Understanding frequently asked questions about the CCPA and CPRA

You will learn

Learn about frequently asked questions regarding the CCPA (California Consumer Privacy Act) and CPRA (California Privacy Rights Act).

 The information provided here is intended to be educational and should not be construed as legal advice. Klaviyo encourages all of our customers — and all ecommerce merchants — to seek legal advice for counsel on how they specifically should comply with the CCPA and CPRA.   

What is the CCPA?

The CCPA is a law that took effect on January 1, 2020 and governs how businesses handle the personal information of California residents.

The CCPA is a response to a perceived gap in privacy protections in the United States. Companies that handle the personal information of California residents are required to inform residents of the company’s privacy practices and residents’ privacy rights, including the right to:

  • Know about the personal information a business collects about them and how it is used
  • Delete the personal information collected (with some exceptions)
  • Opt-out of the sale of their personal information
  • Non-discrimination for exercising their CCPA rights

What is the CPRA?

The CPRA is a law that amends and expands the requirements of the CCPA, including:

  • Adding a "sensitive personal information" category 
  • Establishing the right to limit use and disclosure of sensitive personal information
  • Establishing the right to correct inaccurate personal information
  • Expanding the “Do Not Sell” opt-out requirement to “sharing” of personal information for purposes of cross-context (or third party) advertising

The CPRA becomes operative January 1, 2023.

Who must comply with the CCPA and CPRA?

Businesses

Most CCPA and CPRA requirements apply to “businesses”, defined as companies that collect California consumers’ personal information either on their own or using vendors. 

The CCPA applies to businesses that meet any of the following conditions:

  • Handles California residents’ personal information
  • Is “doing business” in California (including engaging with individuals located in California through an ecommerce or interactive website or application)
  • Satisfies one or more of the following thresholds:
    • Has annual gross revenues greater than $25 million
    • Buys, receives, or sells personal information of 50,000 or more California residents, households, or devices annually
    • Derives 50 percent or more of its annual revenues from “selling” California residents’ personal information (i.e., selling includes disclosing, making available, transferring or communicating personal information to third parties for monetary or other valuable consideration)

The CPRA amends this applicability as follows:

  • Satisfies one or more of the following thresholds:
    • Had annual gross revenues greater than $25 million last year
    • Buys, sells or shares personal information of 100,000 or more California residents or households annually
    • Derives 50 percent or more of its annual revenues from selling or sharing California residents’ personal information (sharing includes disclosing, making available, transferring or communicating personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration)

Service providers and contractors 

In order to be considered a service provider, a person or legal entity must:

  • Process personal information on behalf of a business 
  • Be bound by a written contract that imposes certain restrictions and obligations around the use of personal information including not further:
    • Collecting
    • Selling
    • Using the personal information except as necessary to perform the business purpose

Similar to service providers, the exception to a sale or sharing also applies to contractors under the CPRA. Contractors are persons or entities to which personal information is made available by a business, pursuant to a written contract that imposes similar restrictions and obligations that apply to a service provider. Contractors also must have a certification that the contractor understands the restrictions and will comply with them.

Note that a business’ disclosure of data to a service provider or contractor is not considered a sale or sharing when it is necessary to perform a business purpose.

What is classified as personal information?

The CCPA defines personal information very broadly to include information that identifies, describes, or is reasonably capable of being associated with a particular consumer or household. In practice, this broad definition means that information such as contact information, transaction data, Internet Protocol (IP) addresses, mobile device identifiers, clickstream data, and order details may be within the scope of the CCPA’s definition of personal information, and subject to the CCPA’s requirements.

The CPRA creates a new category of personal information, “sensitive personal information,” and provides consumers with a new right to limit the use and disclosure of their sensitive information. 

Sensitive personal information under CPRA includes: 

  • Social security number
  • Driver’s license number 
  • Passport number
  • Account credentials
  • Precise geolocation
  • Racial or ethnic origin
  • Religious beliefs
  • Biometric data
  • Genetic data
  • Health data 
  • Information concerning a consumer’s sex life or sexual orientation
  • The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication 

 Klaviyo does not allow sensitive personal information to be collected or stored in the platform.

What do I need to do to prepare?

The CCPA and CPRA are complex laws. This article provides the key obligations under the CCPA and CPRA as they may relate to the use of Klaviyo services, but it does not take into account all the requirements that may apply to your business. Please contact your legal counsel for specific advice.

If the CCPA and CPRA are applicable to your business, you should consider the following rights and disclosures.

Notice

Your business must have a privacy policy on your website that is accessible at all points where you collect personal information, such as signup forms. The policy should include, among other things:

  • Categories of personal information it collects, sells and otherwise discloses for a business purpose
  • Categories of sources of the personal information 
  • Business or commercial purposes for collecting or selling the personal information
  • Description of the following consumers’ rights and the designated methods for submitting requests:
    • The right to delete personal information
    • The right to access categories and specific pieces of personal information
    • The right to opt-out of the sale or sharing of personal information
    • The right of non-retaliation

The CPRA expands this list of consumers’ rights to include:

  • The right to correct inaccurate information
  • The right to limit the use and disclosure of sensitive personal information
  • The right to opt-out of automated decision-making technology

The CPRA also requires businesses to include the following additional disclosures:

  • Whether the individual’s personal information is sold or shared
  • The length of time the business intends to retain each category of personal information or the criteria it will use to determine how long it will retain such information
  • If the business collects “sensitive personal information”:
    • A separate disclosure identifying the categories of sensitive information collected
    • The use and purpose of this data
    • Whether such information is sold or shared

Opt-out rights

Consumers have the right at any time to opt out of the sale of their personal data to third parties. Your business must stop selling personal information upon receipt of the request unless a subsequent express authorization is provided by the consumer. Businesses must wait at least 12 months before asking a consumer to opt back into the sale of personal information. To enable this opt-out right, businesses must, among other things:

  • Provide a clear and conspicuous link on the business’s homepage, titled “Do Not Sell My Personal Information.” The link should enable a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information
  • Not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.

The CPRA expands on this existing opt-out right and opt-in requirements to include both the sale and sharing of personal information. Accordingly, the link posted on a business’ homepage should be updated and titled “Do Not Sell or Share My Personal Information.”

Consumers also have the right at any time to opt out of their personal data being sold by a third party who has purchased the consumer's personal data from a business. The third party must stop selling upon receipt of the opt-out request unless a subsequent express authorization is provided by the consumer.

Other consumer rights

Businesses must have processes to verify a California resident’s identity when responding to requests to access or delete personal information. Once a request is received from a California resident and their identity is confirmed, make sure to include the following when completing the request as applicable, to honor their rights. 

Right to know: A consumer may request that the business disclose its collection and treatment of the consumer’s personal information, including the:

  • Categories of personal information collected about that consumer (in the preceding 12 months)
  • Categories of sources from which the personal information is collected 
  • Business or commercial purpose for collecting or selling personal information
  • Categories of third parties with whom the business disclosed personal information
  • Categories of information that the business sells or discloses to third parties
  • Specific pieces of personal information it has collected about that consumer

The CPRA modifies and expands this right to require:

  • Providing information about the categories of personal information “shared” with third parties
  • Removing the 12-month look-back limitation by requiring a business to provide more than 12 months of information, so long as such a disclosure would not be "impossible" or "involve a disproportionate effort" (this requirement would not apply to any data collected by the business prior to January 1, 2022)

Right of deletion: The business must delete the consumer’s information (subject to certain exceptions) and notify its service providers to delete the consumer’s information. Under the CPRA, the business must notify its service providers and contractors and also notify any third parties to whom the business has sold or shared (for cross-contextual advertising purposes) the consumer’s personal information, unless this “proves impossible or involves disproportionate effort.” Additionally, each service provider must also notify its own downstream service providers to delete the consumer’s information. 

Right to correct inaccurate personal information: Once a business receives a verified request to correct inaccurate personal information, the business must use “commercially reasonable efforts” to correct said personal information as directed by the consumer. Additional guidance on this obligation is expected from the California Attorney General.

You should also note that if the consumer is less than 13 years old, then a parent or guardian's express consent (opt-in) is required before selling his or her personal information. If the consumer is at least 13 but less than 16 years old, then express consent is required from the individual before selling his or her personal information.

Fulfilling consumer requests 

You must have at least 2 designated methods for consumers to submit requests for information.

These should include, at a minimum:

  • A toll-free telephone number (certain businesses that operate exclusively online and have a direct relationship with the consumer from whom it collects personal information are exempt from the toll-free number requirement)
  • Web address, if the business has a website 

Consumer requests must be addressed within 45 days of receiving the request, by mail or electronically (in a format that allows the consumer to provide it to another entity) or through a user account. Response time may be extended by an additional 45 days if reasonably necessary based on complexity and the number of requests, and if the requestor is notified of the extension (detailing the reasons why). The request process must also be free of charge.

Businesses are not required to carry out more than two requests per consumer in a 12-month period.

What is Klaviyo's role under the CCPA and CPRA as it relates to the Klaviyo service?

Klaviyo has no direct relationship with the individuals whose personal information is collected by our customers and stored on our platform. Klaviyo serves as a service provider, while our customers are the businesses because we process the personal information on behalf of our customers.

Klaviyo’s obligations to customers as a service provider are set forth in our Data Processing Agreement.

What is Klaviyo doing to enable customers to comply?

Klaviyo customers have the ability and tools to accommodate requests from California residents to exercise their consumer rights to access, delete or correct personal information under the CCPA and CPRA. Specifically:

If you require additional assistance, Klaviyo is prepared to reasonably accommodate where technical limitations may require support.

Additional resources
