Adherence to CCPA & GDPR Compliance
Many Capture® customers are reaching out to ask how our products and services are compliant with the California Consumer Privacy Act of 2018, particularly as the January 1, 2020 compliance deadline gets closer. Our communications team has put together this document to help you better answer some of the client questions you’ve received and forwarded to us.
Since CCPA was first introduced, Capture® has worked closely with other marketing industry leaders to address guidelines that help define what CCPA compliance looks like. We’re also watching new developments closely, including how proposed new amendments might affect compliance.
We’ve put together this Q&A to give you insight into CCPA and how Capture® will serve as a trusted partner to the changing world of privacy compliance.
IMPORTANT: While CCPA is a California-based set of regulations, history tells us that it’s only a matter of time before most states follow exact or modified stipulations of the regulations. It is also likely that there will be federal statutes developed from this initiative. Regardless of where a company is based, if it meets the criteria noted below, CCPA-originated regulations will most likely apply.
CCPA FREQUENTLY ASKED QUESTIONS
Who must comply with CCPA?
If you do business in California and your company meets one of the criteria below, you must comply with the California Consumer Privacy Act of 2018:
What rights does CCPA give consumers?
Generally speaking, the CCPA gives consumers the right to know and/or request:
In addition, consumers cannot be discriminated against for exercising any of these rights (although a business can provide financial incentives in exchange for data and can offer different prices based on a consumer’s data). Businesses also face more stringent regulations for consumers under 16.
The CCPA also expands the definition of protected personal information/personally identifiable information (PII) to include information such as IP addresses, geolocation data and Internet activity such as browsing. And it requires businesses to protect personal data with “reasonable” security.
In general, how is Capture® preparing for CCPA?
Where does Capture® get its data?
All input data used (owned or acquired) is opt-in only or aggregated and anonymized to ensure privacy. Sourcing spans multiple business and consumer categories, ensuring marketers have the ability to deliver optimal, scalable and targeted reach.
All Capture® data has been responsibly sourced data collected from:
Capture® Owned Data
3rd Party Licensed Data
How do you ensure the Capture® segmentation adheres to privacy and compliance standards?
Capture® segmentation solutions are built with responsibly sourced data; all data used (owned or acquired through 3rd party partners) is opt-in only or aggregated and anonymized to ensure privacy.
Behavioral segments are modeled or aggregated with no personal information used or transmitted. Capture® does not target an individual specifically based on their actual purchase behavior or any PII. A segment is modeled as a Predictor or likelihood scores are applied based on consumer behavior or relevant consumer data attributes.
Do you have any PII in your identity graph? If so, where did you get it?
How does Capture® tie other data to a physical address or other PII data in a privacy-compliant manner?
Capture® uses consistent, privacy-compliant techniques to link the data in its identity graph – both PII and otherwise – to outside data, using multidimensional graph science techniques that are proprietary to Capture®.
How do you ensure privacy-compliance when you use website pixels (that identify even “anonymous” visitors) and then combine that data with PII back data such as postal/IP/email addresses or mobile IDs?
One of Capture®’s key differentiators is being able to provide our clients with insight into formerly “anonymous” customers while still remaining compliant with privacy guidelines. How this is done:
In general, how do you plan to ensure privacy compliance given the expanded definition of PII – which now includes information such as IP addresses, geolocation data and some Internet activity?
Capture® already has processes in place to protect data that falls under the current definition of PII. We understand and fully agree that CCPA is critical for consumer privacy and are working diligently and proactively to implement the new process and technology changes required to comply with new PII definitions under CCPA. We fully expect to be compliant months in advance of the January 1, 2020 deadline.
How do you notify consumers that you are collecting data and obtain their consent?
What is your opt-out policy for consumers?
Capture® gives consumers the opportunity to opt out directly from our website along with all other media touch points. We are currently updating both our data and portal policies to fully comply with CCPA, a process that will be completed before the end of the year. Specifically, CCPA requires companies to give consumers the ability to either:
Do you track the location or movement of customers?
Capture® as a company is willing to help our clients identify consumer location within a geofence as a one-off service, working through third-party vendors. Capture® does NOT track movement of consumers from one location to the next, nor do we keep that information in-house.
How do you currently ensure your data is protected and eliminates risks associated with data privacy, confidentiality breach or other security risks?
We take the threat of data breaches seriously, and we will have SOC 2 certification to support data security and privacy before CCPA goes into effect on January 1, 2020. We also contractually protect our data and our rights to the data.
Does Capture® have access to cardholder data?
No, Capture® does NOT have access to cardholder data.
Does Capture® have a security audit available?
That will be available as part of the Capture® SOC 2 certification.
Will there be any naming changes required for the Capture® segmentation models to adhere to CCPA?
No. Our segmentation or segment names are not regulated, nor do they need to change for CCPA. Segmentation by its very nature is privacy friendly. Each segmentation schema represents all 120MM+ households in the US fairly. We represent all adult ages, all incomes, etc. If we built segmentation schema for only households 55+, then it would be discriminatory, but this is NOT what Capture® does.
Therefore, for CCPA compliance, Capture®’s position is that we do not need to change the names of any of our syndicated segmentation models.
Is Capture® prepared for the discoverability requirement/aspect of CCPA? If a customer asks for information on his/her personal data, how long do you expect it will take you to comply?
We will be 100% prepared to provide client data upon request before CCPA goes into effect on January 1, 2020. Capture® expects the turnaround time in providing that data will be less than 24 hours.
How are you prepared to quickly adapt as other privacy regulations are put into place?
Capture® has taken a leadership role in the compliance area. We are working with many industry groups to help create guidelines for CCPA compliance, and we are proactively watching new developments in California, other states and on the Federal level. We anticipate other states will come online in the next few months with their own privacy legislation and eventually expect intervention on the Federal level.
Are you willing to indemnify my company when it comes to privacy compliance?
Capture® is willing to indemnify clients for the aspects of privacy compliance that we provide to you, and we expect our clients to follow the privacy guidelines (like website tracking notification) that are under their control.
How are you ensuring your partners meet their CCPA obligations?
We are working closely with our partners to make sure they are updating their policies, processes and technology to support CCPA compliance. It is part of the ongoing in-depth auditing/vetting process that we put all of our partners through, particularly as new requirements come online.
Capture® is committed to offering our clients sophisticated products and solutions that are both innovative and legally compliant. As part of this commitment, we have conducted an analysis regarding whether and how the European Union’s General Data Protection Regulation (GDPR) may impact our organization. As outlined in greater detail below, based on our review we have determined that Capture® is not subject to the GDPR at this time and therefore is not legally required to comply with the Regulation.
GDPR FREQUENTLY ASKED QUESTIONS
What is the GDPR?
The GDPR is a complex and comprehensive overhaul of European data protection law. The GDPR was designed to harmonize privacy regulation across the EU and to address emerging risks associated with the processing of personal data in an evolving technological landscape. The GDPR applies to a broader array of companies than were subject to the 1995 EU Data Protection Directive, including some companies that have no physical operations in the EU or whose activities were not covered by the 1995 Directive.
Businesses that are subject to the GDPR must adhere to a number of specific requirements, among them heightened data security standards and transparency regarding their processing of EU personal data. EU data subjects have a variety of data protection rights they may exercise under the GDPR, including the right to know how their personal data may be collected, used, disclosed, transferred, shared, and retained, as well as the ability to control these data processing activities under certain circumstances. A company’s failure to meet its GDPR obligations could result in regulatory investigations and potentially steep financial penalties.
Does the GDPR apply to Capture®?
At this time, the GDPR does not apply to Capture® or the organization’s data collection and processing activities. Broadly speaking, there are three ways a business located in the United States may be subject to the GDPR:
GDPR. We have completed this analysis and determined that Capture® does not have to comply with the GDPR because:
If we were to discover that we had inadvertently obtained EU personal data, we would promptly and securely delete such personal data in accordance with applicable law.
Capture® has examined its potential obligations under the GDPR and confirmed that it is not subject to the Regulation. Our organization has always focused exclusively on the U.S. market, and we will continue to offer our U.S.-focused services to our clients. Capture® is aware that the scope of the GDPR may implicate certain organizations in the U.S., including some of our data partners and other entities with which we may do business; however, our operations do not fall within that scope, and we have no plans at this time to expand operations to include the processing of EU personal data.
To help ensure our continued compliance with applicable laws and regulations, we have added training for our employees and are implementing additional monitoring and other procedures that will assist Capture® in identifying potential compliance risks as we continue to develop and grow our business.