Introduction to CCPA
The California Consumer Privacy Act (CCPA) is California’s privacy law aimed at enhancing consumer privacy rights for residents of California, United States. The law became fully enforceable on July 1st, 2020.
Who is affected by CCPA?
Under CCPA, only businesses that earn $50,000,000 a year in revenue, sell 100,000 consumers' records each year, or derive 50% of their annual revenue by selling your personal information must comply. All businesses must comply if they collect or sell Californians' personal information, whether they are located in California, a different state, or even a different country.
Key facts under CCPA
1. Own Your Personal Information
Right to Know What Personal Information is Being Collected
As a consumer, you have the right to request that a business that collects personal information about you disclose to you the categories of personal information that it has collected about you.
Right to Know Whether Personal Information is Sold or Disclosed and to Whom
As a consumer, you have the right to request that a business that sells your personal information or discloses it for a business purpose, disclose to you:
- The Personal Information that is sold to third parties and the identity of such third parties
- The Personal Information that is disclosed for a business purpose to third parties and the identity of such third parties
2. Control Your Personal Information
3. Secure Your Personal Information
A business that owns, licenses, or maintains personal information about a California resident needs to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
4. Hold Big Corporations Accountable
Under CCPA, only businesses that earn $50,000,000 a year in revenue, sell 100,000 consumer records each year, or derive 50% of their annual revenue by selling your personal information must comply. All businesses must comply if they collect or sell Californians' personal information, whether they are located in California, a different state, or even a different country.
5. How is PI (Personal Information) defined under CCPA
The CCPA defines “personal information” as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
CCPA documentation goes on to provide specific examples of personal data. The list includes, but is not limited to, the following identifiers:
- Identifiers such as a real name, alias, address, email address, social security number, license number, passport number, or similar identifiers.
- Commercial information including property records, product purchases, and other consumer histories and tendencies.
- Biometric data such as fingerprints and facial recognition data.
- Internet or network activity data, such as IP addresses, browsing history, search history, and interactions with online sites or advertisements.
MoEngage compliance with CCPA
1. Right to Know What Personal Information is Being Collected
This can be done by downloading user data from the Segmentation module. You can also write to firstname.lastname@example.org to get a copy of all the data we are saving for any user. To export a user's data from MoEngage, we allow you to navigate to our dashboard and download the data of users as required. Follow the steps mentioned in this document to know more about downloading data from MoEngage.
2. Right to Know Whether Personal Information is Sold or Disclosed and to Whom
We only send the information to the below third-party platforms if you have opted in for MoEngage email/SMS sending:
- Email Connector (Sendgrid or any other as per the client setup)
- SMS Connector (Gupshup or any other as per the client setup)
3. Right to Say No to the Sale/Disclosure of Personal Information
4. Data Deletion
You can delete the data of your users when required. To do this, we have hosted an API that will remove all the personal data associated with specific users who have requested to be erased from MoEngage. For more information on using this API, refer to GDPR/CCPA API.
The API accepts one of the following parameters as input:
- ID (required for logged-in users)
- Mobile Number
- GAID (required for anonymous users)
- IDFA (required for anonymous users)
Removing a user’s personal data will erase personal data from MoEngage. In order to maintain the integrity of campaign and application usage analytics, anonymous aggregated data will not be modified when an end user is removed (for example, MoEngage will not decrement an app’s MAU numbers or Campaign Stats when an end user is deleted). However, this data will not be connected in any way to the profile of the forgotten end user, ensuring that this anonymized and aggregated data cannot be tied back to any individual user.
Once the API request is made to remove personal data for specific users, it will take up to 7 days for completing this request. It may, however, take 60 days to remove this data from all our logs and backups. We need to maintain the data for 60 days to justify our processing of erasure requests of personal data related to every user.
CCPA and GDPR
GDPR applies to all activities involved in the processing of personal data — including storing, accessing, and transferring data. CCPA, however, only applies to the collection, “sale,” and disclosure of personal information for business purposes.