Last Updated Date: April 26, 2020
This FAQ is for informational purposes only. It is intended to provide information on PurpleLab’s approach to addressing the potential obligations imposed by the CCPA on PurpleLab’s business model. It is not intended to provide legal or business advice to any other company or individual. The obligations imposed by the CCPA depend on how your company collects and uses personal information and you are solely responsible for seeking your own advice as needed for your company’s compliance needs under the CCPA or otherwise.
The California Consumer Privacy Act (CCPA) is a comprehensive privacy law that came into effect on January 1, 2020. The law is enforced by the California Attorney General (AG), who is also tasked with issuing regulations under the CCPA. Enforcement can begin six months after the AG issues final regulations or on July 1, 2020, whichever is sooner.
The CCPA applies across all industry sectors, imposing obligations on companies that handle personal information. The CCPA’s requirements include:
The “sale” opt out right impacts more than just traditional sales of data for money. The CCPA defines “sale” broadly to include many commonplace data sharing arrangements, even where no money is exchanged. However, data sharing with a business’s service provider is not considered a “sale,” as long as certain contractual terms are in place between a business and its service provider.
PurpleLab has been actively assessing its obligations under the CCPA and has a core team focused on leading CCPA efforts, as well as privacy and regulatory matters in general. This core team has been working closely with outside privacy counsel who focus on CCPA compliance and the changing privacy regulatory environment. Among other activities, PurpleLab is preparing processes for receiving and responding to consumer rights requests, revising applicable privacy policies, and reviewing and modifying contracts to align with applicable CCPA requirements.
As currently defined under the CCPA, a “service provider” processes California consumers’ personal information on behalf of another business. To be a service provider, the entity must receive the personal information under a written contract that limits the service provider’s processing to purposes specified in the contract or otherwise permitted by the CCPA. A “business” is a for-profit entity that determines the purposes and means of processing California consumers’ personal information and that meets certain thresholds around revenue and similar factors.
PurpleLab plans to:
Please visit our Privacy Page on our main website at PurpleLab.com for more information and resources.