We're not arguing semantics! Understanding the CCPA's terms and definitions is the first step to compliance.
As you pore over the terms of the California Consumer Privacy Act, it’s easy to get lost in the technical jargon. The overall goal of the privacy legislation is easy enough to understand, but when you’re tasked with helping your marketing team come into compliance with the new regulations, the fine details matter.
Further complicating matters is the fact that the CCPA, like other regulatory acts before it, sometimes defines words and phrases on its own terms. In CCPA parlance, for example, the term “personal information” has a somewhat different meaning than how it is used in the European Union’s GDPR, not to mention by the marketing industry in general.
To help you untangle yourself from this jargon, we’ve rounded up some of the most common technical terms you need to know to fully understand the CCPA and its requirements.
Under the CCPA, the definition of personal information is broader, and has much broader applications, than marketers might be familiar with. It refers to any type of data that either identifies individuals or could be reasonably linked to an individual user or household, but it also includes non-identifying information, including inferences drawn from that information.
In effect, this covers every type of data that marketers collect and use. Basic identifying information—like name, address, phone number, IP address, email address, or Social Security numbers—are obvious examples of personal information, but non-identifying data also counts. For marketers, this might include behavioral and transactional data (for example, what someone has purchased or what pages they visited on your website).
Race, gender, sexual orientation, age, and other demographic data are treated the same under CCPA as biometric, geolocation, psychographic, and other types of non-identifying data. Even insights drawn from non-identifying data—for instance, assigning people to buyer personas—qualify as “personal information” under the CCPA, which will require an adjustment from many marketers now being asked to interpret and account for the legislation.
The CCPA defines de-identified data as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.” This can include identifying data that has been scrubbed of its identifying qualities, resulting in anonymized data that organizations can safety use for marketing and other purposes.
Marketers can use de-identified data to generate insights and research regarding a company’s audience (for example, evaluating website or campaign performance) without the worry of complying with requests from customers to view, delete, or opt out of the sale of that data. Additionally, de-identified data poses less of a business liability in the event of a data breach.
To qualify as de-identified data, though, the data must be incapable of being re-identified with users at a later date, and businesses must have data management procedures in place to prevent re-identification from occurring. For some companies, this definition may prompt a revised approach to current data management practices.
In the CCPA, a household is a term used to identify a collective of individuals, such as a family or the occupants of a residential address. The CCPA treats households and individual consumers the same in regards to data identification: If businesses can use data to narrow the possible list of consumer identities down to a single household, it’s the same as being able to identify the individual.
This is an important protection given the way multiple devices and users will be connected to a single network and is one of the reasons that the CCPA’s definition of personal information is unprecedentedly broad.
Under the CCPA, a vendor is any for-profit entity that processes information on behalf of a for-profit business. For marketers, these are likely to be agencies and martech and adtech partners. A service provider is a specific kind of vendor that has a contract with a business that limits how they can use consumer information.
These contracts bar service providers from using or retaining personal consumer information for any reason other than to perform their stated services to a business. The terms of managing consumer data are tightly controlled, and service providers are not allowed to retain this data after their services to the business are complete.
A service-provider relationship, as opposed to a vendor relationship, is beneficial to marketers because if a consumer opts out of selling their data, companies are still able to share that data with agencies and other partners for marketing purposes.
The act of “processing” data doesn’t merely correspond to the active use of data for business purposes. Any collection, possession, or other handling of data counts as “processing,” regardless of whether it was collected manually or by automation. For marketers, this means that explicitly declared data, for instance when a consumer fills out a form, is “processed” just like data collected via cookies or other automatic mechanisms.
Processing has a more limited scope in the CCPA than it does in GDPR, and there are certain types of data that are excluded from CCPA processing regulations, such as the personal data used by credit reporting agencies, but both service providers and businesses are liable for penalties if they fail to comply with new protections governing data processing.
So-called “third parties”—essentially, data brokers—are the main target of the CCPA, since one of the primary goals of the legislation is to restrict the sale of consumer data by third-party organizations. The regulation states that any organization that is not either the first-party business that gathers information through interaction with consumers or a service provider receiving and using consumer information specifically for a company’s business purposes qualifies as a third party.
Businesses regulated by the CCPA are required to honor consumer requests to opt out of the sale of their data to these third parties, which in turn re-sell them to other organizations as undeclared (and unverified) data. Where this matters most to marketers is its impact on the availability of third-party data—if a critical mass of consumers opt out of the sale of their personal information, it makes purchasing third-party data a less attractive option for marketers.
The act of selling data encompasses a wide range of activities, including the renting, transfer, trade, or any other transaction involving private consumer information.
It’s important to emphasize that money does not need to be involved to classify as “selling data” under the CCPA. Any sort of compensation or benefit in exchange for this information can violate the terms of the regulation if any of the data being sold belongs to a consumer or consumers who have already opted out.
This could impact marketers in a number of ways. Even though the marketing team isn’t likely to be the ones directly selling data to brokers in the traditional sense, other activities that marketers perform could count—sharing consumer data with vendors and agencies without a service-provider relationship, for example, or sharing data with partners for co-marketing opportunities.
The California Attorney General is expected to provide clarification on the legislation’s murkier aspects, so many of the questions being grappled with now should be resolved by early 2020. In the meantime, companies would be wise to plan with more conservative interpretations in mind, since they will already be on the hook to comply with the regulations by the time the clarifications are released.
Until then, study up on the CCPA and start planning your organization’s improved approach to data management.