California Consumer Protection Act (“CCPA”)
Frequently Asked Questions
Note: This document is provided for the convenience of our customers only. It does not, and is not intended to, provide legal advice. Please seek advice from your own legal counsel about how CCPA directly affects your business.
- What is the CCPA?
The California Consumer Protection Act (“CCPA”) is California’s new comprehensive privacy and data protection law. It broadly governs the collection, use and disclosure of California residents’ “personal information” by for-profit businesses (including the third parties who may receive or process personal information on their behalf). The California Attorney General has the primary duty to enforce the law, though there is a limited private right of action for security breaches involving certain categories of sensitive data (not applicable to Vungle). CCPA comes into effect on January 1, 2020, and the Attorney General may begin enforcement efforts potentially as early as July 1, 2020.
- Is CCPA like GDPR but for California?
Yes and no. Similar to the General Data Protection Regulation (“GDPR”), which became effective for the European Union in May 2018, the CCPA is a sweeping new privacy law aiming to provide California residents with more transparency and control over how their personal information may be used and shared by businesses. The GDPR and CCPA also provide many of the same basic “rights” with respect to personal information, such as transparency, access, and deletion.
However, the GDPR differs with respect to certain administrative, record keeping, and logistical requirements that are not present under the CCPA. Additionally, the kind of information regulated by the CCPA, while similar, is actually broader than under the GDPR (see more below). And probably the biggest difference is that the GDPR concept of a “legal basis” (e.g., consent, legitimate interests, performance of a contract, etc.) to lawfully process personal information is not required by the CCPA, except under the limited case of the sale** of personal information of data subjects under 16 years of age, for which explicit opt-in “consent” is required. (**Note – Vungle does not “sell” personal information, as described by the CCPA.)
- Does the CCPA affect Vungle even though Vungle does not process data points like names, phone numbers, and email addresses?
The CCPA applies to “personal information,” and defines this as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA also explicitly includes online identifiers, IP address, information regarding interactions with applications and advertisements in the definition of personal information. These explicit classes of data, along with the concept of information on “households,” is arguably broader than what is covered by the GDPR. Nevertheless, application of this broader definition of “personal Information” does, not vis-a-vis the GDPR, have a different impact on Vungle’s business practices. Also, publicly-available information along with aggregated or de-identified data are excluded.
- What steps is Vungle taking to prepare for the CCPA?
Vungle takes it data privacy obligations seriously. Accordingly, Vungle is planning the following steps to fulfill its obligations under the CCPA:
- Contractual updates with partners to ensure that Vungle’s partners are required to comply with the CCPA’s requirements, particularly with respect to preventing the downstream “sale” of any data Vungle may need to share from time-to-time with other parties.
- Mechanisms to address data subject requests, such as access and deletion requests, including an email address and web portal where data subjects can (upon verification) exercise their rights under the CCPA.
- Though Vungle does not “sell” data as defined under the law, Vungle is preparing product updates to honor any “sale opt-out requests” it may receive from its business partners.
For any other questions, please contact your Sales Account Representative, or email Vungle at CCPA@vungle.com.