What is the California Consumer Privacy Act?
The CCPA took effect in California on January 1, 2020. This law impacts for-profit businesses that process data of California residents and that meet one of the following criteria:
Annual revenue greater than $25 million
Process personal information (PI) of 50,000 or more California residents annually
Derive 50% or more of annual revenue from selling PI of California residents
What does the California Consumer Privacy Act Protect?
The CCPA protects the following:
A person living in California, even if temporarily outside of California, or
A person in California for a non-temporary/non-transitory purpose
Information that directly or indirectly relates to or could be reasonably linked to a particular person or household.
PI does not include deidentified information, as long as the business puts in place some technical and organizational measures to prevent reidentification.
Examples of PI:
Identifiers such as name, IP address, email address, social security number, passport number, etc.
Commercial information such as products or services purchased, purchasing or consuming histories or tendencies.
Biometric information, such as DNA, fingerprints, and retinal scans.
Internet and network activity, such as browsing history, search history, and interactions with a website.
Audio, electronic, visual, thermal, olfactory or similar information.
Professional or employment information.
Inferences drawn from any of the above that create a profile about a consumer reflecting preferences, characteristics, trends, behavior, etc.
The CCPA excludes the following:
Information covered under HIPAA
Information covered under the Gramm-Leach-Bliley Act
Publicly available PI
Information collected during clinical trials
Sale of information to consumer reporting agencies
Information under Driver's Privacy Protection Act
Rights Under the California Consumer Privacy Act
Right to Deletion
Consumers may request that information be deleted; however, certain exceptions apply, such as complying with a legal obligation.
Right to be Informed
Must notify consumers of categories of PI collected and purposes for which it is collected.
Must affirmatively state if the information is being sold or not.
If information is being sold, then the website must include a "Do Not Sell" link to allow consumers to opt-out.
Right to Opt-Out
Consumers can opt-out of sale of information with a "Do Not Sell" link on the website.
Right of Access
Consumers can request information that the business holds on them, including:
Categories of PI
Categories of sources
Categories of third parties with whom the business shares personal information.
Must have two methods to make this request: a toll-free phone number and a webpage.
Must be free of charge.
Right to Data Portability
Responses to requests for information must be in a portable and readily usable format.
Right to No Discrimination
Cannot discriminate against a consumer because a consumer exercises rights under the CCPA.
What is Listrak's role under CCPA?
Listrak is a Service Provider.
Under the CCPA a Service Provider is an entity that processes PI on behalf of a business and to which the business discloses a consumer’s PI for a business purpose pursuant to a written contract.
Under the CCPA, a Service Provider shall not retain, use or disclose the PI for any purpose other than for the specific purpose of performing services specified in the contract.
As a Service Provider, Listrak collects PI pursuant to the contract(s) between us and our clients. Accordingly, Listrak has no direct relationship with any consumers whose PI may be processed through our Services. Listrak will deny any requests received from consumers while acting as a Service Provider. The consumer will be directed to submit the request directly to the Listrak client. Listrak will also notify the applicable Listrak client about such request and denial.
How is the California Consumer Privacy Act being enforced?
Private Right of Action for Data Breaches
California residents have the ability to bring a suit against a business if a data breach occurs. Data breach means non-encrypted/non-redacted PI is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business's violation of security obligations. Consumers can seek $100 to $750 per incident or actual damages, whichever is greater. Consumers must give the business a 30-day cure period before filing suit. California residents could begin filing suits on January 1, 2020.
California Attorney General Enforcement
The California Attorney General enforces the remainder of the CCPA provisions by bringing civil actions in court. Courts can issue fines of $2,500 per violation, and $7,500 per intentional violation. Fines will fund the Consumer Privacy Fund, which will go to the Attorney General's enforcement efforts. The California Attorney General started bringing enforcement actions no later than July 1, 2020. Once in effect, the Attorney General's power was retroactive to January 1, 2020.
Responding to Consumers' Requests Under the California Consumer Privacy Act
Listrak supports the consumers' right to access or delete their PI. If a Listrak client receives a request from a consumer, the client can submit the request to Listrak through email to email@example.com. Listrak clients must verify the identity of the requester, confirm authority to access requested PI, and apply the request to other non-Listrak systems as needed. Listrak will complete the request and respond back to the client.
Listrak can only respond to requests received from Listrak clients. If a consumer directly contacts Listrak, we will deny the request and give notice to the client.
California Consumer Privacy Act and Location Detection for Gmail Users
Listrak uses email campaign engagement activity to determine the location of email contacts, including their Region (State). Gmail's proxy servers are located in California; therefore, you may see that some non-California residents are considered to be in the California region. This means that in some cases, if you create an audience using the filter criteria System Field - Region = California, the audience will include some Gmail users who are not actually California residents.
Please consult with your company's legal team to develop a plan to ensure CCPA compliance with Gmail addresses.