CCPA

What Is CCPA?

The California Consumer Privacy Act (CCPA) is California’s privacy law aimed at enhancing consumer privacy rights for residents of California, United States. The law became fully enforceable on July 1st, 2020.

Who Is Affected by CCPA?

Under the CCPA, businesses that earn $50,000,000 a year in revenue, sell 100,000 consumers' records each year, or derive 50% of their annual revenue by selling your personal information (PI) must comply. All businesses must comply if they collect or sell Californians' personal information, whether they are located in California, a different state, or even a different country.

Key Facts of CCPA

The following are the key facts of the CCPA:

Own Your Personal Information

Right to Know What Personal Information Is Being Collected

As a consumer, you have the right to request the business that collects your personal information to disclose to you the categories of personal information that it has collected about you.

Right to Know Whether Personal Information Is Sold or Disclosed and to Whom

As a consumer, you have the right to request that the business that sells your personal information or discloses it for a business purpose, to disclose to you:

  • The personal information that is sold to third parties and the identity of such third parties
  • The personal information that is disclosed for a business purpose to third parties and the identity of such third parties

Control Your Personal Information

If you do not want a corporation to sell your information, you can stop them by clicking the do not sell my data link.  The corporation cannot hide this in a privacy policy—they have to display it clearly at the bottom of any page where they collect your information. If you tell them not to sell your info, they cannot discriminate against you. This means they cannot charge you more, deny you access to services, or change the quality of the service you get.

Secure Your Personal Information

A business that owns, licenses, or maintains personal information about a Californian resident needs to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. The business needs to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Hold Big Corporations Accountable

Under the CCPA, only businesses that earn $50,000,000 a year in revenue, sell 100,000 consumer records each year, or derive 50% of their annual revenue by selling your personal information must comply. Such businesses must comply if they collect or sell Californians' personal information, whether they are located in California, a different state, or even a different country.

How Is Personal Information Defined Under the CCPA

The CCPA defines “personal information” as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The CCPA documentation provides specific examples of personal data. The list includes, but is not limited to, the following identifiers:

  • Identifiers such as a real name, alias, address, email address, social security number, license number, passport number, or similar identifiers.
  • Commercial information including property records, product purchases, and other consumer histories and tendencies.
  • Biometric data such as fingerprints and facial recognition data.
  • Internet or network activity data, such as IP addresses, browsing history, search history, and interactions with online sites or advertisements.

MoEngage Compliance with CCPA

Right to Know What Personal Information Is Being Collected

You can accomplish user data retrieval in several ways:

  • The Get User API of MoEngage provides all collected data for the specified users. For more information, refer to Get User API.
  • You can export user data from MoEngage. Navigate to the Segmentation module on the MoEngage dashboard and download the data as required. For more information, refer to User Data Exports.
  • You can also reach out to our Support Team for a copy of all data we have for any user. You must raise a support request. For more information, refer to Raise a Support Ticket Through MoEngage Dashboard.

Right to Know Whether Personal Information Is Sold or Disclosed and to Whom

We only send the information to the following third-party platforms if you have opted in for MoEngage email or SMS sending:

  • Email Connector (Sendgrid or any other as per the client setup)
  • SMS Connector or Service Provider (Gupshup or any other as per the client setup)

For more information on this, refer to privacy policy.

Right to Say No to the Sale or Disclosure of Personal Information

We do not sell personal information at all. If a user requests to opt-out of data processing, you can do so by following the SDK methods listed in our integration documents:
Android | iOS | Web

Data Deletion

You can delete the data of your users when required. To do this, we have hosted the GDPR/CCPA API that removes all personal data associated with specific users who have requested their data to be erased from MoEngage. For more information, refer to GDPR/CCPA API.

The API accepts one of the following parameters as input:

  • ID (required for logged-in users)
  • Email
  • Mobile Number
  • GAID (required for anonymous users)
  • IDFA (required for anonymous users)

Removing a user’s personal data erases their personal data from MoEngage. To maintain the integrity of campaign and application usage analytics, anonymous aggregated data is not modified when an end user is removed (for example, MoEngage does not decrement an app’s MAU numbers or Campaign Stats when an end user is deleted). However, this data is not connected in any way to the profile of the forgotten end user, ensuring that this anonymized and aggregated data cannot be tied back to any individual user.

After the API request is made to remove personal data for specific users, it takes a maximum of 7 days for completing this request. It may, however, take 60 days to remove this data from all our logs and backups. We need to maintain the data for 60 days to justify our processing of erasure requests of personal data related to every user.

CCPA and GDPR

The General Data Protection Regulation (GDPR) applies to all activities involved in the processing of personal data—including storing, accessing, and transferring data. The CCPA, however, only applies to the collection, sale, and disclosure of personal information for business purposes.

Was this article helpful?
1 out of 3 found this helpful

How can we improve this article?