California Consumer Privacy Act (CCPA)

Introduction to CCPA

The California Consumer Privacy Act (CCPA) is California’s newest privacy law aimed at enhancing consumer privacy rights for residents of California, United States. The law became fully enforceable on July 1st, 2020.

Who is affected by CCPA?

Under CCPA, only businesses that earn $50,000,000 a year in revenue, sell 100,000 consumers' records each year, or derive 50% of their annual revenue by selling your personal information must comply. All businesses must comply if they collect or sell Californians' personal information, whether they are located in California, a different state, or even a different country.

Key facts under CCPA

  1. Own Your Personal Information:
    Right to Know What Personal Information is Being Collected: As a consumer, you have the right to request that a business that collects personal information about you disclose to you the categories of personal information that it has collected about you.

    Right to Know Whether Personal Information is Sold or Disclosed and to Whom: As a consumer, you have the right to request that a business that sells your personal information or discloses it for a business purpose, disclose to you:
    - The Personal Information that is sold to third parties and the identity of such third parties
    - The Personal Information that is disclosed for a business purpose to third parties and the identity of such third parties

  2. Control Your Personal Information: If you don’t want a corporation to sell your information, you can stop them by clicking on a link that says “do not sell my data.”  The corporation can’t hide this in a privacy policy — they have to display it clearly at the bottom of any page where they collect your information. If you tell them not to sell your info, they can’t discriminate against you. This means they can’t charge you more, deny you access to services, or change the quality of the service you get.

  3. Secure Your Personal Information: A business that owns, licenses, or maintains personal information about a California resident needs to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

  4. Hold Big Corporations Accountable: Under CCPA, only businesses that earn $50,000,000 a year in revenue, sell 100,000 consumers' records each year, or derive 50% of their annual revenue by selling your personal information must comply. All businesses must comply if they collect or sell Californians' personal information, whether they are located in California, a different state, or even a different country.

  5. How is PI (Personal Information) defined under CCPA: The CCPA defines “personal information” as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

    CCPA documentation goes on to provide specific examples of personal data. The list includes, but is not limited to, the following identifiers:

    • Identifiers such as a real name, alias, address, email address, social security number, license number, passport number, or similar identifiers.

    • Commercial information including property records, product purchases, and other consumer histories and tendencies.

    • Biometric data such as fingerprints and facial recognition data.

    • Internet or network activity data, such as IP addresses, browsing history, search history, and interactions with online sites or advertisements.

MoEngage compliance with CCPA

  1. Right to Know What Personal Information is Being Collected: This can be done by downloading user data from the Segmentation module. You can also write to support@moengage.com to get a copy of all the data we are saving for any user.

    To export a user's data from MoEngage, we allow you to navigate to our dashboard and download the data of users as required.

    Follow the steps mentioned in this document to know more about downloading data from MoEngage.

  2. Right to Know Whether Personal Information is Sold or Disclosed and to Whom: We only send the information to the below third-party platforms if you have opted in for MoEngage email/SMS sending:
    - Email Connector (Sendgrid or any other as per the client setup)
    - SMS Connector (Gupshup or any other as per the client setup)
    You can also refer to our privacy policy for more information on this.

  3. Right to Say No to the Sale/Disclosure of Personal Information: We do not sell personal information at all. If a user requests to opt out of data processing, you can honor the request by using the SDK methods listed in our integration documents:
    Android | iOS | web

  4. Data Deletion: You can delete the data of your users when required.

    To do this, we have hosted an API that will remove all the personal data associated with specific users who have requested to be erased from MoEngage.

    For information on using this API, please refer to our implementation docs here.

    The API accepts one of the following parameters as input:

    - ID (required for logged-in users)
    - Email
    - Mobile Number
    - GAID (required for anonymous users)
    - IDFA (required for anonymous users)

    Removing a user’s personal data will erase personal data from MoEngage. In order to maintain the integrity of campaign and application usage analytics, anonymous aggregated data will not be modified when an end user is removed (for example, MoEngage will not decrement an app’s MAU numbers or Campaign Stats when an end user is deleted). However, this data will not be connected in any way to the profile of the forgotten end user, ensuring that this anonymized and aggregated data cannot be tied back to any individual user.

    Once the API request is made to remove personal data for specific users, it will take up to 7 days to complete the request. It may, however, take 60 days to remove this data from all our logs and backups. We need to maintain the data for 60 days to justify our processing of erasure requests of personal data related to every user.

    You can refer to this article for more details on the erase API.

CCPA and GDPR

GDPR applies to all activities involved in the processing of personal data — including storing, accessing, and transferring data. CCPA, however, only applies to collection, “sale,” and disclosure of personal information for a business purpose.
