What is the CCPA?
The California Consumer Privacy Act (“CCPA”) was passed by the California Legislature on June 28, 2018, and takes effect on January 1, 2020.
The CCPA brings in significant new requirements for organisations to identify, manage, secure, track, produce and delete consumer personal information. Further, it introduces (for the first time) a number of rights for individuals in the State of California.
Enforcement of the CCPA will generally be conducted by the California Attorney General, who shall adopt regulations on or before July 1, 2020, and shall not bring an enforcement action until six months after the publication of those regulations or July 1, 2020. This means there will be regulatory developments in early 2020 that should also be monitored.
Who does the CCPA affect?
The CCPA applies to the personal information of all “natural persons” who are California residents. “Residents” in this context means any individual in the State for other than a temporary or transitory purpose, and every individual domiciled in the State but located outside of the State for a temporary or transitory purpose.
The CCPA applies to any for-profit business that collects and/or controls California residents’ personal information and meets one of the three criteria below:
- Have annual gross revenues in excess of US$25 million; or
- Receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or
- Derive 50 percent or more of their annual revenues from selling California residents’ personal information.
What are the penalties for non-compliance?
Any violation of the CCPA may result in an injunction and liability for a civil penalty of up to $2,500 for each violation or $7,500 for each intentional violation.
Furthermore, a consumer has the right to bring a civil action to recover damages of not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater. This right of action relates to unauthorised access to or disclosure of nonencrypted or nonredacted personal information as a result of a business’s failure to implement and maintain reasonable security procedures.
What is “personal information”?
Personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, and the CCPA describes various types of personal information.
Specific examples include names; aliases; unique personal identifiers; postal, IP, and email addresses; account names; social security, passport, and driver’s license numbers.
The CCPA grants consumers the right to request details of the information held about them and how it is used.
On request from a consumer, a business that collects personal information needs to disclose the following:
- Categories of personal information the business has collected about that consumer;
- Categories of sources from which the personal information is collected;
- The purpose for collecting or selling personal information;
- Categories of third parties with which the business shares personal information; and
- Specific pieces of personal information the business has collected about that consumer.
A business that sells or discloses a consumer's personal information for a business purpose needs to disclose the following in response to a consumer’s request:
- Categories of personal information the business has collected about that consumer;
- Categories of personal information the business has sold about that consumer;
- Categories of third parties to which the personal information was sold, by category or categories of personal information for each third party to which the personal information was sold; and
- Categories of personal information the business has disclosed about that consumer for a business purpose (if the business has not disclosed consumers' personal information for a business purpose, it shall disclose that fact).
Consumers are also able to request that their information be deleted. On receipt of such a request, a business is required to delete that consumer’s personal information.
There are some important exceptions to this, summarised below, under which a business is permitted to retain a consumer’s personal information where it is required to:
- perform a contract or complete a transaction, or is otherwise reasonably required within the context of the business relationship;
- detect or protect against security incidents;
- debug in order to identify and repair errors that impair existing intended functionality;
- conduct research in the public interest;
- comply with a legal obligation (e.g. obligations to retain data, requirements under lawsuits); and
- make internal uses that are compatible with the context in which the consumer provided the information.
The CCPA offers companies a 30-day opportunity to cure violations before the Attorney General may file an enforcement action. If an organization incorrectly interprets the law and fails to appropriately delete an individual’s information, the cure provision may nevertheless offer the organization the ability to avoid enforcement action by subsequently deleting the required information properly.
A business that collects a consumer's personal information must inform the consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. This must be at or before the point of collection.
Consumers are also granted a right to opt out of the sale of personal information to third parties. There are additional requirements on businesses as to how this needs to be effected (see below).
In addition to the obligation to respond to valid consumer requests in exercising their rights, there are further obligations on businesses under the CCPA.
As well as the notice requirements specified above, a business that sells consumers' personal information to third parties needs to notify consumers of that fact and of their right to opt out of the sale of their personal information. A business must provide a "Do Not Sell My Personal Information" link on the homepage of its website that leads to a webpage enabling a consumer to opt out of the sale of the consumer's personal information.
A business must not sell the personal information of consumers under 16 years of age unless the sale has been affirmatively authorised by the consumer (where the consumer is between 13 and 16 years of age) or by the consumer's parent or guardian (where the consumer is under 13 years of age).
- The rights of consumers under the CCPA, including the right to opt-out / “Do Not Sell My Personal Information” requirements.
- Details of how to submit a request to exercise their rights; and
- A list of categories of personal information relating to consumers that is collected, sold and disclosed for business purposes.
Businesses cannot discriminate against a consumer who exercises any of their rights under the CCPA.
However, a business may charge different prices or provide a different quality of goods or services if the difference is reasonably related to the value provided to the consumer by the consumer's data. A business may also offer financial incentives to a consumer for the collection, sale, or deletion of personal information on a prior opt-in consent basis.
What are the key things to consider when handling personal data?
As well as the exercise of rights that the CCPA provides and the specific online requirements, there are security measures organisations need to consider because of the liability that the CCPA places on businesses.
The CCPA holds businesses liable to consumers directly and open to penalties from the Attorney General when a consumer’s “nonencrypted or nonredacted personal information […] is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
What is meant by “reasonable security procedures and practices” is not defined under the CCPA and is likely to be subject to further development by the Attorney General. However, a number of security measures have historically been endorsed by the Attorney General that may be a useful point of reference in order to mitigate any risks by incorporating these into a CCPA compliance program.
In 2016, emphasis was placed on the Center for Internet Security controls as a baseline for any information security program. Full details can be viewed in the then Attorney General’s 2016 Data Breach Report.
While assessing your overall CCPA compliance efforts, we understand that Dotdigital is one of many tools your organisation uses to store and process personal information. There are a number of features built into the Dotdigital platform that help support your compliance requirements.
Responding to disclosure requests
When responding to valid disclosure requests, businesses need to provide details of categories of information held about a particular consumer.
Dotdigital makes it simple to export the information held in the platform in relation to a specific contact. You can export an individual contact from the contact editor, and exports additionally contain all Insight data you hold for them. This means that when you export a contact, you’ll now get a zip file with everything from the Email area of Dotdigital – which will also be in a usable format for responding to disclosure requests, should you need to fulfil one.
Note that if you have data held in the other areas of Dotdigital (surveys and forms, SMS or transactional email) you’ll still have to export that separately.
In the event that we receive a disclosure request directly from one of your clients (a consumer) whose data you manage, we will pass the request on to you so that you can handle it.
Responding to deletion requests
Dotdigital will be one of the places where you hold data about your clients and will need to be considered when responding to deletion requests. You can delete data in your account at any time (including when responding to a request for a consumer to be deleted).
All data is kept until either:
- You delete it, via the app or the API; or
- You close your account, in which case any remaining data is held for 90 days before deletion.
You can also optionally choose to expire pending contacts 30 days after our last contact attempt.
At the end of a contract, all client accounts are terminated, and associated data is deleted after 90 days. The platform enables clients to delete data during the term of the contract through the platform and in response to a request to be forgotten at no extra cost.
When you delete a contact, it is placed in the account's recycle bin for 30 days, after which it is deleted permanently. The exceptions are contacts you manually remove from the recycle bin, and suppressed contacts, which are deleted immediately.
Deleting suppressed contacts
A suppressed contact is one you can’t email (maybe because they unsubscribed, your previous emails to them have bounced, or another one of a handful of reasons).
Suppressed contacts can also be deleted, but this differs in one crucial way from deleting a normal contact: we won’t delete the email address. This is so we can continue to keep the contact suppressed, and so you don’t unintentionally email them in the future (by accidentally re-importing the contact to your account, for example). This follows best practice and supports your legal obligation to ensure the contact is no longer contacted.
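The two deletion paths described above (recycle bin with a 30-day retention window versus immediate deletion of a suppressed contact that retains only the bare address) are easy to get wrong in a custom integration that mirrors contact data outside the platform. The following is an added illustration, not Dotdigital's own code or API: a hypothetical in-memory `ContactStore` with constructed sample contacts that models that lifecycle, including the re-import check that keeps a deleted suppressed address from being re-enabled.

```python
"""Contact deletion lifecycle: recycle bin, purge, and suppression handling.

Added example (not Dotdigital's code). Models the behaviour described in the
text: a deleted contact sits in a recycle bin for 30 days before permanent
deletion unless removed manually; a suppressed contact is purged immediately
but its email address is retained so a later re-import cannot re-enable it.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Set, Tuple

RECYCLE_BIN_RETENTION = timedelta(days=30)  # retention period stated in the text


@dataclass
class Contact:
    email: str
    name: str = ""
    suppressed: bool = False  # unsubscribed, bounced, or similar


@dataclass
class ContactStore:
    """Hypothetical in-memory store standing in for an account's contact data."""
    contacts: Dict[str, Contact] = field(default_factory=dict)
    recycle_bin: Dict[str, Tuple[Contact, datetime]] = field(default_factory=dict)
    suppressed_addresses: Set[str] = field(default_factory=set)

    def add(self, contact: Contact) -> bool:
        """Import a contact; refuse if the address is on the retained suppression list."""
        key = contact.email.lower()
        if key in self.suppressed_addresses:
            return False
        self.contacts[key] = contact
        return True

    def delete(self, email: str, now: datetime) -> str:
        """Handle a deletion request. Returns what happened, for the audit trail."""
        key = email.lower()
        contact = self.contacts.pop(key, None)
        if contact is None:
            return "not-found"
        if contact.suppressed:
            # Profile data goes immediately; only the bare address is kept so the
            # contact stays suppressed if it is ever re-imported.
            self.suppressed_addresses.add(key)
            return "deleted-permanently"
        self.recycle_bin[key] = (contact, now)
        return "moved-to-recycle-bin"

    def remove_from_recycle_bin(self, email: str) -> bool:
        """Manual removal from the recycle bin deletes the contact permanently at once."""
        return self.recycle_bin.pop(email.lower(), None) is not None

    def purge_expired(self, now: datetime) -> int:
        """Permanently delete recycle-bin entries older than the retention period."""
        expired = [k for k, (_, deleted_at) in self.recycle_bin.items()
                   if now - deleted_at >= RECYCLE_BIN_RETENTION]
        for k in expired:
            del self.recycle_bin[k]
        return len(expired)

    def holds_data_for(self, email: str) -> bool:
        """True if any personal data beyond a bare suppressed address remains."""
        key = email.lower()
        return key in self.contacts or key in self.recycle_bin


def demo() -> dict:
    """Walk through both deletion paths with constructed sample contacts."""
    store = ContactStore()
    t0 = datetime(2020, 1, 1)
    store.add(Contact("alice@example.com", "Alice"))                    # constructed
    store.add(Contact("bob@example.com", "Bob", suppressed=True))       # constructed

    results = {
        "alice_delete": store.delete("alice@example.com", t0),
        "bob_delete": store.delete("bob@example.com", t0),
    }
    store.purge_expired(t0 + timedelta(days=29))
    results["alice_after_29_days"] = store.holds_data_for("alice@example.com")
    store.purge_expired(t0 + timedelta(days=30))
    results["alice_after_30_days"] = store.holds_data_for("alice@example.com")
    # Re-importing the suppressed address must be refused.
    results["bob_reimport_allowed"] = store.add(Contact("bob@example.com", "Bob again"))
    results["bob_data_remaining"] = store.holds_data_for("bob@example.com")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `holds_data_for` is that a deletion-request response should be able to confirm that no personal data beyond the retained suppression entry remains; the `purge_expired` scheduler is what actually honours the 30-day window, so it needs to run reliably rather than being left to ad hoc clean-up.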
Security is an integral part of the CCPA and you need reassurance that your suppliers have appropriate processes and measures in place to support your compliance obligations. Dotdigital takes the security of our clients’ data very seriously and a summary of our processes and policies is below.
Our process for reporting breaches concerning the data of individuals is addressed in our Data Processing Agreement and more specifically addressed in our Incident Reporting Policy.
In relation to the data our clients store with us (where we are a data processor), we will notify any affected client (data controller) of a data breach as soon as practically possible, and in any event, within 24 hours of discovering the breach.
Where is data stored?
To safeguard the confidentiality, integrity and availability of data, the core Dotdigital platform is hosted in high-security Microsoft Azure data centres. All Azure facilities meet a broad set of compliance standards, and Microsoft publishes a map of its Azure data centre locations.
The Google Cloud platform is also used for some of Dotdigital's more processing-intensive features such as Insight Data. Client data remains in the same region as the Dotdigital account.
More information on Google's regions is available from Google Cloud.
What security measures does Dotdigital have in place?
Please see our Trust Centre for high-level information on how we protect the confidentiality, integrity and availability of the Dotdigital services and the data held on our platform at www.dotdigital.com/trust.
Details of our technical and organisational security measures are provided below:
Dotdigital employs dedicated privacy & compliance and security teams (with a nominated Data Protection Officer) to oversee the security, privacy and compliance programs of the organisation.
Personnel Security (Human Resources Security)
Dotdigital maintains starter/leaver policies and procedures which will include the conducting of background checks (where available) on employees joining the organisation and revocation of access rights on termination of employment.
Physical & Environmental Security
Dotdigital restricts access to workspaces, and to secure data centre facilities where information systems that process personal data are located, to identified and authorised individuals.
Workstation Security & Server Security
Within Dotdigital, we:
- Employ a maintenance schedule that facilitates the timely installation of security
- Install and regularly update anti-virus
- Commission annual independent build reviews of workstations and servers
- Use role-based permissions to restrict access to
Within Dotdigital, we:
- Deploy firewalls at network perimeters, running management-authorised rule
- Maintain a vulnerability management program to regularly assess the security of network perimeters.
- Subject both internal and external networks to annual independent security assessments
- Undergo annual independent technical security reviews and maintain, at a minimum, Cyber Essentials Plus certification.
Full copies of our information security policies are available under NDA. If this is required, please reach out to your account manager or our support teams.
If you have any further queries in relation to Dotdigital and CCPA compliance, please contact firstname.lastname@example.org.
The information in this document is for general guidance and is not legal advice. If you need more details on your obligations or legal advice about what action to take, please contact your legal advisor or attorney.