Centro’s POV on CCPA from our Legal VP, Derek Zolner

THREE MAIN CONSUMER RIGHTS UNDER CCPA

  1. Right to Know
  2. Right to Deletion
  3. Right to Opt-Out

 

1. RIGHT TO KNOW

WHAT IS IT?

Consumer has right to know:

  1. Specific pieces of personal information that a business has about the consumer
  2. Categories of personal information it has collected about the consumer
  3. Categories of sources from which the personal information is collected
  4. Categories of personal information that the business sold or disclosed for a business purpose about the consumer
  5. Categories of third parties to whom the personal information was sold or disclosed
  6. The business or commercial purpose for collecting or selling personal information

HOW DOES A CONSUMER MAKE THE REQUEST?

Two required methods:

  1. Toll free #
  2. Interactive webform

WHAT DO WE NEED TO DO UPON RECEIPT OF A REQUEST?

  1. Confirm receipt within 10 days and provide information about how we will process the request, the consumer verification process, and an estimated response date
  2. Verify the request
  3. Respond within 45 days
  4. If we are unable to verify the customer’s identity, we must inform them of that fact

WHAT SHOULD OUR RESPONSE INCLUDE?

The six items identified above; provided, however, that for items (2)-(5) above, we may refer to our privacy policy if our response would be the same for all consumers and the privacy policy discloses all the information that is otherwise required to be in a response to a request to know.

HOW DO WE VERIFY THE REQUEST?

Open question:  A business shall generally avoid requesting additional information from the consumer for purposes of verification. If, however, the business cannot verify the identity of the consumer from the information already maintained by the business, the business may request additional information from the consumer, which shall only be used for the purposes of verifying the identity of the consumer seeking to exercise their rights under the CCPA, and for security or fraud-prevention purposes.

If a business maintains consumer information that is de-identified, a business is not obligated to provide or delete this information in response to a consumer request or to reidentify individual data to verify a consumer request.

 

2. RIGHT TO DELETION

HOW DOES A CONSUMER MAKE THE REQUEST?

We must have 2 methods from among the following:  toll-free #, a link or form via website, an email address, an in-person form, or a mailed form (Recommend toll-free # and webform to have uniformity with request to know)

A business shall use a two-step process for online requests to delete where the consumer must first clearly submit the request to delete and then, second, separately confirm that they want their personal information deleted.

WHAT DO WE NEED TO DO UPON RECEIPT OF A REQUEST?

Same as Request to Know:

  1. Confirm receipt within 10 days and provide information about how we will process the request, the consumer verification process, and an estimated response date
  2. Verify the request
  3. Respond within 45 days
  4. If we are unable to verify the customer’s identity, we must inform them of that fact

Important difference: if we are unable to verify the identity of the consumer, we should treat the request as an opt-out request.

WHAT DOES IT REQUIRE OF US?

Upon verified request, we can comply with the request by:

  1. Permanently and completely erasing the information
  2. De-identifying the personal information
  3. Aggregating the personal information

WHAT SHOULD OUR RESPONSE INCLUDE?

  1. The manner in which customer data has been deleted
  2. We must disclose that we will maintain a record of the request
  3. If we deny the request because we cannot verify identity, we must inform the consumer of such and that we are treating the request as one to opt-out

HOW DO WE VERIFY THE REQUEST?

Open question:  A business shall generally avoid requesting additional information from the consumer for purposes of verification. If, however, the business cannot verify the identity of the consumer from the information already maintained by the business, the business may request additional information from the consumer, which shall only be used for the purposes of verifying the identity of the consumer seeking to exercise their rights under the CCPA, and for security or fraud-prevention purposes. If a business maintains consumer information that is de-identified, a business is not obligated to provide or delete this information in response to a consumer request or to reidentify individual data to verify a consumer request.

 

3. RIGHT TO OPT-OUT

WHAT OPT-OUT METHODS MUST WE PROVIDE?

At least 2.

  1. “Do Not Sell My Personal Information” Link on Website (Required)
  2. If we collect information from consumers online, we must treat user-enabled privacy controls, such as a browser plug-in, privacy setting, or other mechanism, as an opt-out request. (Required)

Optional: toll-free #, email address

WHAT ARE OUR OBLIGATIONS?

  1. Must process within 15 days.
  2. Within 90 days, must notify all parties to which we have sold the opted-out consumer data of the opt-out and instruct them to no longer sell it

HOW DO WE VERIFY THE REQUEST?

We are not required to verify opt-out requests.

 

RECORD MAINTENANCE

WHAT RECORDS ARE WE REQUIRED TO MAINTAIN AND FOR HOW LONG?

We must maintain records of all requests to know, delete, and opt-out for 24 months.

WHAT INFORMATION ARE WE REQUIRED TO DISCLOSE?

If we annually share or sell information about more than 4,000,000 consumers, we must post within our privacy policy, for the previous 12-month period:

  1. The number of each type of request we received.
  2. The number of requests with which we’ve complied.
  3. The number of requests that we’ve denied, in whole or in part.
  4. Median # of days to respond to each request.

 

RESOURCES:

FAQS:

  • How do things like geofencing fall under the new privacy law in California?

    • Geofencing, audience targeting, retargeting, etc. all fall under personally identifiable information (PII) as indirect identifiers under the new law in California. As such, you must comply with their regulations. Centro/Basis DSP is in compliance with CCPA, but any entities utilizing the data we collect should also update their privacy policy to reflect that they use data to target advertising. There is a helpful site (One Trust link here) that can help you get in compliance, but we’d also recommend hiring legal counsel to review your Privacy Policy, especially if you’re conducting business/targeting California.
  • Customers who are pixeled and retargeted to… Are we required to share what data we have on them? Is there a way for them to know that they have been cookied?
    • Here is our legal team’s POV (they thought this was a really good question!): You can’t! You can’t verify that information, so they can’t provide in response to a Right to Know or Right to Delete request. For requests like this (re: cookie type, indirect identifiers), we’re going to treat those like an opt-out request and direct consumers to the opt-out mechanism on our website. Centro also uses AdChoices that has opt-out options when running campaigns with targeting. Caveat: always check with your own counsel, but this is our approach.
