Cross Country Computer
California Consumer Privacy Act (CCPA) Practices & Considerations 7/9/2020
Note: The following does not offer legal advice.
The CCPA grants California residents the right to control how their personal information is used, including directing businesses to delete information they have collected. Cross Country Computer (CCC) is committed to complying with the law in a manner that serves both consumers and your business.
How to Send CCPA Requests to CCC:
- The data CCC requires depends on the data originally sent to CCC. This typically includes all Name and Address fields. To increase the chances of our locating the desired record, first locate it on your own source system and provide CCC with any available details including the transaction date and order number (where available).
- Deliver CCPA files separate from all other update files.
- Name files as follows (Note: Please end each file name with a date stamp):
CCPA Deletions: “<Company name>_CCPA_Permanent_Deletion”
Do Not Sell/Rent: “<Company name>_CCPA_Do_Not_Sell_Or_Rent”
Return of Data: “<Company name>_CCPA_Right_To_Know”
If Combined: “<Company name>_CCPA_Mixed_Requests”
- Transmit CCPA files through existing SFTP.
- Important Note: All CCPA requests must be sent and received using this process. Requests transmitted in any other manner cannot be processed with the same assurances. Never send confidential PII unencrypted, or via email.
CCC’s Application of CCPA Requests:
- As a default, application is at the household level at the specific postal address provided, during your next scheduled update cycle and at the end of each subsequent cycle. If an update is not imminent, coordinate with your CCC Account Executive to discuss considerations regarding off-cycle deletions.
- CCC will add the provided postal record to the permanent Do Not Rent file that we may maintain for you. If the CCPA request is a ‘Deletion’, then CCC will also add the postal record to your permanent Do Not Mail file. Please instruct your CCC Account Executive to update these lists accordingly.
Other Important Caveats:
- Build/Application Level: Most databases consolidate and update using name & address at the individual or household (surname) level. If CCC supports a different process for you, contact us to refine scope.
- Data Variations: Data can vary over time due to routine conversion and hygiene processing. Names may get parsed and addresses standardized or changed. Similar records may consolidate, with one retained as the ‘driver’. For example, in a household (surname) database where JOHN and SUE SMITH (same address) have both purchased, CCC may retain and attribute all activity to one. If a Change Of Address (COA) was applied, the subject may not be located at the provided address. Spelling variations, vanity addresses and typos can also challenge location. There is no assurance that the information provided by the consumer in their CCPA submission will match to the data points that you collected or passed to CCC. It is important that you attempt to locate each target record within your source systems of record – the ones from which data are extracted to send to CCC. If you identify multiple variations within your internal systems then include each of them on the file sent to CCC to increase the likelihood of finding a match. Include details like transaction date and order number. Industry-standard matching algorithms allow for reasonable variations, but automated solutions are not foolproof. Our process is designed to commercially reasonable standards.
- Request to Know/Return of Data: If an individual exercises their right ‘to know’ and requests that you return a copy of their personal information to them, where reasonably possible we suggest that you return the specific data points from your own internal system(s) of record, as opposed to from ours. CCC would typically only have a subset of the data you already have and the data in your source systems will most closely align with the data that you collected from the consumer. There are several reasons for this, including the caveats noted herein concerning consolidation and ‘Data Variations’. Consider proposed CCPA §999.318(a) titled “Requests to Access or Delete Household Information” when evaluating this because it speaks to requests that may involve legalities concerning multiple individuals from a common household (which is how CCC often stores data). When responding to a ‘Request to Know’, CCC will search your active database and, if found, provide you with information to help you to cross reference to your own database.
- Timing Considerations: CCPA §1798.130(2) provides a 45 day window for businesses to comply with certain obligations, with an ability to extend that “once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period.” Proposed CCPA §999.315(f) states a 15 business day window for the application of opt-outs. Where regulation allows (and to minimize costs to our clients), CCC prefers to apply requests in batch, as part of your regularly scheduled projects. If you encounter a situation where you receive CCPA requests that are applicable to CCC, but you do not have an upcoming project scheduled, please coordinate with your CCC Account Executive to discuss considerations regarding off-cycle application.
- Completed and Interim Work Files: Adding delete requests to your Do Not Mail file will help stop the delivery of FUTURE promotions, but be sure to advise consumers that they may still receive promotions that were already in process. It is not commercially reasonable to scan through all historical completed files or interim work files, as those are already designated to age-out to deletion. See also, ‘Backup Systems’.
- Backup Systems: Due to CCC’s DR obligations we routinely take full image backups of our entire environment including data, applications and operating systems, which age-out to deletion. These images are confidential, fully encrypted, and securely managed. It isn’t commercially viable to cherry pick specific data points for deletion from backup images, so CCC continues to safeguard data until its purge. Proposed CCPA §999.313(d)(3) reads: “If a business stores any personal information on an archived or backup system, it may delay compliance with the consumer’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose.”
- Returning Customers: It is possible that someone who has requested that their information be deleted will return to your brand in the future. Consider proposed CCPA §999.316 titled “Requests to Opt-In After Opting Out of the Sale of Personal Information” to determine how you will handle this internally. CCC’s intent is to add deletion requests to your permanent Delete and postal Do Not Mail/Rent lists to help prevent retargeting. If a delete request does return while a mailing campaign is still ‘open’ then it may still show as a responder.
- Notification to Third Parties (Co-Ops, etc.): CCC is not a contractual party to your agreements with the co-ops or your other 3rd party vendors. Send required CCPA requests directly to co-ops and other third parties in your supply chain. CCC may assist with third party transfers or communications; however, this should not be relied on to ensure your own compliance, particularly because CCC’s role is often limited to just forwarding your raw files and the cadence of CCC’s processing may differ from what is appropriate for your other third parties.
- Additional Costs to CCC: CCC may include aspects of our processing as it relates to commercially reasonable application of CCPA/GDPR requests at no cost. However, for clients requiring additional processing beyond such inclusions, pricing will be provided on an as-needed basis commensurate with effort and scope.
- What is the difference between a DO NOT SELL MY PERSONAL INFORMATION and a DELETE MY PERSONAL INFORMATION request?
In the context of our role as your service provider, a DO NOT SELL request is most similar to a traditional DO NOT RENT request. Unless other arrangements are made, we would not assume that a DO NOT SELL/RENT requestor would also be considered a DO NOT MAIL request. This is because it seems reasonable to assume that even if someone doesn’t want you to sell/rent their personal information, they may still enjoy receiving offers from (and interacting with) your brand. In contrast, a DELETE request would typically also be considered a DO NOT RENT and a DO NOT MAIL.
- Why would a DELETE request also be coded as DO NOT MAIL? If they are deleted, then how could we mail them?
Even if someone is no longer on YOUR database, you could still ‘rent’ them from a third party as a prospect. While a position can be taken that you are not obligated to suppress them when later acquired through separate channels, it seems prudent to err on the side of caution and “not poke the proverbial bear”.
- Does CCC own its own CCPA regulated PII?
No. CCC does not own our own response lists, nor do we compile data. Our clients are commercial entities, not consumers. We maintain a modest list of business contacts for our own sales prospecting.
- Is CCC governed by CCPA?
In the context of the CCPA, CCC is considered a ‘Service Provider’. As per Section §1798.145(6)(h) of The California Consumer Privacy Act of 2018, “a service provider [shall not] be liable under this title for the obligations of a business for which it provides services as set forth in this title.”
- Is CCC CCPA Compliant?
Yes. We are compliant in that we don’t meet the criteria outlined in Section §1798.140(c), but of more direct relevance to our clients, we are compliant because we have the ability to take commercially reasonable measures to honor our clients’ requests to ‘Delete’ their consumers’ personal information, apply appropriate ‘Do Not Sell/Rent/Contact’ opt-out requests and cooperate with our clients’ own compliance obligations.
- Will CCC act on a request directly from a consumer?
- Will CCC share our company’s requests with other clients, or apply other CCC clients’ CCPA requests to our data?
No. That is not a legal requirement, nor would it make sense to remove or prevent you from marketing to someone just because they made a request to an unrelated business. Each CCC client is managed separately.
- If we are supposed to ‘Delete’ data then can we still ‘maintain’ it so that we can honor the opt-out requests!?
CCPA Section §1798.135 (a)(6) allows a business to “Use any personal information collected from the consumer in connection with the [opt-out] request solely for the purposes of complying with the opt-out request.” Additionally, per §1798.140 (t)(2)(B), a Business does not sell personal information when “The Business uses or shares an identifier for a consumer who has opted out… for the purpose of alerting third parties that the consumer has opted out of the sale of the consumer’s personal information.”
- What if we receive GDPR requests?
The European Union’s (EU) General Data Protection Regulation (GDPR) became effective on May 25th, 2018. GDPR is an EU law on data protection and privacy for all individuals within the EU. It also addresses the export of personal data outside the EU. The GDPR gives citizens and residents control over their personal data. While CCC’s Customer engagements generally intend to limit or exclude EU data, there may be times that Customer knowingly or unknowingly transmits international data to CCC. While expected to be less frequent, to the extent that GDPR requests may be applicable to your engagement with CCC, they will be handled in the same manner as CCPA requests.
To view the most current version of this procedure bookmark and refer to www.crosscountrycomputer.com/ccpa. Please direct routine questions to your CCC Account Executive. You can also contact Thomas Berger at (631) 851-4214 or via email to TBerger@CrossCountryComputer.com.