Disclaimer: The information in this FAQ is for general information only and does not constitute legal advice. Please consult your own legal professionals if you seek advice on specific interpretations and requirements of the CCPA.
Acquia & CCPA
General CCPA Questions
What is CCPA?
The California Consumer Privacy Act (CCPA) was enacted into law on June 28, 2018. The CCPA provides California “consumers” the following privacy rights:
- Right to access
- Right to delete
- Right to opt out of sale
Businesses regulated by the CCPA will have a number of obligations to those consumers, including disclosures, General Data Protection Regulation (GDPR)-like rights for consumers, an “opt-out” for certain disclosures of personal information and an “opt-in” requirement for minors.
When will the CCPA come into effect?
The CCPA goes into effect on January 1, 2020. However, enforcement by the Attorney General will not begin until July 1, 2020.
Who is protected?
The CCPA offers certain rights to consumers, defined as natural persons who are California residents. There are a number of exceptions in the CCPA, including for personal information collected about a business’s personnel and business-to-business representatives. The precise scope of these exceptions is context-dependent.
Who does CCPA affect?
The CCPA will apply to a business if it, or an entity it controls or that controls it and that shares common branding with it, collects or receives personal information from California residents, either directly or indirectly, determines the purposes and means of the processing of that information, does business in California, and meets one or more of the following criteria:
- Has annual gross revenue that exceeds US $25 Million;
- The entity annually receives, buys, sells or shares, directly or indirectly, the personal information of 50,000 or more California residents, devices, or households;
- 50% or more of its annual revenue is derived from the sale of personal information about California consumers.
What is personal information under the CCPA?
In general, the CCPA defines personal information broadly to include information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The CCPA provides a non-exhaustive list of categories of personal information, including:
- Name, alias, postal or email address, online identifier, account name, Social Security number, driver’s license number, passport number, or other similar identifiers;
- Signature, physical characteristics or description, state identification card number, insurance policy number, education, bank account number, credit card number, debit card number, and other financial information, medical information, and health insurance information
- Unique personal identifiers (e.g., IP address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers);
- Characteristics of protected classifications under California or federal law;
- Commercial information (e.g., purchase history and “tendencies”);
- Biometric information;
- Internet activity (e.g., browsing and search history);
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Professional or employment-related information; and
- Education information (as defined in the Family Educational Rights and Privacy Act (FERPA).
Personal information does not include certain publicly available government records de-identified or aggregate consumer information. Certain personal information covered by other sector-specific legislation (e.g., HIPAA) is exempt from the scope of the law.
What are the key rights of consumers under the CCPA?
The CCPA requires regulated businesses that collect, use, disclose, and sell personal information to, among other
- The Right to Know - What personal information is collected, from whom and for what purposes, and with whom is it shared?
- The Right to Access - Request a copy of the specific pieces of personal information collected in a readily useable format
- The Right to Deletion - Delete data collected from a consumer upon request and direct service providers who hold personal data on behalf of covered entity (limited exceptions)
- The Right to Opt Out of Sale - Provide consumers the right to opt out of the sale of their personal data
- The Right to Equal Service - Prohibits covered entities from discriminating against consumers who opt out (limited exceptions)
How is the CCPA enforced? What is the fine for noncompliance?
The CCPA is enforceable by the California Attorney General with the ability to levy a civil penalty up to $2,500 for each violation or $7,500 per each intentional violation. Enforcement will begin on July 1, 2020.
The CCPA also includes a private right of action that is limited to the context of data security breaches under California’s breach notification law. Under this private right of action, Consumers may seek the greater of actual damages or statutory damages ranging from $100 to $750 per incident.
Courts may also impose injunctive or declaratory relief.
How is data “sold” under the CCPA?
The definition of “sale” of personal information under the CCPA is defined broadly to include “selling, renting,releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” the Personal Information of a Consumer to another business or third party “for monetary or other valuable consideration.” Where a consumer has elected to “opt-out”, the business will be required to turn off the flow of personal information to any third party to which it “sells” personal information.
The CCPA does provide a number of exceptions to opt-out of sale right”, including for example, transfers (i) to a Service Provider or(ii) at the direction of the consumer. Even if a consumer has elected to “opt-out”, personal information can continue to transfer to third parties who fit into those carve-outs.
In order to take advantage of the Service Provider exemption, businesses will have to ensure that the transfers are
governed by written contracts containing the specific terms required by the CCPA.
What does Businesses and Service Providers mean in the context of CCPA?
In the context of CCPA, Businesses are entities that meet certain specified thresholds and determine the purposes and means of the processing of consumer’s personal data and Service Providers are individuals or entities that process information on behalf of a Business pursuant to a written contract that contains certain specified language. These are broadly synonymous to the terms ‘Controllers’ and ‘Processors’ used in GDPR.
CCPA and Acquia
How will the CCPA affect Acquia? Is Acquia a “business” or “service provider” under CCPA?
Acquia, in its performance of services to its customers, can be deemed as a “service provider” under the CCPA as it processes personal information on behalf of its customers (or “business”). Customers or “businesses” are the entities that determine why and how personal information will be collected and used. As Acquia’s customers have complete
control of their website and digital experience content they are ultimately responsible for such content.
Acquia may also act as a “business” in the information it collects from its website. Acquia’s use of Customer personal
What are my responsibilities (as a customer of Acquia) as it relates to CCPA readiness?
As a customer, if you are a “business,” you are responsible for ensuring compliance with the key requirements of the CCPA. This includes, but is not limited to, notifying individuals of how and why you handle their personal information, honoring their opt-out of sale requests if applicable), addressing their requests for access to or deletion of their
What are Acquia’s responsibilities (as a service provider to Customer) as it relates to CCPA readiness?
Acquia will cooperate with Customers in meeting CCPA requirements where possible and appropriate. For example, to the extent Customer, in its use of the services, does not have the ability to address a verifiable consumer request for deletion, data portability, access, and rectification, Acquia shall upon Customer’s request assist Customer in
responding to such request, to the extent Acquia is legally permitted to do so and the response to such request is required under the CCPA. However, please note that Customers remain ultimately responsible for compliance with these requirements, including, answering requests from Customers’ consumers.
How does the CCPA apply to B2B data?
The majority of the CCPA’s operative provisions do not apply to personal information that Business A obtains about representatives of Business B when that personal information is obtained in the context of Business A and Business B doing business with one another. This is known as the CCPA’s B2B exemption. Pursuant to this exemption, Acquia’s response to a consumer’s access or deletion request may not address data that we obtain in the B2B context.
How is Acquia preparing for CCPA?
Acquia is leveraging the compliance efforts it used in the past (e.g., GDPR, ISO) and, as such, we are currently in an excellent position to meet the related CCPA requirements.
What is the customer’s role in securing their content?
Under the Acquia shared responsibility model, customers can build on the technical and organizational security measures and controls offered by Acquia to manage their own compliance requirements. Customer responsibility will be determined by the Acquia Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. Customers can use familiar measures to protect their data, such as encryption and multi-factor authentication, in addition to Acquia security features like security patch management, antivirus upload scanning, file system encryption, SSL, HTTPS, and logging and monitoring.
Does Acquia “sell” personal information?
No. Acquia does not sell personal information.
Does Acquia have a documented Breach Notification Process?
Yes, we have an internal, documented Breach Notification Process.
Does Acquia have any legal guidance for customers regarding the CCPA?
Acquia is not in a position to provide customers with legal advice on their requirements under CCPA, and suggests that customers consult their legal counsel on how best to prepare for CCPA's implementation and enforcement.
Will Acquia be updating its contractual terms with respect to CCPA? Does Acquia have a CCPA Addendum?
Acquia’s standard terms already prohibit Acquia from retaining, using or disclosing the personal information for any purpose other than as specified under the agreement and as such, we do not feel an update is necessary. However, for those Customers who still desire to execute a separate addendum, we have prepared the Acquia CCPA Business-Service Provider Addendum.
For customers who wish to execute a separate addendum, the Business-Service Provider Addendum has been created.