. However, the CCPA has already spurred additional legislative data privacy action in the US and this evolution should be closely watched. Specifically, additional US states may pass their versions of CCPA, or forthcoming comprehensive federal legislation could supersede (and likely synthesize) the state laws.
Our Current (and Future) Commitment to our Clients and Their Customers
Our vision of the future of consumer interaction rests on optimized, personalized experiences online. As our platform matures, we are committed to these experiences being opt-in on the part of the consumer. In some cases, personal data can be easily anonymized, such as with statistics-based A/B testing. In others, like in 1:1 personalization, the customer experience is bespoke to an individual.
Regardless of the type of data collected, we believe consumers should have the right to privacy, should they choose, and have guaranteed security regardless. We take this responsibility very seriously.
This blog post is neither a complete summary of the California Consumer Protection Act (CCPA) nor legal advice for your company to use in complying with it. It’s intended as background information to help you better understand the CCPA and how it can apply to your business. Keep in mind, the CCPA has not been finalized and will likely face additional amendments in 2020.
Furthermore, we encourage our clients to stay aware of data conversations and be mindful of how data can be used ethically to optimize the consumer experience.
As the author of this blog post, I personally recommend the International Association of Privacy Professionals (IAPP) for staying up-to-date on the latest in the global conversation. They even have a CCPA amendment tracker.