Last updated: September 2020
The California Consumer Privacy Act of 2018 (CCPA) is a law that addresses the privacy rights of California consumers. If you do business in California, including operating a website that's accessible to California residents, you may need to comply with the CCPA.
The CCPA extends specific notice, disclosure, deletion and opt-out rights to California consumers for personal information collected by certain businesses. This includes providing notice of the personal information that a business collects, discloses for a business purpose, and (where applicable) sells to a third party. The CCPA also allows California consumers the right to request access to and deletion of their personal information held by a business.
Effective Date and Enforcement
- The effective date of the CCPA is January 1, 2020.
- The California Attorney General began enforcement on July 1, 2020.
- There are additional regulations drafted by the California Attorney General to provide guidance on the application and implementation of the CCPA. These additional regulations became effective on August 14, 2020.
The CCPA defines “personal information” and “sale” to cover a wide range of information and activities you may not expect.
- Personal information is defined in the CCPA to include significantly more than a name, address, email or even IP address.
- “Personal information” includes information such as: a consumer’s interaction with a website, application, or advertisement; browsing or search history; and a consumers’ purchasing or consuming histories or tendencies (among other things).
- A “sale” of “personal information” is defined broadly to include any exchange of personal information for either money or other “valuable consideration” (in other words, as long as the exchange provides value in exchange for the information, it could be considered “valuable consideration”).
Do Not Sell My Personal Information link
If your business:
- Must comply with the CCPA; and
- Sells the personal information of a California consumer (as defined by the CCPA), your website must include a link stating “Do Not Sell My Personal Information” that allows California residents to exercise the right to opt-out of the sale of their personal information.
How do I know if CCPA applies to my business?
The CCPA focuses on whether your business collects the personal information of California consumers, so the CCPA may apply even if your business is located in a state other than California, or a country other than the United States.
However, not all businesses are subject to the CCPA. Only for-profit businesses that meet certain criteria described below must comply.
Check if your business qualifies!
Businesses that May Be Exempt: Some health and financial businesses that are already operating under federal data security laws are exempt from complying with CCPA in certain circumstances:
- Health providers and insurers already under HIPAA;
- Banks and financial companies covered by Gramm-Leach-Bliley; and
- Credit reporting agencies operating under the Fair Credit Reporting Act.
Even if your business is not required to comply with the CCPA, if California consumers visit your website(s) your privacy notice must disclose NextRoll as a business within the scope of the CCPA and include a link to NextRoll’s Privacy Notice CCPA Section. (See how you can comply below)
How NextRoll complies with CCPA
Prior to January 1, 2020, NextRoll updated its Privacy Notice to include the required CCPA notices and disclosures. NextRoll will update it’s Privacy Notice as necessary to address any additional CCPA requirements and guidance made from time to time.
- Our privacy notice includes the CCPA-required notices and disclosures.
- NextRoll will continue to honor consumers’ choice to opt out of interest-based advertising, regardless of how the definition of "sale" is applied to the disclosure of personal information for advertising, marketing, and analytics by making its opt-out publicly available via the “Ad Opt-Out” link:
- on each page of its websites;
- NextRoll’s Privacy Notice;
- and accessible by clicking the blue AdChoices icon on any ad served by NextRoll.
- NextRoll is registered as a California data broker;
- NextRoll allows California consumers to opt-out of the sale of their business email contact information (if maintained or obtained by NextRoll);
- In addition, NextRoll’s Terms of Service require its customers to include a section in their Privacy Notice that provides a link to the California Residents’ section of NextRoll’s Privacy Notice. This is required to disclose NextRoll as an entity collecting personal information under CCPA and ensure the appropriate CCPA-mandated notices and disclosures to customers’ end users.
Do I "sell" my customer's information to NextRoll?
With one potential exception, NextRoll’s interpretation of the CCPA is that the data NextRoll collects via the pixel does not constitute a sale of personal information by NextRoll’s customers to NextRoll.
What’s the exception?
Clear emails NextRoll collects via the pixel are customer data the customer owns. Specifically, if your customer enters email@example.com on your website, you now own that clear email.
However, if you use any of the products listed below, the pixel will collect the “clear email” address firstname.lastname@example.org if entered into a web form on your site and NextRoll will create a hashed version of that clear email in order accomplish different types of services, such as:
- to track consumers across devices;
- to measure or otherwise give attribution credit for sales activity or conversions;
- to deliver targeted advertising; and
- to allow customers to connect their CRM-marketing products to identify existing and prospective customer interest and engage in direct marketing activities.
These activities may be interpreted as a “use” or “transfer” of personal information from you (the customer) to NextRoll because hashed emails are pseudonymous information that is considered personal information under the CCPA.
The NextRoll products or services that collect clear emails via the pixel and hash the email include:
- The cross device asset
- AdRoll Email
- RollWorks contact reporting
Why is using hashed emails a “potential” exception that “may be interpreted” as a sale? Can you be more certain?
Unfortunately, there is not more specific guidance from the California Attorney General at this time. Because the law is still new (and newly enforced), not all applications of the CCPA have been conclusively resolved. We encourage you to seek legal advice and consult the information we provide about the functionality of our products and services in order to determine how the CCPA applies to your business.
The following options are available to address the potential risk that a “transfer” of hashed emails from you to NextRoll could potentially amount to a sale under CCPA:
- Implement a “Do Not Sell My Personal Information Link” to allow consumers to opt-out of the alleged “sale” of their hashed email used as part of cross device; or
- At the time of collecting the end user’s email on a web form on your site, ask the consumer to consent to the hashing and sharing of their email with NextRoll. Suggested disclosure language is set out in our Policy Notice Requirements article under the section “Additional Information for AdRoll Email and Cross-Device”
Clear emails provided to NextRoll via a Customer’s CRM list (not the pixel) are not added to the cross device asset and therefore do not (even potentially) create a sale under CCPA. Instead, NextRoll’s CCPA Service Provider Addendum governs NextRoll’s use of customer CRM whereby NextRoll acts as a “service provider” to its customers with respect to CRM data.
What is a "service provider?" Is NextRoll my service provider?
Under the CCPA, disclosures of personal information do not constitute a sale when the party to whom the personal information is transferred is operating as a “service provider” pursuant to a service provider agreement that prohibits using the information for most independent purposes.
To qualify as a service provider under the CCPA, several specific circumstances must be met.
NextRoll acts as a service provider to its customers with respect to any personal information disclosed to NextRoll via submission of a customer CRM list (clear emails and other CRM data).
NextRoll is not a CCPA “service provider” with respect to personal information collected directly via the NextRoll pixel.
How you can comply
You know your business better than we do, but here are some tips for complying with the CCPA:
- Be sure to include a California Residents section in the Privacy Notice you post on your site that discloses the fact that you work with NextRoll and includes a link to NextRoll’s CCPA section of its’ Privacy Notice.
- Your customers may not be familiar with NextRoll’s data collection practices, and NextRoll is likely invisible to them when they visit your site.
- Surfacing to consumers the fact that third party companies are engaged in the collection of their personal information and disclosing all the rights available to California consumers under CCPA gives your customers appropriate notice (should they seek out that information in your Privacy Notice).
- NextRoll’s Terms of Service require this disclosure.
- To discuss the service provider exception to the CCPA, describe the functionality of any “Do Not Sell My Personal Information” link you may be posting, and to ensure that NextRoll can honor the opt-out you provide, please reach out to our support team at email@example.com.
- If your company receives a verifiable consumer request to delete personal information AND your company provides, or directs NextRoll to collect clear email(s) (i.e. firstname.lastname@example.org), you may direct us to delete the consumer's clear email(s) from our records by submitting a request here.
NextRoll does not provide the above as legal advice or as a substitution for legal advice. We strongly advise that you consult with an attorney or privacy professional to understand whether (and how) to comply with the CCPA.
- California Consumer Privacy Act
- Text of the final CCPA regulations (and other resources): https://oag.ca.gov/privacy/ccpa/regs
- Blog articles on the cross device asset:
- AdRoll Blog: Why Use a Cross-Device Campaign Strategy?
- RollWorks Blog: When Work IP No Longer Works: COVID-19’s Impact on ABM and Ad Tech