Disclaimer: The content in this post is not – and should not be interpreted as – legal advice. For detailed information regarding the technicalities of CCPA, please seek legal counsel.
If you’re a business serving clients within the State of California, you’ve likely heard of the California Consumer Privacy Act (“CCPA”) going into effect on 1 January 2020. The CCPA will essentially change the way businesses can collect and process any personal data from California residents, and it follows the trend started by the EU General Data Protection Regulation (GDPR), which was introduced in 2018.
To help your business remain CCPA compliant, we’ve put together a rundown of what you should know (and what you’ve likely asked yourself) regarding CCPA – as well as the tools we at Nosto have put in place to help ensure our clients abide by CCPA regulations.
What is the CCPA?
The California Consumer Privacy Act (CCPA, for short) is a Californian data protection regulation that grants consumers new rights with respect to the collection of their personal information. In the context of the CCPA, the term “consumer” refers to a California resident. The CCPA essentially reshapes the way organizations across the U.S. approach data protection – strengthening data protection for all individuals who interact with these businesses.
Even though CCPA is a Californian regulation, could it also apply to U.S. companies outside of California?
The short answer: yes, it could apply to U.S. companies outside of California. While the CCPA is a regulation binding and applicable across the State of California, it has implications and requirements for all non-Californian businesses processing California residents’ data.
The CCPA obligations apply to an organization (“business”) that:
1. is for-profit
2. collects consumers’ personal information, or on behalf of which such information is collected
3. determines the purposes and means of the processing of consumers’ personal information
4. does business in California
5. meets any of the following thresholds –
- has annual gross revenue in excess of $25 million
- alone or in combination, annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices, or
- derives 50% or more of its annual revenues from selling consumers’ personal information.
If an online retailer located outside of California processes the data of a California resident, that data must be processed and stored according to the CCPA, and not only following the legislation of the retailer’s business location. This is why we have applied changes throughout our customer base, regardless of business location, so that all Nosto-powered retailers can be CCPA compliant.
How has Nosto prepared for CCPA?
We take data privacy very seriously. The introduction of the GDPR was an important milestone for us, and in preparation for GDPR, we fine-tuned our processes in order to cater for the needs of the regulation. The CCPA is in many ways quite similar to the GDPR and has therefore not required extensive changes to our infrastructure or processes.
Which data types are gathered?
The Nosto service allows merchants to control the personal data that is gathered from the consumers and has built-in tools to assist the Nosto-powered retailers in fulfilling the requirements of the CCPA.
The Nosto Service has the capability to collect the following data types: first name, last name, email address, user agent (browser), IP address, events, viewed products, order events, cart content, liked products, image files, disliked products, external campaign attributions, clicked recommendations, order information, phone number, zip code, country code and sent emails.
Disabling data types will have a negative impact on the functionality of the Nosto service. For example, disabling emails will prevent Nosto from sending triggered emails.
How do I manage the data that is in the Nosto Service?
Nosto-powered retailers can extract and/or delete data through the back-end of the Nosto Service. This will assist the retailer in complying with consumers’ disclosure or data deletion requests.
What else do I have to know about CCPA?
Please bear in mind that businesses must inform end-users about the types of information that will be collected from them and how it will be used. They may also be required to post links and information on their websites. Please seek legal counsel in order to ensure that your business fully complies with the relevant obligations.