California Consumer Privacy Law (CCPA)
Resonate Privacy Update: California Consumer Privacy Law
California recently adopted a new law on consumer privacy that will create new requirements related to data collected from or about California residents. The law also creates a limited private right of action for certain violations of the law. The California Consumer Privacy Act of 2018 (“CCPA”) went into effect on January 1, 2020.
Historically, Resonate and similar digitally-native organizations have been governed by the self-regulatory industry standards established by the DAA. These guidelines have always centered around the definition of a consumer’s personal information as the traditional offline facts and identifiers of someone – their name, address, phone number, social security number, and so on. This data has historically been referred to by the legal name “Personally Identifiable Information” or “PII.”
CCPA changes the game. For the first time, CCPA expands the definition of personal information to include the anonymous identifiers that exist in the digital world, as well as the online behavioral observations that power digital. This is referred to in the legislation as “Personal Information.” It includes IP address, browsing history, purchase history, and inferences about consumers. This expanded definition comes with obligations for handling and accessibility as stated above but does not modify Resonate's current use cases.
The CCPA does not change any part of the Resonate product experience or capabilities as enjoyed by our clients today. The only impact on Resonate is the need to develop functionality to manage the obligations surrounding the direct Resonate-to-consumer relationship. In other words, in order to ensure we’re compliant with CCPA’s requirements, we’ve had to create a new set of disclosures and processes to satisfy consumer requests; but this new work does not negatively impact Resonate’s capabilities or product offerings.
In order to protect consumer privacy, Resonate has historically only collected anonymous data about consumers through an anonymous digital ID. We have deliberately not gathered the name, address, phone number, or other offline identifiers of a consumer. Therefore, Resonate would only need to remove the relevant digital IDs when appropriate in order to comply with CCPA.
The CCPA regulations require that multiple pieces of consumer information be verified before any specific Personal Information is disclosed to a consumer. However, Resonate only knows one anonymous piece of information about a consumer, and as a result we cannot reliably verify any consumer. When that one piece of Personal Information known about the Consumer can be verified, we will provide the appropriate disclosures and take the necessary actions as required under the law.
What actions is Resonate taking to be compliant with CCPA?
Resonate has taken numerous actions to comply with the CCPA legislation:
- Access to Information: Resonate has developed a consumer request form which allows California consumers to submit their requests for access to information to Resonate. That form can be found here - https://www.resonate.com/ccpa-consumer-request/
- Right to Deletion: Through the same consumer request form referenced above, California consumers have the right to request the deletion of their personal information.
- Right to Opt-Out of Sale: Resonate provides any California consumer the right to opt out of the further sale of any of their personal information from Resonate to another third party. This is supported either through a link in the footer of the Resonate website or through the industry’s centralized tool for Opting Out of Sale under CCPA. This DAA tool can be found at https://optout.privacyrights.info/.
What happens when a consumer submits a CCPA request to one of Resonate’s customers? Doesn’t a business need to ensure that any personal information shared with and/or maintained by its Service Providers is covered under CCPA?
The following information outlines Resonate’s specific positions that relate to a consumer’s request to exercise their rights under CCPA with a business (e.g. Resonate’s client). The scenario goes something like this:
- A California consumer reaches out to a company with whom they do business (e.g. Apple). The consumer requests to exercise their rights under CCPA with Apple.
- Apple will take actions to satisfy the client’s requests under CCPA.
- In this example, Apple may be a Resonate client. Apple may have used Resonate tags to create segments in the Resonate platform to learn more about their website visitors. Or Apple may have provided a customer file of all US-based iPad owners and iPhone owners to be onboarded into the Resonate platform to learn more about the commonalities or differences in these customers to make their marketing more effective.
- Apple may reach out to Resonate with concerns about personal information, and about data that Resonate may have in its software based on Resonate’s role as a Service Provider to Apple.
Described below are the actions Resonate can or cannot take related to each of the consumer’s rights under CCPA:
ACCESS TO INFORMATION: A client (e.g. Apple) receives an Access to Information request from a consumer. Apple takes action on that request at the company. Apple requests from Resonate the Personal Information about the consumer that Resonate gathered on Apple’s behalf, in order to share it with the consumer.
- Resonate has no way to verify the identity of the consumer. As a result, Resonate cannot identify any personal information associated with that consumer that was gathered on behalf of Apple.
- Apple may direct its customer to the Resonate website, where the consumer could submit a request for information with Resonate directly, but the same inability to verify the consumer will exist in this scenario as well.
DELETION REQUEST: A client (e.g. Apple) receives a Deletion Request from its customer. Apple takes action on that request at the company. Apple may request that the consumer’s Personal Information, which may have been gathered by Resonate on behalf of Apple, be deleted.
- Resonate has no way to verify the identity of Apple’s customer. As a result, Resonate cannot delete the information associated with a customer of Apple.
- Apple may direct its customer to the Resonate website, where the consumer could submit a request for deletion with Resonate directly, which would result in the deletion of the customer’s Personal Information.
OPT-OUT OF SALE: Consumers have a general right to request that their Personal Information not be re-sold to another third party. In this scenario, the request is actually a request that Resonate not re-sell the data collected as a Service Provider on behalf of Resonate’s client (e.g. Apple). For example, a client (e.g. Apple) receives an Opt-Out of Sale request from a consumer. Apple takes action on that request at the company. Apple requests that Resonate opt the consumer out of sale.
- Under Resonate’s standard contractual terms and conditions, Resonate does not have any right to resell the data gathered on behalf of a client as a Service Provider. As a result, there is no scenario under which Resonate would be reselling our client’s data (e.g. Apple’s data) to another third party, and therefore there is no Opt-Out to effect at Resonate.
- Apple may direct its customer to the Resonate website, where the consumer could submit a request to be Opted out of Sale at the Resonate level. This would opt the consumer out of any sale of data at Resonate, but would still not affect an Apple-specific opt-out. Apple could also choose to point consumers to the DAA CCPA Opt-Out of Sale tool that has been made available industrywide, which allows a consumer to request Opt-Out of Sale across all participating third parties that use the tool, including Resonate. That tool can be found here: https://optout.privacyrights.info/