Cross Country Computer
Consumer Data Privacy Law Considerations 1/3/2023
Note: The following does not offer legal advice.

Meeting the requirements of data privacy laws is essential for companies using personal data to initiate and nurture consumer relationships. Consumer privacy laws grant their respective state’s residents the right to control how their personal information is used, including directing businesses to delete information they have collected. Cross Country Computer (CCC) is committed to complying with the law in a manner that serves both consumers and your business.

Consumer Data Privacy Laws

Five consumer data privacy laws go into effect in 2023:

  • CPRA (California Privacy Rights Act), amends the CCPA, effective January 1, 2023
  • VCDPA (Virginia Consumer Data Protection Act), effective January 1, 2023
  • CPA (Colorado Privacy Act), effective July 1, 2023
  • CTDPA (Connecticut Data Privacy Act), effective July 1, 2023
  • UCPA (Utah Consumer Privacy Act), effective December 31, 2023

How to Send Privacy Requests to CCC:

  1. The data CCC requires depends on the data originally sent to CCC. This typically includes all Name and Address fields. If name & address are not available, email is acceptable, but the more information provided the better the likelihood of being able to locate the record(s). Please use this layout:
  2. Deliver Privacy Request files separate from all other update files in tab delimited txt format. The combined ‘Mixed_Requests’ format with fields specifying ‘request type’ is preferred. Name files as follows:

• Deletions: “<Company name>_PRIVACY_Permanent_Deletion”.Date
• Do Not Sell/Rent: “<Company name>_PRIVACY_Do_Not_Sell_Or_Rent”.Date
• Return of Data: “<Company name>_PRIVACY_Right_To_Know”.Date
• If Combined: “<Company name>_PRIVACY_Mixed_Requests”.Date
• Corrections: Discuss specific cases with your CCC Account Executive.

Alternatively, because California’s CCPA was the first applicable state law, we have found that some clients prefer to continue to use a ‘CCPA’ designation in all Privacy Request files regardless of the applicable state (e.g. …CCPA_Mixed_Requests…). If requests are combined, separate fields specifying the type of request (Do Not Sell, Delete, Return Data) must be added to the file and coded with a “Y” to designate which apply.

  3. Transmit Privacy Request files through existing SFTP.

  4. Important Note: All Privacy Requests must be sent and received using this process. Requests transmitted any other way cannot be processed with the same assurances. Never send confidential PII unencrypted or via email.

CCC’s Application of Privacy Requests:

  1. As a default, application is at the household level at the specific postal address provided, during your next scheduled update cycle and at the end of each subsequent cycle. If an update is not imminent, coordinate with your CCC Account Executive to discuss considerations regarding off-cycle deletions.
  2. CCC will add the provided postal record to the permanent Do Not Rent file that we may maintain for you. If the Privacy Request is a ‘Deletion’, then CCC will also add the postal record to your permanent Do Not Mail file. Please instruct your CCC Account Executive to update these lists accordingly.

Other Important Caveats:

  1. Build/Application Level: Most databases consolidate and update using name & address at the individual or household (surname) level. If CCC supports a different process for you, contact us to refine scope.
  2. Data Variations: Data can vary over time due to routine conversion and hygiene processing. Names may get parsed and addresses standardized or changed. Similar records may consolidate, with one retained as the ‘driver’. For example, in a household (surname) database where JOHN and SUE SMITH (same address) have both purchased, CCC may retain and attribute all activity to one. If a Change Of Address (COA) was applied, the subject may not be located at the provided address. Spelling variations, vanity addresses and typos can also challenge location. There is no assurance that the information provided by the consumer in their Privacy Request submission will match to the data points that you collected or passed to CCC. It is important that you attempt to locate each target record within your source systems of record – the ones from which data are extracted to send to CCC. If you identify multiple variations within your internal system(s) then include each of them on the file sent to CCC to increase the likelihood of finding a match. Industry-standard matching algorithms allow for reasonable variations, but automated solutions are not foolproof. Our process is designed to commercially reasonable standards.
  3. Request to Know/Return of Data: If an individual exercises their right ‘to know’ and requests that you return a copy of their personal information to them, where reasonably possible we suggest that you return the specific data points from your own internal system(s) of record, as opposed to from ours. CCC would typically only have a subset of the data you already have and the data in your source systems will most closely align with the data that you collected from the consumer. There are several reasons for this, including the caveats noted herein concerning consolidation and ‘Data Variations’. Also consider legalities concerning multiple individuals from a common household (which is how CCC often stores data). When responding to a ‘Request to Know’, CCC will search your active database and, if found, provide you with information to help you to cross reference to your own database.
  4. Right to Correct Data: If any individual submits a request to ‘correct’ data then consider whether you instead wish to have it processed as a ‘Delete’ (and if so, code the request to CCC accordingly). If, however, you wish to have us attempt a correction then contact your CCC Account Executive to review the specific request.
  5. Timing Considerations: Where regulations allow, CCC prefers to apply requests in batch, as part of your regularly scheduled projects. If you encounter a situation where you receive Privacy Requests that are applicable to CCC, but you do not have an upcoming project scheduled within a designated legal window, please coordinate with your CCC Account Executive to discuss considerations regarding off-cycle application.
  6. Completed and Interim Work Files: Adding delete requests to your Do Not Mail file will help stop the delivery of FUTURE promotions but be sure to advise consumers that they may still receive promotions that were already in process. It is not commercially reasonable to scan through all historical completed files or interim work files, as those are already designated to age-out to deletion. See also, ‘Backup Systems’.
  7. Backup Systems: Due to CCC’s DR obligations we routinely take full image backups of our entire environment including data, applications and operating systems, which age-out to deletion. These images are confidential, fully encrypted, and securely managed. It isn’t commercially viable to cherry pick specific data points for deletion from backup images, so CCC continues to safeguard data until its purge. Personal information stored on an archived or backup system may therefore delay application of the consumer’s Privacy Request until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose.
  8. Returning Customers: It is possible that someone who has requested that their information be deleted will return to your brand in the future. Consider how you will handle this. CCC’s intent is to add deletion requests to your permanent Delete and postal Do Not Mail/Rent lists to help prevent retargeting. If a delete request does quickly return while a mailing campaign is still ‘open’ then it may still show as a responder.
  9. Notification to Third Parties (Co-Ops, etc.): CCC is not a contractual party to your agreements with the co-ops or your other 3rd party vendors. Send required Privacy Requests directly to co-ops and other 3rd parties in your supply chain. CCC may assist with 3rd party transfers or communications; however, this should not be relied on to ensure your own compliance, particularly because CCC’s role is often limited to just forwarding your raw files and the cadence of CCC’s processing may differ from what is appropriate for your other 3rd parties.
  10. Additional Costs to CCC: CCC may include aspects of our processing as it relates to commercially reasonable application of Privacy Requests at no cost. However, for clients requiring additional processing beyond such inclusions, pricing will be provided on an as-needed basis commensurate with effort and scope.

Other FAQs:

  • What is the difference between a DO NOT SELL MY PERSONAL INFORMATION and a DELETE MY PERSONAL INFORMATION request?

In the context of our role as your service provider, a DO NOT SELL request is most similar to a traditional DO NOT RENT request. Unless other arrangements are made, we would not assume that a DO NOT SELL/RENT requestor would also be considered a DO NOT MAIL request. This is because it seems reasonable to assume that even if someone doesn’t want you to sell/rent their personal information, they may still enjoy receiving offers from (and interacting with) your brand. In contrast, a DELETE request would typically also be considered a DO NOT RENT and a DO NOT MAIL.

  • Why would a DELETE request also be coded as DO NOT MAIL? If they are deleted, then how could we mail them?

Good question. Even if someone is no longer on YOUR database, you could still ‘rent’ them from a 3rd party as a prospect. While some parties may take a position that you are not obligated to suppress consumers that are later acquired through separate channels, it seems prudent to err on the side of caution and “not poke the proverbial bear”.

  • What if someone says they already sent us a request that has not been honored?

If someone is taking the time to question a potential prior request, then it is important to do some additional research. In these cases, any additional data points that you can provide us with will help the process. This includes sending us specific order dates and order numbers if you can locate them in your source systems. Please also refer to the earlier bullets on ‘Data Variations’ and ‘Timing Considerations’.

  • Does CCC own its own PII that is subject to these Privacy Regulations?

No. CCC does not own our own response lists, nor do we compile data. Our clients are commercial entities, not consumers. We maintain a modest list of business contacts for our own sales prospecting.

  • Is CCC Compliant with these Privacy Regulations?

Yes, we have the ability to take commercially reasonable measures to honor our clients’ requests to ‘Delete’ their consumers’ personal information, apply appropriate ‘Do Not Sell/Rent/Contact’ opt-out requests and cooperate with our clients’ own compliance obligations.

  • Will CCC act on a request directly from a consumer?

No, potentially except where Privacy Regulations allow for exceptions to “Comply with a legal obligation.” CCC is a Service Provider and Consumers are not a direct party to our client contracts. Our publicly-facing privacy policy educates and offers guidance on how consumers can properly direct such requests. http://www.crosscountrycomputer.com/privacy-policy#nosale

  • Will CCC share our company’s Privacy Requests with other clients, or apply other CCC clients’ Privacy Requests to our data?

No. That is not a legal requirement, nor would it make sense to remove or prevent you from marketing to someone just because they made a request to an unrelated business. Each CCC client is managed separately.

  • If we are supposed to ‘Delete’ data then can we still ‘maintain’ it so that we can honor the opt-out requests!?

Privacy Regulations generally allow a business to use personal information collected from the consumer in connection with the [opt-out] request solely for the purposes of complying with the opt-out request. Similarly, a Business does not sell personal information when it uses or shares an identifier for a consumer who has opted out for the purpose of alerting third parties that the consumer has opted out of the sale of the consumer’s personal information. In other words, it is reasonably understood that some data will need to be maintained for tightly scoped purposes as part of the compliance process itself.

  • How does CCC handle Virginia, Colorado and Connecticut’s Opt-in to Processing Sensitive Personal Data?

CCC’s role does not include directly collecting opt-in preferences from your consumers, so our assumption is that you have secured the proper legal permission to direct us to process the data that you provide. As such, you should consult with your own compliance or legal team to discuss proper handling of data elements such as ethnic origin, race, religion, language or other elements that some states may consider Sensitive Personal Data. If in doubt, you may want to discuss discontinuing sending CCC Sensitive Personal Data and/or having us remove certain elements from the existing databases we may maintain for you.

  • Is there a uniform way to handle multiple states with differing Privacy Regulations?

You should consult with your own compliance team and legal counsel to determine your own approach. Because the requirements are fundamentally similar as they relate to our processing and role, and in order to be consistent and streamline the process, CCC is currently taking an approach similar to that of many other organizations, which is to use our California procedure to apply requests from other states as well.

  • Can we include consumer records from states that have not yet enacted their own Privacy Regulations?

Yes, any records you provide to CCC on a designated Privacy Request file will be applied as outlined herein. Conversely, if records are only provided through a more traditional DO NOT MAIL or DO NOT RENT process, then those requests will not be processed in accordance with this document, regardless of their state.

  • What if we receive GDPR requests?

The European Union’s (EU) General Data Protection Regulation (GDPR) became effective on May 25th, 2018. GDPR is an EU law on data protection and privacy for all individuals within the EU. It also addresses the export of personal data outside the EU. The GDPR gives citizens and residents control over their personal data. While CCC’s Customer engagements generally intend to limit or exclude EU data, there may be times that Customer knowingly or unknowingly transmits international data to CCC. While expected to be less frequent, to the extent that GDPR requests may be applicable to your engagement with CCC, they will be handled in the same manner as US domestic Privacy Requests.

To view the most current version of this procedure bookmark and refer to www.crosscountrycomputer.com/ccpa. Please direct routine questions to your personal CCC Account Executive. You can also contact Thomas Berger at (631) 851-4214 or via email to tberger@crosscountrycomputer.com.