This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should seek professional legal advice where appropriate.
On January 1, 2020, an important piece of privacy legislation will go into effect in the US called the California Consumer Privacy Act. Designed to give California residents more control over their personal information, the CCPA may have a country-wide impact as many companies are likely to adopt it as a national standard of privacy compliance.
Criteo is a global company and as such, has adopted the General Data Protection Regulation (GDPR) regulations, passed in 2016 and implemented in 2018, as the worldwide standard for all its services. Consequently, we have processes to handle user rights and adopted best-practice data protection principles that go well beyond what is required by the CCPA.
The CCPA adopts a very broad definition of personal information and introduces transparency requirements. In this post, we’ll tackle a few aspects every business should know.
How is Personal Information defined under the CCPA?
The CCPA explicitly covers data such as “online identifiers”, “IP addresses”, “browsing history”, “information regarding a consumer’s interaction with a website, application, or advertisement” and “geolocation data” if it can be reasonable linked, directly or indirectly, with a particular consumer or household.
Criteo does not collect any data, such as first and last name or postal address or even email address in plain text, that would allow us to identify a person. However, our technology is able to recognize a particular device or browser and this type of data falls under CCPA’s “Personal Information” scope.
As such, we expect that most data collected by Criteo, which is already considered Personal Data under the GDPR, will be considered Personal Information under the CCPA.
What rights does the CCPA grant to consumers?
The CCPA adopts a very broad definition of personal information and introduces transparency requirements. It offers new protections to consumers in California, including:
- The right to know; Users can gain access to the “specific pieces of personal information the business has collected about that user”.
- The right to delete; Users can request that a business delete any or all personal information about the consumer which the business has collected from the consumer.
- The right to opt out; Users will be able to instruct a company not to “sell” their personal information to third parties.
Who should be preparing for the CCPA?
The territorial and material scopes of the CCPA are complex so you should seek legal advice.
Criteo’s advertisers and retailers shipping to California, as well publishers who operate websites and apps of interest for Californians may fall within the definition of “businesses” under the CCPA, if any of the following are true:
The CCPA will also apply, at least to some extent, to affiliates of companies that fall themselves within the above definition.
What is Criteo’s status under the CCPA?
Because Criteo “determines the purposes and means of the processing of consumers’ personal information” but it is not the entity which the users intend to interact primarily with, we expect Criteo will be considered both a ‘business’ and a ‘third party’.
At the core of Criteo technologies are its AI-driven algorithms and its Shopper Graph, which both rely on a ‘network effect’ to bring shared value to its customers and partners. This is why Criteo does not expect to act as a Service Provider as it would limit is ability to operate such technologies.
What should advertisers and publishers to do next?
- Determine to what extent the CCPA will apply to them and seek legal advice if required.
- Be ready to update their privacy disclosures and implement choice mechanisms.
At Criteo, we are a privacy-first organization that adheres to the highest levels of data compliance and industry best practices. We see the CCPA as a positive move toward furthering transparency, control, and trust for both businesses and consumers. As a global company that’s accustomed to adhering to strict EU standards, we’re more than prepared to support our clients and publisher partners as they navigate new privacy regulations and ultimately, build stronger relationships with their customers.
To learn more, download our CCPA report.
Disclaimer: This summarizes the main requirements related to the CCPA, without going into full details. We advise our clients and publisher partners to consult with legal counsel to ensure compliance of their practices.