Data Privacy Regulations

New data privacy laws and regulations, such as the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the UK's Privacy and Electronic Communications Regulations (PECR), are designed to give consumers more visibility into and control over the data that companies collect about them. As a personalization vendor that collects anonymized user data by default and, when certain features are enabled and used, can identify specific customers, Monetate is responsible for helping clients comply with these regulations. This documentation describes Monetate's stance on data privacy laws and the tools it provides to aid in compliance.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) became effective on January 1, 2020. California consumers can also request information from businesses with respect to personal information (PI) that the business has collected since January 1, 2019.

Eight Consumer Rights

  1. Abbreviated Right to Know About the PI Collection
    • Businesses will need to disclose and deliver the required information including:
      • Categories of PI collected
      • The specific pieces of PI collected about the California consumer
  2. Expanded Right to Know About the PI Collection
    • Businesses will also need to disclose and deliver the following:
      • Categories of PI collected
      • Categories of sources from which PI is collected
      • The business or commercial purposes for the collection or selling of PI
      • The categories of 3rd parties with whom the business shares PI
      • The specific pieces of PI that it has collected about that consumer
  3. Detailed Right to Know About PI Sales and/or Disclosures for a Business Purpose
    • Within 45 days, disclose and deliver the following covering the previous 12 months:
      • Identify by category or categories the consumer's PI sold by the business in the previous 12 months
      • Identify by category or categories the consumer's PI disclosed for a business purpose in the previous 12 months
      • Provide the category or categories of third parties to whom the consumer's PI was disclosed for a business purpose in the previous 12 months
  4. Right to Opt Out of PI Sales for Adults
    • Stop selling consumer's PI unless the consumer subsequently provides express authorization for the sale of consumer's PI
    • Respect consumer's decision to opt out for at least 12 months before requesting that the consumer re-authorize the sale of consumer's PI
    • Use PI collected in connection with consumer's exercise of an opt-out request solely for complying with the opt-out request
  5. Right to Opt In to PI Sales to Children
    • Obtain opt-in consent from children between the ages of 13 to 16 or their parents/guardians if under the age of 13
  6. Right to Access and Portability
    • Upon receipt of a verifiable request to access PI, the business shall take steps to disclose and deliver the PI requested
    • Delivery must be by postal mail or electronically and, to the extent technically feasible, in a readily usable, portable format that allows the consumer to transmit this PI to another entity without hindrance (promptly, and within 45 days)
    • A business is not required to provide PI to a consumer more than twice in any 12-month period
  7. Right to Deletion
    • Business must delete a consumer's PI upon receipt of a verifiable request
  8. Right Not to be Discriminated Against for Asserting Rights 1 Through 7
    • Business cannot do the following:
      • Deny goods or services based upon exercise of consumer's CCPA rights
      • Charge different prices for goods or services based upon the exercise of consumer's CCPA rights
      • Provide different levels or quality of goods based upon the exercise of consumer's CCPA rights
      • Suggest that consumers will receive a different price or rate, or a different level or quality of goods or services, depending on whether they exercise their CCPA rights

How Monetate Assists Clients in Compliance with CCPA

  • Monetate will process any requests/notices sent by the client within 72 hours.
  • Monetate will not process any requests made by the consumer directly to Monetate. It will forward all such notices to the client immediately upon receipt so the client can determine whether it constitutes a "verifiable request."
  • Monetate will update its Platform Privacy Statement as necessary.
  • Monetate prepares Privacy Impact Assessments (PIAs) for all its products and updates these PIAs as necessary when new product features become generally available. Monetate will share these PIAs with any client that requests them. The current intent of the PIA is to make it easier for the client to prepare its own assessments as required by GDPR or the CCPA.
  • While not specifically required under the CCPA, Monetate's product development team practices Privacy by Design and Privacy by Default (as required under GDPR).
  • Monetate will conduct periodic training on data privacy (in general) and the CCPA (specifically) for all Monetate personnel who may have access to any PI (beginning in the autumn of 2019; all Monetate personnel have already undergone similar training for GDPR).
  • Monetate's privacy practice is currently based on compliance with GDPR since it is currently the strictest data privacy governing standard affecting its clients worldwide. Monetate will continue to take this holistic compliance approach and supplement it as new regulations and laws (like the CCPA) come into effect.

EU (GDPR)

The European Union's General Data Protection Regulation (GDPR) and the CCPA share many of the same concepts. Both laws only apply to their respective constituents. However, companies have begun to incorporate these concepts into their operations in anticipation of broader adoption.

In general, these laws apply to Monetate in two ways. In each case, consumers submit a request to you. Those requests are then passed to Monetate in the form of customer IDs via an API endpoint.

  1. Right to Be Forgotten
    • What is it? Consumers can request that a company erase their personal data so that they are no longer tracked and their data is deleted across the company's full ecosystem.
    • Monetate's actions: After receiving the request through the API, the user associated with each customer ID is erased from Monetate's database and will be removed again if identified in any future sessions.
    • Consumer Data Privacy API
  2. Right to Access
    • What is it? Consumers have the right to access their personal data and can submit a request to companies to view what data has been collected about them.
    • Monetate's actions: After receiving the request through the API, Monetate outputs all the data it has collected for each customer ID to a CSV file, which you can retrieve via SFTP and then aggregate into a customer profile.
    • Consumer Data Access API

UK (PECR)

In the UK, The Privacy and Electronic Communications (Amendment) Regulations 2018 (ePrivacy Regs), or PECR, came into force on 17 December 2018.

The PECR covers several areas, including marketing by electronic means, the use of cookies and similar technologies, the security of public electronic communication services, and the privacy of customers using such communication networks and services. The GDPR does not replace the PECR; the two sit alongside each other. The PECR gives people specific privacy rights in relation to electronic communications. All applicable companies that use cookies or similar technology when interacting with UK customers must now comply with the PECR.

The PECR prohibits companies from transmitting or instigating the transmission of unsolicited electronic communications to consumers for the purposes of direct marketing, unless that individual has given their prior consent to receive such communications or if the sender can demonstrate an existing commercial relationship with the recipient.

If a site uses cookies to interact with UK customers, then it must do the following:

  • State what cookies will be set
  • Explain what the cookies will do
  • Obtain consent to store cookies on devices, and consent must be actively and clearly given

Cookies don't require consent if they are exempt as essential, which means they meet one of two criteria:

  • They are used solely for the purpose of carrying out or facilitating the transmission of a communication over an electronic communications network
  • The storage or access is strictly necessary for the provision of an information society service requested by the user

Monetate recommends that clients classify Monetate cookies as essential because the platform is used to carry out and facilitate communication related to customers' experiences on the website. This includes, but is not limited to, the visual display of imagery, text, and UX/UI layout. Some experiences hide images and content on the landing page that the client doesn't want the customer to see; if the Monetate ID (the mt.v cookie) isn't classified as essential, that content isn't hidden. While Monetate believes that consent is not required, it does recommend explaining to visitors that cookies are used to track engagement and refine the user experience as a means of enhancing their future visits.
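The three obligations listed above (state which cookies will be set, explain what they do, and obtain active consent for anything that is not essential) can be enforced in the browser rather than left to a banner that sets everything regardless of the answer. The following is an added example, not Monetate's code or any real consent-management product: it keeps a registry of every cookie the site may set, refuses to write a cookie that is unregistered or whose category has not been consented to, rejects non-affirmative consent, and deletes already-set cookies when consent is withdrawn. All cookie names, categories and purposes in COOKIE_REGISTRY are constructed for illustration; the classification of any real cookie, including mt.v, is the site owner's decision.

```javascript
// Added example (not Monetate's code): a consent gate modelling the PECR rule
// that only "strictly necessary" cookies may be set before the visitor consents.
// Cookie names, categories and purposes below are constructed for illustration.

const ESSENTIAL = "essential";
const ANALYTICS = "analytics";
const MARKETING = "marketing";

// Constructed registry of every cookie the site may set. Keeping it in one
// place turns "state what cookies will be set" and "explain what they do"
// into rendering this table (see cookieNotice below).
const COOKIE_REGISTRY = {
  session_id: { category: ESSENTIAL, purpose: "keeps you signed in for this visit" },
  "mt.v":     { category: ESSENTIAL, purpose: "visitor ID so personalised layouts render consistently" },
  _ga:        { category: ANALYTICS, purpose: "measures page views and engagement" },
  ad_id:      { category: MARKETING, purpose: "targets advertising on other sites" },
};

class ConsentState {
  constructor() {
    this.granted = new Set();
    this.recordedAt = null; // when consent last changed; keep as evidence
  }

  // Consent must be an affirmative act: pre-ticked boxes, scrolling or
  // "continued use" are rejected here instead of being silently accepted.
  grant(categories, opts = {}) {
    if (opts.affirmative !== true) throw new Error("consent must be actively given");
    for (const c of categories) {
      if (c !== ESSENTIAL) this.granted.add(c); // essential needs no consent
    }
    this.recordedAt = new Date().toISOString();
  }

  withdraw(categories) {
    for (const c of categories) this.granted.delete(c);
    this.recordedAt = new Date().toISOString();
  }

  allows(category) {
    return category === ESSENTIAL || this.granted.has(category);
  }
}

class CookieJar {
  constructor(consent, registry = COOKIE_REGISTRY) {
    this.consent = consent;
    this.registry = registry;
    this.store = new Map(); // stands in for document.cookie
    this.blocked = [];      // audit trail of refused writes
  }

  // Returns true when the cookie was set, false when it was blocked.
  set(name, value) {
    const entry = this.registry[name];
    if (entry === undefined) {
      // Default deny: a newly added script cannot start tracking before the
      // cookie has been disclosed in the registry.
      this.blocked.push({ name, reason: "not in cookie registry" });
      return false;
    }
    if (!this.consent.allows(entry.category)) {
      this.blocked.push({ name, reason: `no consent for ${entry.category}` });
      return false;
    }
    this.store.set(name, value);
    return true;
  }

  has(name) {
    return this.store.has(name);
  }

  // After withdrawal, cookies already set in the withdrawn categories are
  // removed so that tracking actually stops. Returns the number removed.
  purgeNonConsented() {
    let removed = 0;
    for (const name of [...this.store.keys()]) {
      if (!this.consent.allows(this.registry[name].category)) {
        this.store.delete(name);
        removed++;
      }
    }
    return removed;
  }
}

// The disclosure a consent banner must carry: each cookie, its category
// and what it does, derived from the same registry the gate enforces.
function cookieNotice(registry = COOKIE_REGISTRY) {
  return Object.entries(registry).map(
    ([name, { category, purpose }]) => `${name} [${category}]: ${purpose}`
  );
}
```

In a real page the `CookieJar` would wrap `document.cookie` (and the equivalent `localStorage` writes, which the PECR treats the same way), and third-party tags would be loaded only after `consent.allows()` returns true for their category; the point of the example is that the registry is the single source of truth for both the notice shown to visitors and the writes the browser is allowed to make.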

Additional Documentation

Refer to these resources for more information about the regulations discussed in this documentation:
