California Consumer Privacy Act (CCPA) Frequently Asked Questions
Last Updated Date: April 26, 2020
This FAQ is for informational purposes only. It is intended to provide information on PurpleLab’s approach to addressing the potential obligations imposed by the CCPA on PurpleLab’s business model. It is not intended to provide legal or business advice to any other company or individual. The obligations imposed by the CCPA depend on how your company collects and uses personal information and you are solely responsible for seeking your own advice as needed for your company’s compliance needs under the CCPA or otherwise.
1. What is the CCPA?
The California Consumer Privacy Act (CCPA) is a comprehensive privacy law that came into effect on January 1, 2020. The law is enforced by the California Attorney General (AG), who is also tasked with issuing regulations under the CCPA. Enforcement can begin six months after the AG issues final regulations or on July 1, 2020, whichever is sooner.
The CCPA applies across all industry sectors, imposing obligations on companies that handle personal information. The CCPA’s requirements include:
- Providing privacy notices
- Implementing processes for individuals to access and delete their personal information
- Allowing individuals to opt out from “sales” of their personal information
The “sale” opt out right impacts more than just traditional sales of data for money. The CCPA defines “sale” broadly to include many commonplace data sharing arrangements, even where no money is exchanged. However, data sharing with a business’s service provider is not considered a “sale,” as long as certain contractual terms are in place between a business and its service provider.
2. How is PurpleLab preparing for the CCPA?
PurpleLab has been actively assessing its obligations under the CCPA and has a core team focused on leading CCPA efforts, as well as privacy and regulatory in general. This core team has been working closely with outside privacy counsel who focus on CCPA compliance and the changing privacy regulatory environment. Among other activities, PurpleLab is preparing processes for receiving and responding to consumer rights requests we may receive, revising applicable privacy policies, and reviewing and modifying contracts to align with applicable CCPA requirements.
3. How can our Clients continue to use PurpleLab’s services consistent with the CCPA?
As currently defined under the CCPA, a “service provider” processes California consumers’ personal information on behalf of another business. To be a service provider, the entity must receive the personal information under a written contract that limits the service provider’s processing to purposes specified in the contract or otherwise permitted by the CCPA. A “business” is a for-profit entity that determines the purposes and means of processing California consumers’ personal information and that meets certain thresholds around revenue and similar factors.
4. What additional information will PurpleLab provide in the future?
PurpleLab plans to:
- Provide a process for submitting requests for exercising applicable rights under the CCPA, including “sale opt-out” and “deletion” requests.
- Notify you if we need to put into place any new terms which are required by the CCPA regulations thus far.
- Continue to work closely with our outside privacy counsel to address any obligations arising out of updates or changes to the CCPA regulations and will notify you of material changes which may affect the processes we have outlined above or implemented.
Please visit our Privacy Page on our main website at PurpleLab.com for more information and resources.