#What is CCPA?
The California Consumer Privacy Act, or CCPA, is a data regulation enacted in 2020 by the US state of California to safeguard the rights of California residents.
According to NPR, the law...
... applies to any company that meets any one of three thresholds annually: It has at least $25 million in revenue, makes at least half its money by selling data or gathers information on at least 50,000 consumers.
According to CNN, California residents may now...
... demand those companies disclose what data they have collected on them, and the law requires companies delete that data when users ask them to. Companies must disclose how their customers can contact them to request their data be forgotten. [Companies may], for example, list an email address to use specifically for privacy issues.
More information about CCPA can also be found at California's Office of the Attorney General here.
The CCPA governs the collection, storage, transfer or use of "personal information", where "personal information" is defined very broadly to include any information relating to an identified or identifiable Californian individual, or to an identified or identifiable California household.
The CCPA gives Californians greater rights and control over personal information, by regulating how businesses obtain, handle, store and transfer the personal information they collect.
Of particular interest under CCPA to publishers and analytics companies (like Parse.ly) are the regulations that deal with collection; sharing; use; and, deletion of personal information. Further, the regulations recognizing users' rights to access; correct or amend; delete; restrict processing of; and, port their personal information.
#Key changes under the CCPA
Beginning in 2017, Parse.ly underwent a number of changes to its data privacy processes in order to comply with GDPR. We'll briefly describe those changes, since they are relevant to our general handling of personal information. We'll then describe the further actions we took as part of our CCPA compliance.
To comply with GDPR, Parse.ly...
- Expanded rights for individuals: the right to be forgotten (aka "right of erasure") and the right to request a copy of any personal data stored in their regard (aka "data portability").
- Implemented and upgraded additional data handling protocols: ensured there was a process in place for reviewing and handling data requests, and reviewed the data security architecture across the company.
- Improved recordkeeping and other compliance obligations: established process to keep detailed records on data activities and enter into written agreements with vendors that require vendors to commit to the same compliance obligations as the contracting organizations.
- Implemented a data breach notification process: established process to report data breaches to data protection authorities within 72 hours of discovery, and in serious cases to the affected individuals.
#Is Parse.ly a "first-party" analytics vendor?
Yes. At Parse.ly, we've always taken consumer data privacy and data security seriously since we started operating a large-scale analytics service in 2010.
Although Parse.ly does not rely on the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as a legal basis for transfers of personal data in light of the judgment of the European Court of Justice in Case C-311/18, nonetheless we are self-certified under the Privacy Shield, which concerns transfer of data between the EU (and Iceland, Liechtenstein, Norway and Switzerland) and the US and, for as long as we are self-certified to the Privacy Shield, we will process personal data in compliance with the Privacy Shield Principles. We have also worked with several companies in Europe on the privacy requirements to be their first-party analytics vendor of choice.
We avoid storing extraneous data on visitors, only instrumenting sites with collection mechanisms that enhance our first-party reporting capabilities.
#What changed at Parse.ly under CCPA?
Parse.ly's Information Security (Infosec) Team performed a full internal audit for compliance with CCPA.
Our Information Security Team evaluated our systems and data storage to ensure CCPA readiness, following up on the exercise we had done in years prior for GDPR compliance.
Whether it comes to our own internal data, data prepared and processed for use by our customers, or data collected by visitors to those websites, we now ensure that it meets the appropriate privacy standards set by CCPA.
- Enhanced data integrity and security: We adopted security practices that are broadly recognized as industry standard.
- Consent requirements: We audited for compliance with consent rules for any new data we capture, to ensure we continue to lawfully process personal information that is sent to us by clients, or that we collect ourselves from our own sites and services.
- Providing visibility and transparency: As a "service provider" to our customers under CCPA, we must provide our customers (the "businesses") with access to effectively manage and protect their data. We are also exploring product enhancements to provide better transparency, in order to also provide all reasonable assistance to our customers to comply with their own transparency and data rights access obligations.
- Revised process for data subject access requests: Under CCPA, California residents have the right to reach out to Parse.ly for information on the personal information we collect. We have revised our processes to support these rights.
#Security and Privacy
At Parse.ly, we've always focused on a privacy-minded implementation of analytics. GDPR and CCPA are a welcome codification of practices our engineering teams already follow. But, we used the GDPR and CCPA to ensure all the details are covered.
One key aspect of this is system security. We made sure that the data we hold is kept in safe and secure hands, and that our security policies and software are up to date with industry standard best practices.
As for privacy, we've always been a privacy-first company; we've long had additional privacy measures, such as limiting IP Address collection and Third-Party Cookies on customer request, even before it was mandated by any privacy agency. We allow customers to control the data they send to us: a customer's development team can send along in our tracking pixel only the minimum information necessary to do analytics properly, which makes us an attractive option already for security and privacy-conscious publishers and clients.
Our public stance on analytics and privacy can be found in a piece of writing by our Chief Technology Officer, entitled "Analytics and Privacy Without Compromise.".
#Data Protection Team
To comply with GDPR, we created a Data Protection Team which is focused on engineering improvements to our systems, processes and our products to comply with the standards required. This team's mandate has been expanded to now include the CCPA.
This team focused on organizational changes for handling data protection issues, including compliance with consent and other requirements for how to lawfully collect personal data; improvements to systems and processes to comply with rights of individuals to access, review, correct or delete any personal data that is processed in our systems; ensuring that our own data collection privacy disclosures and data processing agreements are revised, as necessary; and, improving disaster response procedures and notification processes for responding to potential data breaches.
#Customer guidance related to CCPA and Parse.ly services
All organizations processing personal information of California residents have their own separate compliance obligations. This is true for our customers as much as it for us, and our customers must look to their own advisers to guide them through these processes.
Nonetheless, in relation to our customers' use of our systems and services, there are several important things our customers should be doing to meet their own CCPA compliance obligations:
- Update terms of service and privacy policies: On your websites or apps, these should be updated to communicate to your own customers and other users how you are using our systems (and any other similar services). These disclosure obligations are more important than ever under the CCPA, including the important obligation to be transparent about the third parties (including us) with whom you are sharing personal information of your users, even if only in the service provider relationship.
- Confirm consent requirements: As a business collecting personal information of California residents, our customers have ultimate control over the data we store and process for our customer's monitored domains and apps. Customers need to manage their visitor/user experience to make sure they have robust privacy notices and, where necessary, implement compliant consent and opt-out experiences.
- Formalize data "service provider" relationship: Our customer contracts contain appropriate provisions for the personal information we store, and balance the risks and responsibilities between our customers (the "businesses") and us (the "service provider"). If you have an older offline contract with Parse.ly, we ask that you sign or update a contract with us incorporating terms to clearly establish our respective data processing roles, in compliance with the CCPA and other generally applicable privacy laws. This reflects our role as a "service provider" under CCPA (and a "data processor" under GDPR, if applicable), processing data on your behalf as the data "business" under CCPA (or "data controller" under GDPR, if applicable). This can typically be done with an addendum to our 2018 standard product terms.
#Note on GDPR
We have information available here about Parse.ly's compliance with the EU's General Data Proection Regulation (GDPR), the regulation related to data privacy for the European Union.
It is often convenient to achieve legal compliance with CCPA and GDPR at the same time, since both regulations concern personal information/data of internet visitors, including disclosures, access rights, and so on.
#Reach out for help
Parse.ly considers it a core operational responsibility to ensure first-party analytics is used responsibly and within the guidelines set by CCPA and other privacy frameworks.
We ask that customers reach out to their account representative if they need the direct help of our Infosec Team or our Data Protection Team.