May 11th 2020

The California Consumer Privacy Act Explained and Its Impact to Our Partners

In response to the recent global trend of enhanced data privacy regulation, the Ad Tech industry continues improving efforts to provide end users with more transparency and control in the way personal data gets used. The effectiveness of the GDPR in May 2018 was a big step in this direction, which continues with the California Consumer Privacy Act (CCPA). 

As the enforcement date of the CCPA quickly approaches, we at Vungle are taking a moment to discuss the impact this will have on our partners and other members of our industry.

Introduction: What is the CCPA?

The California Consumer Privacy Act (CCPA) is California’s new comprehensive privacy and data protection law. It broadly governs the collection of California residents’ “personal information” by for-profit businesses meeting certain criteria, along with the service providers and third parties who may receive or process personal information on their behalf. The CCPA applies to “personal information,” and defines this as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  CCPA became effective on January 1, 2020, and the California Attorney General may begin enforcement efforts as early as July 1, 2020.

 How CCPA Affects Our Industry 

Where the CCPA applies, it provides new rights to California consumers with respect to their personal information:

  • Transparency: The right to have companies subject to the CCPA maintain a privacy policy transparently describing generally (A) what personal information they collect and how it’s used and shared or, if applicable, sold, and (B) California consumers’ rights under the CCPA.
  • Access: The right to know, upon request, what personal information is collected, used, shared, or sold, by the company with respect to that consumer, both as to the categories and specific pieces of personal information.
  • Deletion: The right to have personal information deleted.
  • Opt-Out: The right to opt-out of “sale” of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with parent or guardian consent for children under 13.
  • Non-Discrimination: The right (with certain exceptions) to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

 Is CCPA like GDPR but for California?

Yes and no. Similar to the General Data Protection Regulation (GDPR), which became effective for the European Union in May 2018, the CCPA is a sweeping new privacy law to provide California residents with more transparency and control over how their personal information may be used and shared by businesses. The GDPR and CCPA also provide many of the same basic rights with respect to personal information such as transparency, access, and deletion.

 However, the GDPR differs with respect to certain administrative, record keeping, and logistical requirements that are not present under the CCPA. Additionally, the scope of data considered personal information and regulated by the CCPA, while similar, is actually broader than under the GDPR. 

 Probably the biggest difference is that the GDPR concept of a “legal basis” to lawfully process personal information is not required by the CCPA, except under the limited case of the sale* of personal information of data subjects under 16 years of age, for which explicit opt-in “consent” is required. (*Note – Vungle does not “sell” personal information, as defined by the CCPA.)

 Vungle’s Commitment to CCPA

Vungle takes its data privacy obligations seriously, and has taken or planned the following actions in preparation for CCPA compliance:

  • Privacy policy updates to satisfy the specific transparency requirements in the CCPA.
  • Contractual updates with partners to ensure that Vungle’s partners are required to comply with the CCPA’s requirements, particularly with respect to preventing the downstream “sale” of any data Vungle may need to share from time-to-time with other parties.
  • Mechanisms to address data subject requests such as access and deletion requests, including an email address and web portal where data subjects can (upon verification) exercise their rights under the CCPA.
  • Even though Vungle does not sell data as defined under the law, Vungle is preparing product updates to honor any “sale opt-out requests” it may receive from its business partners, as well as honor commitments to partners where Vungle has agreed to act as a “service provider.” 

Our team is closely monitoring the latest updates that the California Attorney General is making to proposed regulations under the CCPA to ensure our clients have the tools they need to be in compliance with the law as we enter enforcement.

Tony Ouk

Director of Product Marketing