California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) became effective on January 1, 2020. California consumers can also request information from businesses in respect to personal information (PI) that the business has collected since January 1, 2019.

Eight Consumer Rights

  1. Abbreviated Right to Know About the PI Collection
    • Businesses will need to disclose and deliver the required information including:
      • Categories of PI collected
      • The specific pieces of PI collected about the California consumer
  2. Expanded Right to Know About the PI Collection
    • Businesses will also need to disclose and deliver the following:
      • Categories of PI collected
      • Categories of sources from which PI is collected
      • The business or commercial purposes for the collection or selling of PI
      • The categories of 3rd parties with whom the business shares PI
      • The specific pieces of PI that it has collected about that consumer
  3. Detailed Right to Know About PI Sales and/or Disclosures for a Business Purpose
    • Within 45 days, disclose and deliver the following covering the previous 12 months:
      • Identify by category or categories the consumer's PI sold by the business in the previous 12 months
      • Identify by category or categories the consumer's PI disclosed for a business purpose in the previous 12 months
      • Provide the category or categories of third parties to whom the consumer's PI was disclosed for a business purpose in the previous 12 months
  4. Right to Opt Out of PI Sales for Adults
    • Stop selling consumer's PI unless the consumer subsequently provides express authorization for the sale of consumer's PI
    • Respect consumer's decision to opt out for at least 12 months before requesting that the consumer re-authorize the sale of consumer's PI
    • Use PI collected in connection with consumer's exercise of an opt-out request solely for complying with the opt-out request
  5. Right to Opt In to PI Sales to Children
    • Obtain opt-in consent from children between the ages of 13 to 16 or their parents/guardians if under the age of 13
  6. Right to Access and Portability

    A business is not required to provide PI to a consumer more than twice in any 12-month period.

    • Upon receipt of a verifiable request to access PI, the business shall do the following:
      • Take steps to disclose and deliver the PI requested
      • Either by postal mail, electronically, or portably, and to the extent technically feasible, in a readily usable format that allows the consumer to transmit this PI to another entity without hindrance (promptly … within 45 days)
  7. Right to Deletion
    • Business must delete a consumer's PI upon receipt of a verifiable request
  8. Right Not to be Discriminated Against for Asserting Rights 1 Through 7
    • Business cannot do the following:
      • Deny goods or services based upon exercise of consumer's CCPA rights
      • Charge different prices for goods or services based upon the exercise of consumer's CCPA rights
      • Provide different levels or quality of goods based upon the exercise of consumer's CCPA rights
      • Suggest that consumers will receive a different price or rate for goods or services for a different level or quality of goods or services

How Monetate Assists Clients in Compliance

  • Monetate will process any requests/notices sent by the client within 72 hours.
  • Monetate will not process any requests made by the consumer directly to Monetate. It will forward all such notices to the client immediately upon receipt so the client can determine whether it constitutes a "verifiable request."
  • Monetate will update its Platform Privacy Statement as necessary.
  • Monetate prepares Privacy Impact Assessments (PIAs) for all its products and updates these PIAs as necessary when new product features become generally available. Monetate will share these PIAs with any client that requests them. The current intent of the PIA is to make it easier for the client to prepare its own assessments as required by GDPR or the CCPA.
  • While not specifically required under the CCPA, Monetate's product development team practices Privacy by Design and Privacy by Default (as required under GDPR).
  • Monetate will conduct periodic training on data privacy (in general) and the CCPA (specifically) for all Monetate personnel who may have access to any PI (beginning in the autumn of 2019; all Monetate personnel have already undergone similar training for GDPR).
  • Monetate's privacy practice is currently based on compliance with GDPR since it is currently the strictest data privacy governing standard affecting its clients worldwide. Monetate will continue to take this holistic compliance approach and supplement it as new regulations and laws (like the CCPA) come into effect.