CCPA Compliance

• Gives You Ownership – Protect your right to tell us not to share or sell your personal information.
• Gives You Control – Gain control over the personal information that is collected about you.
• Gives You Security – Responsibility for safeguarding your personal information.

It’s important to check if you meet the following requirements. The CCPA applies to any for-profit entity doing business in California that collects and controls the processing of a consumer’s personal information (“controllers”) and also satisfies ANY one of the following thresholds:

• Exceeds $25 million gross revenue annually,
• Handles the personal information of 50,000 or more California consumers, households, or devices annually, or
• Derives more than 50% of annual revenue from selling consumers’ personal information.

There’s currently a non-exhaustive list of specific categories of personal information defined in section 1798.140 of the law.

ZINFI’s UPM acts as a data processor and utilizes only partner records. ZINFI primarily processes and houses only business contact details such as name, business email, business phone numbers, etc. ZINFI’s system does not have access to, nor does it sell any data concerning its customers’ partners, those partners’ customers or end customers.

The U.S. federal government has passed laws targeted at select areas of data privacy such as Children’s Online Privacy Protection Act (COPPA) and the CAN-SPAM Act, and every state has adopted its own version of a data breach notification law. However, the CCPA is the first and most extensive regulation of its kind in the United States to codify privacy protections for the residents of a particular state.

The CCPA protects privacy by affording Californians the right to access, delete and opt out of the sale of their data. The CCPA protects “consumers,” which are broadly defined as California residents. The term “consumers” extends to both California residents currently in the state and those traveling outside of the state. The term encompasses customers of goods and services, employees and participants in business-to-business transactions.

You might be wondering what type of data is protected. Right now, the data covered can be broadly described as all data collected on consumers. You can think of it as data that directly or indirectly identifies, describes or can reasonably be linked to a particular consumer or household. For example, commercial Internet activity information and any inferences drawn about a consumer apply. There’s currently a non-exhaustive list of specific categories of personal information defined in section 1798.140 of the law.

Individuals’ rights

• The CCPA grants consumers rights to know what personal information a business sells, discloses or collects about them as well as categories of third parties who purchased or received their data. Consumers have the right to obtain a copy of personal information collected about them by making “verified consumer requests.” Customers then have the right to transmit the information from one entity to another.
• Consumers can request that a business delete any of the personal information that the business has collected from them. The CCPA creates certain exceptions to this deletion right, like when personal information is necessary to perform a contract or complete a transaction.
• Consumers are given the right to opt out of the sale of their personal information, and the CCPA prohibits businesses from discriminating against consumers that exercise their opt-out rights. Companies cannot ask consumers to sign contracts that limit their data privacy rights under the CCPA. This includes contract provisions limiting or waiving the right to a specific remedy or means of enforcement for an alleged violation.

Internal expectations for your business

• Make required disclosures: Businesses must notify consumers of their rights under the CCPA, including their right to deletion, right to know, and data portability rights, as well as how to exercise these rights. These required disclosures can either be made via privacy policies, in CCPA-specific notices, or at the time the personal data is collected. Companies’ privacy policies must lay out how the collected data will be used. The CCPA imposes obligations for companies that sell a consumer’s personal information and/or the data of children. However, this document will not cover those exceptions because ZINFI customers are not allowed to use our products to sell data or collect children’s data.
• Respond to consumer rights requests: Businesses must implement processes to respond to verified consumer requests and opt-out requests. For example, responses to customer requests must cover the 12-month period preceding the request, so companies must have a way to date the data they collect.
• Maintain access and portability: Businesses must make at least two methods for submitting requests available to consumers including, at a minimum, a toll-free telephone number and a website address if the business maintains one. Businesses must respond to consumers’ requests for information within 45 days of receiving a request, which may be delivered by mail or electronically in a portable format. However, for online-only businesses, one proposed amendment to the CCPA allows them to make, at a minimum, only an email address available for submitting requests for information.
• Deletion: If requested, businesses must delete a consumer’s personal information from its records unless maintaining the information is necessary to complete a transaction, for security or fraud-prevention purposes or for another purpose listed in the Act.
• Opt-out: Companies that sell data must disclose that they do so to their customers, and include a “Do Not Sell My Personal Information” link giving consumers the opportunity to opt out both in a privacy policy and on the company’s website homepage. If a consumer opts out or refuses to opt in, the business must honor that request and continue to provide equal service and pricing to consumers that opted out.

The Act is enforced by the California Attorney General, and currently provides businesses 30 days to comply if accused of noncompliance. However, a proposed bill removes this time period and allows for enforcement immediately. Civil penalties of up to $2,500 per violation or $7,500 for intentional violations may be imposed. The CCPA extends a private right of action to consumers, giving businesses exposure not only to government fines but also to lawsuits from customers.

Since there is a significant amount of overlap between the CCPA and the GDPR:

• ZINFI’s seven-factor CCPA commitment – Data Protection Office, Data Security, Consent Management & Policies, Data Accuracy, Secure Data Processing Architecture, Data Breach Procedures and Security Training.
• ZINFI has extensive resources on GDPR that explain our product and system features, and the functionality used by us and by our customers to support compliance with GDPR.
• A good portion of the existing product and system features, processes and policies that are currently used for GDPR compliance are used in similar ways for compliance with CCPA. For example, we handle access and deletion requests (these are currently requirements under both bodies of law) by using our existing functionality.
• Consent management:
  • ZINFI has established not only simple consent-obtaining procedures, but also processes that demonstrate that the data subject has consented to processing of his/her data. Records are stored for ready access.
  • Consent requests are presented to consumers in an intelligible and easily accessible form, using clear and plain language. Our “Do Not Sell My Personal Information” policy is presented transparently.
  • Requests for consent clearly reflect the use of the service for which data is collected. The following are clearly defined and mailed to CA clients, prior to processing:
    • Why we collect the specific information
    • What we do with it
    • How long we keep it
    • How we destroy/retain it
    • How individuals can access the information we hold about them
    • Right to be forgotten information: the data subject’s right to withdraw consent at any time; the process for withdrawing consent should be just as easy as that for giving consent