FAQ

Adherence to CCPA & GDPR Compliance 

CCPA OVERVIEW 

Many Capture® customers are reaching out to ask how our products and services are compliant with the California Consumer Privacy Act of 2018, particularly as the January 1, 2020 compliance deadline gets closer. Our communications team has put together this document to help you better answer some of the client questions you’ve received and forwarded to us. 

Since CCPA was first introduced, Capture® has worked closely with other marketing industry leaders to address guidelines that help define what CCPA compliance looks like. We’re also watching new developments closely, including how proposed new amendments might affect compliance. 

We’ve put together this Q&A to give you insight into CCPA and how Capture® will serve as a trusted partner to the changing world of privacy compliance. 

IMPORTANT: While CCPA is a California-based set of regulations, history tells us that it’s only a matter of time before most states follow exact or modified stipulations of the regulations. It is also likely that there will federal statutes that are developed from this initiative. Regardless of where a company is based, if it meets the criteria noted below, CCPA-originated regulations will most likely apply. 

CCPA FREQUENTLY ASKED QUESTIONS 

Who must comply with CCPA? 

If you do business in California and your company meets one of the criteria below, you must comply with the California Consumer Privacy Act of 2018: 

• Your company has a gross revenue of $25 million; 
• It buys, receives, sells or shares person information of more than 50,000 consumers, households or devices for commercial marketing purposes; or 
• It makes 50% or more of its annual revenue from selling the personal information of consumers. 

What rights does CCPA give consumers? 

Generally speaking, the CCPA gives consumers the right to know and/or request: 

• Whether data is being collected about them 
• The Categories and specific pieces of personal information a business has collected 

• The sources of Categories where that personal information was collected 
• What purpose the data is being used for 
• The Categories of third parties with whom the business shares/sells the personal information 
• That the personal information be deleted 
• That the personal information not be sold 

In addition, consumers cannot be discriminated against for exercising any of these rights (although a business can provide financial incentives in exchange for data and can offer different prices based on a consumer’s data). Businesses also face more stringent regulations for consumers under 16. 

The CCPA also expands the definition of protected personal information/personally identifiable information (PII) to include information such as IP addresses, geolocation data and Internet activity such as browsing. And it requires businesses to protect personal data with “reasonable” security. 

In general, how is Capture® preparing for CCPA? 

Capture® is: 

• Creating new processes, policies and technology to ensure compliance with CCPA. 
• Working closely with its partners to ensure they will be compliant with the new law. 
• Working with other marketing industry leaders to help define CCPA compliance and to stay abreast of new industry developments. 

Where does Capture® get its data? 

All input data used (owned or acquired) is opt-in only or aggregated and anonymized to ensure privacy. Sourcing spans across multiple business and consumer categories ensuring marketers have the ability to deliver optimal scalable and targeted reach. 

All Capture® data has been responsibly sourced data collected from: 

Capture® Owned Data 

• Public Sourced Data from Gov’t agencies (Census, BLS, etc.). 
• Proprietary Syndicated Track Surveys are opt-in and Capture® is permitted use. 
• Client authorized data collection is only possible if client privacy policy states what is being collected and aligns with permitted use. 

3rd Party Licensed Data 

• Capture® only works with reputable sources for its data 
• Capture® requires privacy reviews for all data licensed from third parties. Third parties are evaluated through a rigorous vetting process. 
• All data is obtained from consumers who have opted-in or the data is aggregated to protect PII 
• Vendor privacy and security policies must be in alignment with Capture® 

How do you ensure the Capture® segmentation adheres to privacy and compliance standards? 

Capture® segmentation solutions are built with responsibly sourced data, all data used (owned or acquired through 3rd party partners is opt-in only or aggregated and anonymized to ensure privacy. 
 

Behavioral segments are modeled or aggregated with no personal information used or transmitted. Capture® does not target an individual specifically based on their actual purchase behavior or any PII. A segment is modeled as a Predictor or likelihood scores are applied based on consumer behavior or relevant consumer data attributes. 

Do you have any PII in your identity graph? If so, where did you get it? 

Yes, we have PII data in our identity graph, which was responsibly sourced as explained in question #3. When we work with third parties to obtain data, we follow an in-depth auditing/vetting process that uses verification tools such as time/date stamps, privacy policy reviews and/or contractual agreements to ensure customers have opted in and agreed to provide the data in question. 

How does Capture® tie other data to a physical address or other PII data in a privacy-compliant manner? 

Capture® uses consistent, privacy-compliant techniques to link the data in its identity graph – both PII and otherwise – to outside data, using multidimensional graph science techniques that are proprietary to Capture®. 

How do you ensure privacy-compliance when you use website pixels (that identify even “anonymous” visitors) and then combine that data with PII back data such as postal/IP/email addresses or mobile IDs? 

One of Capture® key differentiators is being able to provide our clients with insight into formerly “anonymous” customers while still remaining compliant with privacy guidelines. How this is done: 

• First, we ONLY work with clients that provide consumers with the proper notification that their activity on a website is being tracked. Following that, we make sure they are collecting the data appropriately. 

• Second, we link that pixel-based website data to the Capture® identity graph, which has been built with responsibly sourced or public record data. 
• Third, we make sure we analyze and use that data in a privacy-compliant manner, which includes stripping out or obscuring PII data when needed.  

In general, how do you plan to ensure privacy compliance given the expanded definition of PII – which now includes information such as IP addresses, geolocation data and some Internet activity? 

Capture® already has processes in place to protect data that falls under the current definition of PII. We understand and fully agree that CCPA is critical for consumer privacy and are working diligently and proactively to implement the new process and technology changes required to comply with new PII definitions under CCPA. We fully expect to be compliant months in advance of the January 1, 2020 deadline. 

How do you notify consumers that you are collecting data and obtain their consent? 

We notify consumers in our privacy policy and also require that similar language is included in the privacy policies of our partners. 

What is your opt-out policy for consumers? 

Capture® gives consumers the opportunity to opt out directly from our website along with all other media touch points. We are currently updating both our data and portal policies to fully comply with CCPA, a process that will be completed before the end of the year. Specifically, CCPA requires companies to give consumers the ability to either: 

• “Opt Out,” which means a consumer’s information CANNOT be sold to another company for use. 

• Or be “Forgotten About,” which means that the consumers data CANNOT be used for any purpose.  

Do you track the location or movement of customers? 

Capture® as company is willing to help our clients identify consumer location within a geofence as a one-off service, working through third-party vendors. Capture® does NOT track movement of consumers from one location to the next, nor do we keep that information in-house. 

How do you currently ensure your data is protected and eliminates risks associated with data privacy, confidentiality breach or other security risks? 

We take the threat of data breaches seriously, and we will have SOC 2 certification to support data security and privacy before CCPA goes into effect on January 1, 2020. We also contractually protect our data and our rights to the data. 

Does Capture® have access to cardholder data? 

No, Capture® does NOT have access to cardholder data.  

Does Capture® have a security audit available? 

That will be available as part of the Capture® SOC 2 certification. 

Will there be any naming changes required for the Capture® segmentation models to adhere to CCPA? 

No. Our segmentation or segment names are not regulated, nor do they need to change for CCPA. Segmentation by its very nature is privacy friendly. Each segmentation schema  represents all 120MM+ households in the US fairly. We represent all adult ages, all incomes, etc. If we built segmentation schema for only households 55+, then it would be discriminatory, but this is NOT what Capture® does. 

Therefore, for CCPA compliance, Capture®s position is that we do not need to change the names of any of our syndicated segmentation names. 

Is Capture® prepared for the discoverability requirement/aspect of CCPA? If a customer asks for information on his/her personal data, how long do you expect it will take you to comply? 

We will be 100% prepared to provide client data upon request before CCPA goes into effect on January 1, 2020. Capture® expects the turnaround time in providing that data will be less than 24 hours. 

How are you prepared to quickly adapt as other privacy regulations are put into place? 

Capture® has taken a leadership role in the compliance area. We are working with many industry groups to help create guidelines for CCPA compliance, and we are proactively watching new developments in California, other states and on the Federal level. We anticipate other states will come online in the next few months with their own privacy legislation and eventually expect intervention on the Federal level. 

Have you sought legal counsel on your own privacy policy? 

Yes.

Are you willing to indemnify my company when it comes to privacy compliance? 

Capture® is willing to indemnify clients for the aspects of privacy compliance that we provide to you, and we expect our clients to follow the privacy guidelines (like website tracking notification) that are under their control. 

How are you ensuring your partners meet their CCPA obligations? 

We are working closely with our partners to make sure they are updating their policies, processes and technology to support CCPA companies. It is part of the ongoing in-depth auditing/vetting process that we put all of our partners through, particularly as new requirements come online.  

GDPR OVERVIEW 

Capture® is committed to offering our clients sophisticated products and solutions that are both innovative and legally compliant. As part of this commitment, we have conducted an analysis regarding whether and how the European Union’s General Data Protection Regulation (GDPR) may impact our organization. As outlined in greater detail below, based on our review we have determined that Capture® is not subject to the GDPR at this time and therefore is not legally required to comply with the Regulation.  

GDPR FREQUENTLY ASKED QUESTIONS 

What is the GDPR? 

The GDPR is a complex and comprehensive overhaul of European data protection law. The GDPR was designed to harmonize privacy regulation across the EU and to address emerging risks associated with the processing of personal data in an evolving technological landscape. The GDPR applies to a broader array of companies than were subject to the 1995 EU Data Protection Directive, including some companies that have no physical operations in the EU or whose activities were not covered by the 1995 Directive. 

Businesses that are subject to the GDPR must adhere to a number of specific requirements, among them heightened data security standards and transparency regarding their processing of EU personal data. EU data subjects have a variety of data protection rights they may exercise under the GDPR, including the right to know how their personal data may be collected, used, disclosed, transferred, shared, and retained, as well as the ability to control these data processing activities under certain 

circumstances. A company’s failure to meet its GDPR obligations could result in regulatory 

investigations and potentially steep financial penalties.  

Does the GDPR apply to Capture®? 

At this time, the GDPR does not apply to Capture® or the organization’s data collection and processing activities. Broadly speaking, there are three ways a business located in the United States may be subject to the GDPR: 

• If the business is “established” in the EU (for example, if it has a physical presence or 

• employees in the EU); 

• If the business is not established in the EU, but is processing EU personal data in conjunction with offering goods or services in the EU (whether or not the business is charging money for the goods or services); or 

• If the business is processing EU personal data to monitor or track behavior in the EU. 

GDPR. We have completed this analysis and determined that Capture® does not have to comply with the GDPR because: 

• Capture® is not established in the European Union. We do not have any offices or employees outside the U.S., nor do we conduct business activities in the EU. 
• Capture® does not offer goods or services to individuals or entities in the EU. Our business is focused exclusively on providing our U.S. clients with products and solutions that help them better identify, understand, and target consumers located in the United States. Though our website may be accessible to someone located in the EU who has access to the Internet, we do not market to people in the EU, nor do we target audiences in other countries. 
• Capture® does not monitor the behavior of persons in the EU. The data portfolios that serve as the basis for our products and services consist solely of information collected in the U.S. We do not process EU personal data or otherwise track data subjects located in the European Union. 

If we were to discover that we had inadvertently obtained EU personal data, we would promptly and securely delete such personal data in accordance with applicable law.  

Looking Ahead 

Capture® has examined its potential obligations under the GDPR and confirmed that it is not subject to the Regulation. Our organization has always focused exclusively on the U.S. market, and we will continue to offer our U.S.-focused services to our clients. Capture® is aware that the scope of the GDPR may implicate certain organizations in the U.S., including some of our data partners and other entities with which we may do business; however, our operations do not fall within that scope, and we have no plans at this time to expand operations to include the processing of EU personal data. 

To help ensure our continued compliance with applicable laws and regulations, we have added training for our employees and are implementing additional monitoring and other procedures that will assist Capture® in identifying potential compliance risks as we continue to develop and grow our business.