This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should seek professional legal advice where appropriate.
On Jan 1, 2020, the California Consumer Privacy Act (CCPA), the most comprehensive privacy law to date in the US, will go into effect. The goal of the CCPA is to give Californians more control over their personal information.
With our strong commitment to data privacy, we at Criteo are fully engaged with our clients and partners to help them navigate through their CCPA compliance journey through proactive communications and best-practice compliance tips. Below are three protections the CCPA grants to consumers in California, and how Criteo is prepared to support them:
1. The Right to Know
The CCPA introduces the right of access/portability. It allows a specific user to gain access to the “specific pieces of personal information the business has collected about that user”.
Should a client receive such a request from a user with respect to data collected by Criteo, then they will be able to advise them to check Criteo’s Privacy Policy which contains full details on how the user can obtain this information and submit a request directly to Criteo.
Upon receipt of a request from a data subject, Criteo asks for user identification and then provides an Excel spreadsheet containing all personal information related to that user.
Criteo would not send this information directly to the client acting on the user or consumers behalf.
2. The Right to Delete
The CCPA introduces a right to request that a business delete any or all personal information about the consumer which the business has collected from the consumer.
As with the right to know procedure, should a client receive such a request from a user with respect to data collected by Criteo, then our clients will be able to advise the requestor to check Criteo’s Privacy Policy where they will be able to submit the request directly to us.
Some clients may feel that they should pass on deletion requests they receive to Criteo, however this is not the case as Criteo does not act as a Service Provider.
3. The Right to Opt-Out
Users have the right to be able to instruct a company not to “sell” their personal information to third parties.
If our clients and partners will be considered as “selling” data to Criteo, they will have to provide users with a way to exercise their right to opt-out.
The draft AG regulations are also requiring that our clients and partners notify all third parties to whom personal information has been “sold” within the last 90 days prior to the user requesting to opt out.
In order to make this process as simple as possible for users, industry trade associations such as the DAA and the IAB are currently working on standards to stipulate how the opt-out and its notification to third parties should be handled.
For over 14 years, Criteo has been adhering to strict levels of data privacy and security.
Criteo has an extensive number of certifications and supports initiatives that deliver greater transparency and control to users. We are a proponent of the IAB Transparency and Consent Framework and were early adopters of industry best practices such as the AdChoices program, as well as:
We’re well aware and prepared for the implications of the CCPA, and we’re ready to help our advertising clients and publisher partners understand our products and services. By working together to understand and prepare for the regulations, we can all look forward to a future where consumers trust every business to treat their data fairly and securely.
To learn more, download our CCPA report.
Disclaimer: This summarizes the main requirements related to the CCPA, without going into full details. We advise our clients and publisher partners to consult with legal counsel to ensure compliance of their practices.