CCPA FAQ

California Consumer Privacy Act (CCPA) Frequently Asked Questions

Last Updated Date: April 26, 2020

This FAQ is intended for Source Meridian’s Clients & Consumers. You can find more information on acceptable use of our website in our Terms of Use. If you are a consumer, please see Source Meridian’s Consumer Privacy Policy for information about your CCPA rights as they relate to Source Meridian’s services.

This FAQ is for informational purposes only. It is intended to provide information on Source Meridian’s approach to addressing the potential obligations imposed by the CCPA on Source Meridian’s business model. It is not intended to provide legal or business advice to any other company or individual. The obligations imposed by the CCPA depend on how your company collects and uses personal information and you are solely responsible for seeking your own advice as needed for your company’s compliance needs under the CCPA or otherwise.

1. What is the CCPA?

The California Consumer Privacy Act (CCPA) is a comprehensive privacy law that came into effect on January 1, 2020. The law is enforced by the California Attorney General (AG), who is also tasked with issuing regulations under the CCPA. Enforcement can begin six months after the AG issues final regulations or on July 1, 2020, whichever is sooner.

The CCPA applies across all industry sectors, imposing obligations on companies that handle personal information. The CCPA’s requirements include:

  • Providing privacy notices
  • Implementing processes for individuals to access and delete their personal information
  • Allowing individuals to opt out from “sales” of their personal information

The “sale” opt out right impacts more than just traditional sales of data for money. The CCPA defines “sale” broadly to include many commonplace data sharing arrangements, even where no money is exchanged. However, data sharing with a business’s service provider is not considered a “sale,” as long as certain contractual terms are in place between a business and its service provider.

2. How is Source Meridian preparing for the CCPA?

Source Meridian has been actively assessing its obligations under the CCPA and has a core team focused on leading CCPA efforts, as well as privacy and regulatory in general. This core team has been working closely with outside privacy counsel who focus on CCPA compliance and the changing privacy regulatory environment. Among other activities, Source Meridian is preparing processes for receiving and responding to consumer rights requests we may receive, revising applicable privacy policies, and reviewing and modifying contracts to align with applicable CCPA requirements.

3. How can our Clients continue to use Source Meridian‘s services consistent with the CCPA?

As currently defined under the CCPA, a “service provider” processes California consumers’ personal information on behalf of another business. To be a service provider, the entity must receive the personal information under a written contract that limits the service provider’s processing to purposes specified in the contract or otherwise permitted by the CCPA. A “business” is a for-profit entity that determines the purposes and means of processing California consumers’ personal information and that meets certain thresholds around revenue and similar factors.

Where Source Meridian acts as a service provider, Source Meridian’s privacy policies and terms of use outline how we handle Event Data and Contributed Data, as defined and detailed in our Terms of Use, that you own and provide to us, requiring us to follow your instructions. If you pass along a request to us that a consumer opts out of “sales” (as broadly defined under the CCPA) of their personal information, we will only use Event Data and Contributed Data associated with that consumer request to directly support the services that we provide to you. We will also respond to your request to “delete” a specific consumer’s personal information which is part of Event Data or Contributed Data.

Where Source Meridian may act as a business under the definitions of the CCPA, including with respect to Data, as defined in our Privacy Policy, Source Meridian will respond to any consumer “opt out of sales” requests that you may choose to send to us by not further incorporating the personal information associated with that consumer. Because Source Meridian does not directly interact with consumers, but gains access to certain data automatically as part of the services we provide to our Clients, to help our Clients facilitate consumer “sale opt out” requests if you choose to flow down any requests, Source Meridian will set up a process for you to send along consumer “sale opt out” requests you receive. To help consumers receive appropriate notice about the use of their information at collection, we may ask those who provide us access to certain data to provide written affirmation that you provide consumers with appropriate notice and may ask for an example of the notice.

3. How can our Clients continue to use Source Meridian‘s services consistent with the CCPA?

Source Meridian plans to:

Provide a process for submitting requests for exercising applicable rights under the CCPA, including “sale opt-out” and “deletion” requests.

Notify you if we need to put into place any new terms which are required by the CCPA regulations thus far.

Continue to work closely with our outside privacy counsel to address any obligations arising out of updates or changes to the CCPA regulations and will notify you of material changes which may affect the processes we have outlined above or implemented.

Please visit our Privacy Page on our main website at sourcemeridian.com for more information and resources.