The California Consumer Privacy Act ("CCPA") is a comprehensive data privacy law that imposes new obligations on certain businesses that collect, use, or share information related to California residents. The new law goes into effect on January 1, 2020.
LiveIntent has been preparing intently for the CCPA, and we offer this overview to help our partners — publishers, advertisers, agencies, and others — understand how the CCPA may affect their relationships with us. We have broken down this article into the following topics:
- What is the CCPA, and when does it apply? While many of our partners may be covered, others might not. Either way, we are flexible and able to support your needs.
- What is LiveIntent’s role under the CCPA? The CCPA covers different categories of entities known as businesses, service providers, and third parties. For some of our Services, LiveIntent is considered a business under the CCPA. For other Services that we offer to our partners, LiveIntent is considered a service provider.
- What is personal information under the CCPA? The CCPA defines personal information broadly. In order to provide our Services, LiveIntent receives a number of data points from and related to consumers on behalf of our partners. The data points differ depending on the Services used, but many of the data points are likely to be considered personal information, as defined under the CCPA.
- How does LiveIntent support our partners’ CCPA compliance efforts? Shortly after the CCPA was passed, our team began working to understand the impact of the CCPA on our business and the businesses of our partners. We are prepared to support our partners’ CCPA compliance efforts to ensure our solutions work for LiveIntent, our business partners, and their customers.
What is the CCPA? When does it apply?
The CCPA is a comprehensive information privacy law that goes into effect on January 1, 2020. The CCPA provides California residents with rights to know what personal information about them is collected or disclosed, request that their personal information be deleted from the relevant database, and opt-out of the sale of their personal information.
The sale of personal information is defined broadly to include the sharing of personal information for monetary or other valuable consideration (which could include the provision of Services) to a recipient that is not contractually bound to use the personal information to only provide services to the party that provided it. The CCPA provides that California residents may exercise these rights without facing unreasonable discrimination.
The CCPA applies to businesses that:
- Collect, use, or share information related to California residents.
- Do business in the state of California.
- Determine the purposes or means of processing that information alone or jointly with others.
- And meet one of the below criteria:
- Have greater than $25 million in annual revenue.
- Handle the personal information of 50,000 or more consumers, households, or devices in a year.
- Derive 50% or more of its annual revenue from the sale of personal information.
What qualifies as personal information under the CCPA?
Personal information is broadly defined under the CCPA as
|information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked (directly or indirectly) with a particular consumer or household. Examples include, but are not limited to, a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.|
Today, there is no clear, quantitative threshold of what can be defined as “reasonably linked”.
Generally speaking, if data relates to a consumer or household, even if that data cannot directly identify that consumer or household on its own, the data may still be considered personal information. Personal information may, therefore, include (along with other data elements) precise geolocation, IP address, browsing history, online identifiers, and information about how consumers’ interact with websites.
While LiveIntent does not have a first-party relationship with consumers, our partners do pass along information regarding their customers so that we can continue to deliver targeted advertising or sell advertising space on behalf of our partners. Some of the information we receive will be considered personal information.
What is LiveIntent’s role under the CCPA?
The CCPA establishes requirements related to three different types of entities:
- Businesses: for-profit organizations doing business in California that collect and determine the purposes and means of processing personal information and meet the revenue or processing requirements noted in the 'What is the CCPA' discussion above.
- Service providers: for-profit organizations that process personal information on behalf of businesses and subject to written contracts.
- Third parties: entities other than 1) the business that collects personal information governed by the CCPA; and 2) organizations that receive personal information from the business pursuant to a written contract (e.g., service providers).
Generally, LiveIntent is considered a “business” under CCPA, as LiveIntent buys, receives for commercial purposes, sells, or shares for commercial purposes personal information including IP addresses and hashed email addresses in order to provide some of our Services. In particular, LiveIntent maintains an Identity Graph containing linkages between identifiers that are associated with our partners’ customers. Many of our partners contribute to the LiveIntent Identity Graph in order to benefit from the linkages for audience-targeted campaigns.
Some of our offerings involve collecting and using personal information solely to provide Services to a specific partner. For those offerings, we act as a “service provider” to our partners.
We are happy to discuss with our partners the ways in which we can support their goals by providing Services as a business or a service provider.
How will LiveIntent support our Partners’ CCPA compliance efforts?
LiveIntent will work with our partners to comply with obligations under the CCPA, including but not limited to, ensuring notice is provided to California residents at or before the collection of personal information and building solutions to act upon consumer rights requests including opt-outs, access, and deletion requests. Our technology teams are developing solutions involving industry-led efforts, such as the proposed IAB CCPA Compliance Framework, as well as our own compliance solutions. In addition, our legal team is working to ensure that our contracts contain clear provisions articulating our responsibilities and expectations of our partners related to being compliant with the CCPA.
How will LiveIntent ensure its compliance with the CCPA on January 1, 2020?
LiveIntent’s CCPA compliance efforts began soon after the CCPA was enacted in summer 2018. Since then, our internal and external privacy leaders have been working to understand and address CCPA compliance requirements by:
- Developing processes for responding to data requests from California residents to access, delete, or opt-out of the sale of their personal information.
- Updating agreements and attestations with our business partners.