CCPA stands for California Consumer Privacy Act. It's a law that will take effect on January 1, 2020 and will govern how businesses handle the personal information of California residents. This article will walk through how the CCPA may impact your business and how Klaviyo will help you comply with this new law.
The information provided here is intended to be educational and should not be construed as legal advice. Klaviyo encourages all of our customers -- and all ecommerce merchants -- to seek legal advice for counsel on how they specifically should comply with the CCPA.
What is the CCPA?
The CCPA is a response to a perceived gap in comprehensive privacy protections in the United States. Companies that handle the personal information of California residents are required to inform residents of the companies’ privacy practices and to offer residents the ability to:
- Access the information that you maintain about your contacts
- Delete that information in certain circumstances
- Direct you not to share their information with third parties for those parties’ own purposes
The CCPA also restricts the resale of personal information. The law requires that individuals receive notice that their personal information will be resold and are given an opportunity to opt-out.
Who must comply with the CCPA?
Most of the CCPA’s requirements apply to “businesses” – companies that collect consumers’ personal information (on their own or using vendors) and use the information for their own purposes. These businesses determine “the purposes and means” of processing the personal information. The CCPA applies to any “business” that:
- Handles California residents’ personal information
- Is “doing business” in California (for example, engaging with individuals located in California through an e-commerce or interactive website or application)
- Satisfies one or more of the following thresholds:
- Has annual gross revenues in excess of $25 million
- Obtains, sells, or shares personal information of 50,000 or more California residents, households, or devices annually
- Derives 50 percent or more of its annual revenues from “selling” California residents’ personal information (i.e., sharing or giving access to personal information to third parties for those parties’ own purposes)
The CCPA also imposes limited requirements on “service providers” – companies that process consumer personal information on behalf of a business. Businesses disclose personal information to service providers for a specific business purpose pursuant to a written contract. The CCPA requires service providers to process personal information only as necessary to provide their services.
What is "personal information" under the CCPA?
The CCPA defines personal information very broadly to include information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. In practice, this broad definition means that information such as contact information, transaction data, Internet Protocol (IP) addresses, mobile device identifiers, clickstream data, and order details may be within the scope of the CCPA’s definition of personal information, and subject to the CCPA’s requirements.
What do I need to do to prepare?
The CCPA is a complex law. This article provides the key obligations under the CCPA for the benefit of our customers but does not take into account all individual circumstances that may apply to your business. Please contact your legal counsel for specific advice. If the CCPA is applicable to your business, you should consider the following:
- Information regarding a consumer’s right to access, opt-out (if the business sells personal data), right to deletion, right of non-discrimination for invoking CCPA rights, and the right to designate an authorized agent
- Two or more methods for submitting access and deletion requests, including a toll-free number (however, certain businesses that operate exclusively online are exempt from the toll-free number requirement)
- A list of the categories of personal information it has collected about consumers in the preceding 12 months
- A list of the categories of personal information it has sold about consumers in the preceding 12 months (or if the business has not sold consumers’ personal information in the preceding 12 months, the business should disclose that fact)
- A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months (or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business should disclose that fact)
Consumers have the right at any time to opt-out of the sale of their personal data to third parties. You, as a business, must stop selling personal information upon receipt of the request unless a subsequent express authorization is provided by the consumer. To offer this opt-out right, businesses must, among other things:
- Provide a clear and conspicuous link on the business’s homepage, titled “Do Not Sell My Personal Information.” The link should enable a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information
- Not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information
If the consumer is less than 13 years old, then a parent or guardian's affirmative consent (opt-in) is required before selling his or her personal information.
If the consumer is at least 13 but less than 16 years old, then the consumer's own affirmative consent (opt-in) is required before selling his or her personal information.
Consumers have the right at any time to opt-out of their personal data being sold by a third party who has purchased the consumer's personal data from a business. The third-party must stop selling upon receipt of the opt-out request unless a subsequent express authorization is provided by the consumer.
Access & Deletion Rights
Make available to consumers two or more designated methods for submitting requests for information required to be disclosed and/or deleted, including, at a minimum, a toll-free telephone number (subject to the exemption for exclusively online businesses noted above) and a web address (if the business maintains a website).
A business must implement processes to verify a California resident’s identity before providing an individual with the right to access or delete personal information.
Once a request is received from a California resident and their identity is confirmed, complete the following as applicable:
- Right to access: access disclosures must include, among other things, the (i) categories of personal information collected about that consumer (in the preceding 12 months), (ii) categories of sources from which the personal information is collected, (iii) business or commercial purpose for collecting or selling personal information, (iv) categories of third parties with whom the business shares personal information; and (v) specific pieces of personal information it has collected about that consumer.
- Right of deletion: erasure requests must be completed by the business and its direct service providers. A number of exceptions exist, however, such as where the information is necessary to complete a transaction, provide goods or services requested by the consumer, to comply with a legal obligation, or to protect against and prosecute fraud and other illegal activity.
Consumer requests must be addressed within 45 days of receiving the request, by mail or electronically (in a usable format that allows the consumer to provide it to another entity) or through a user account (if the requestor has an active account).
Response time may be extended once by up to an additional 45 days if reasonably necessary (based on the complexity and number of requests), provided the business invokes the extension within the initial 45-day period and notifies the requestor of the extension and the reasons for it.
The request process must be free of charge.
Businesses are not required to respond to more than two access requests from the same consumer in a 12-month period.
What is Klaviyo's role under the CCPA?
Klaviyo has no direct relationship with the individuals whose personal information is stored within our systems. Because we process end-user information on behalf of our customers, Klaviyo acts as a service provider under the CCPA, and our customers are the businesses.
What is Klaviyo doing to help customers comply with the CCPA?
We are in the process of updating the Klaviyo Terms of Service and Privacy Notice to more comprehensively explain the scope of the services we provide, and to describe the steps that Klaviyo takes to help customers comply with the CCPA.
Klaviyo customers have the ability and tools to accommodate requests from California residents to exercise their rights to access or delete personal information under the CCPA. Specifically:
- The platform allows customers to report on the personal information it maintains about end-users in response to access requests.
- The platform allows for the deletion of personal information it maintains about end-users in response to deletion requests.
If Klaviyo customers require additional assistance, Klaviyo is prepared to reasonably accommodate where technical limitations may require support.
If you or anyone in your organization has questions about the CCPA or any of Klaviyo’s security and privacy practices, please do not hesitate to contact us.