On January 1, 2020 the CCPA became effective and will be enforced by the California Attorney General beginning July 1, 2020. What is the CCPA? It is a privacy law that gives California residents new privacy rights. Particularly, app and web developers should take note of the CCPA. The CCPA is the reason for many e-mails that you may have received recently from online services notifying you of a change to their privacy practices and policies.
The CCPA is applicable to developers of mobile apps, web apps, and other online services that are doing business in California and that satisfy one or more of the following thresholds:
- Annual gross revenues in excess of twenty-five million dollars
- Processing for commercial purposes the personal information of 50,000 or more consumers, households, or devices
- 50 percent or more of annual revenues from selling consumers' personal information
For the CCPA to be applicable the developer does not need to be in California. Rather, it matters where the consumers reside. If an app is used by California residents, it may be subject to the CCPA (assuming that all other requirements for the applicability of the CCPA are met). Microsoft and a few other tech companies decided to apply the CCPA to all residents of the United States, which avoids the hassle of identifying where users reside.
It is not clear at this point whether the thresholds only relate to consumers residing in California or to all users of an app. For example, is the threshold of 50,000 or more consumers, households, or devices met if an app has more than 50,000 users in total but less than 50,000 from California? A conservative approach would be to assume that it relates to all users of an app and apply the CCPA.
Here is an important point. "Selling" is broadly defined in the CCPA and includes renting, releasing, making available, transferring, or otherwise communicating by electronic means a consumer's personal information for monetary or other valuable consideration. "Selling" will likely be interpreted to cover sharing of personal information with ad networks to target advertising for ad revenue.
"Personal information" is also broadly defined in the CCPA. It generally covers all information related to a consumer's interaction with an app. For example, advertising identifiers, IP addresses, and location information all qualify as personal information per the CCPA. Under this definition almost every app will process some category of personal information.
The bottom line is that the CCPA is applicable to many more developers than it initially seems. Likely, many smaller and mid-sized developers will be impacted by the heightened compliance standards the law mandates. It will take some time to settle under which circumstances the new law will apply. It may also lead some developers to change their business models, e.g., monetizing via in-app purchases instead of ad targeting to avoid the sale of personal information, which requires a "Do Not Sell My Personal Information" link under the CCPA.
If the CCPA is applicable to an app, California residents have the right to request from the developer:
- A copy of their personal information (right to know)
- Deletion of their personal information (right to delete)
- Being opted out from the sale of personal information (right to opt out)
An important (and not yet fully resolved) part of the rights request process is the identity verification of the individual submitting a request. Personal information should not be disclosed to unauthorized individuals. How the identity of the requester can be verified depends on what information an app is collecting in the first place: for example, if it collects ad IDs, developers can ask for this identifier; if it collects e-mail addresses, users should submit their rights requests from those e-mail addresses. Generally, developers should not ask for more information than they already have. Also, the more sensitive the personal information is, the higher the standard for identity verification should be.
To honor opt out requests, developers have to stop collecting personal information from the opted out users. In addition, they also have to notify third parties to stop such collection. For requests to delete, past information must be removed as well; again, both from the databases of the developer and any third party to whom such information was disclosed. Many ad networks have established processes for propagating rights requests through their systems, e.g., for AdMob publishers can restrict data processing. Developers should check which processes the third parties they integrate have set up and follow those. In the absence of any special processes provided, it is a good idea to just reach out to the third parties. Industry organizations have established compliance frameworks as well, e.g., the Interactive Advertising Bureau CCPA Compliance Framework.
- A description of the consumer's right to opt out
- The web form by which the consumer can submit their request to opt out
- Instructions for other methods to submit opt out requests
- Any proof required when a consumer uses an authorized agent to exercise opt outs
Many developers, particularly, in the ad space, are currently taking a close look at their business models. After all, which user would not click on a button to stop his or her sale of personal information? Also, having a Do Not Sell Button on one's website is not for everyone from an image perspective. In addition, the administrative burden of processing opt out requests and propagating them downstream to ad partners can be quite high. Some even worry about a "weaponization" of the new privacy rights, which the CCPA tries to prevent, for example, by limiting right to know requests to twice in a twelve-month period. Thus, not all is doom and gloom. In fact, now is a good opportunity for developers to take a step back and think about how they process personal information. It is a good time to use increased privacy protections as a feature and differentiator.
- A description of consumers' privacy rights
- How those rights can be exercised and how the identity of individuals requesting them is verified
- Lists of the categories of personal information collected, sold, and disclosed for a business purpose in the preceding twelve months
- The categories of sources from which personal information is collected (e.g., the app itself, data brokers, public repositories, ...)
Whether the CCPA is applicable or not, developers should embrace privacy policies as an artifact of software development. Just as many developers are familiar with different software licensing models, especially in the open source domain, the creation and maintenance of privacy policies should be equally understood as an original task of software developers. Some cases will require additional consultation with a lawyer. However, for garden variety cases policies will be fairly standardized and developers can and should integrate the task in their workflow.
This post is for informational purposes only and does not constitute legal advice. An identical version is published on Medium.