The California Consumer Privacy Act gives Californians the right to see, delete and stop the sale of the
personal information that companies have compiled about them.
Who Is Affected?
Companies that do business in California, regardless of where they are located, must comply with the law if they exceed one of the following thresholds:
The CCPA stipulates the following (for California residents):
Consumers Are Granted:
Businesses Are Prohibited from:
Personal information is anything that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household which includes:
• Real name or alias, physical address, biometric information,
• IP address, email address, unique personal identifier, online identifier (incl. device ID and user agent)
• Account name, driver’s license number, passport number
• Records of purchasing history or tendencies
• Internet browsing or search history, information related to web site interactions, geolocation data
• Employment or education data
The selling of data under the CCPA is defined very broadly. Think of it more like sharing data. Per the IAB,
“Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. Simply disclosing data, even as part of a larger transaction involving a product or service, likely constitutes a sale, [so] it is difficult to conceive of an activity that does not fall within this definition given that the digital advertising ecosystem is built and predicated upon utilizing consumer data for ad decisioning, reporting, and optimization.”
For digital video ad serving and analytics, ER only collects IP address, device ID (if sharing is enabled by the web publisher/device), user agent string, and geo-location (inferred by the IP address).
When a Consumer Opts Out on a Publisher’s Website
• As a signatory to the IAB CCPA Compliance Framework, if a consumer on a publisher’s website opts out of having their personal information collected and shared, the publisher
will pass this signal to ER in real time on every ad call and viewing session via a privacy macro.
• When ER receives notice that a consumer has opted out, (a) those users can no longer be geo-targeted via ER and (b) we can no longer share their personal information with our
advertising clients via custom, log level reports. All fields in custom reports that have personal information - IP address, device ID, user agent - will be replaced with “CCPA”.
When a Consumer Contacts ER Directly
• If a consumer contacts ER to have their personal information deleted, we will acknowledge the request within 10 days, and act on the request within 45 days.
• We will also share these requests with any ER advertising clients who have received this personal information via our custom reports, so they may take action to delete data within their systems.