CCPA FAQs
The California Consumer Privacy Act (“CCPA”) governs how businesses handle the personal information of California residents. At Cognitiv, we are committed to our customers’ success, including their compliance efforts with respect to the CCPA. We’re here to assist customers by providing privacy and security protections through the Cognitiv platform.
Cognitiv views the CCPA as yet another opportunity for Cognitiv to strengthen our long-standing commitment to data protection principles and practices.
What is the CCPA?
The CCPA requires companies that handle the personal information of California residents to inform residents of the companies’ privacy practices and to offer residents the ability to:
• Access the information that companies maintain about the individuals;
• Delete that information in certain circumstances; and
• Direct companies not to share individuals’ information with third parties, or allow third parties to access that information, for those parties’ own purposes.
Who must comply with the CCPA?
Most of the CCPA’s requirements apply to “businesses” – companies that collect (or direct the collection of) consumers’ personal information and determine the purposes for which the information is collected, used and disclosed.
The law also imposes limited requirements on “service providers” – companies that process consumer personal information on behalf of a business, and to which a business discloses such information for a business purpose and pursuant to a written contract. The CCPA requires service providers to process personal information only as necessary to provide their services, as these services are defined by their business customers – i.e., the “businesses” – within the contract.
The CCPA applies to any “business” that:
• Handles California residents’ personal information;
• Is “doing business” in California, and
• Meets any one of these three thresholds:
• Has an annual gross revenues of $25 million;
• Obtains personal information from 50,000 or more California residents, households, or devices annually; or
• Derives 50 percent or more of the company’s annual revenue from “selling” (i.e., sharing or giving access to the information to third parties for those parties’ own purposes) California residents’ personal information.
What data is “personal information” under the CCPA?
The CCPA defines personal information broadly to include information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
In practice, this broad definition means that information such as contact information, transaction data, IP address, mobile device identifiers, and ordering details may be within scope of the CCPA’s definition of personal information, and subject to the law’s requirements.
How does Cognitiv address CCPA requirements?
Cognitiv is a “service provider” under the CCPA because we process personal information only on behalf of our customers, pursuant to a written contract, and only to provide our services to our customers, pursuant to such written contract.
What is Cognitiv doing to help customers respond to CCPA requests to access or delete personal information?
Below is information on the steps that Cognitiv will take to help customers comply with the CCPA, including instructions on how to send your end users’ CCPA requests to Cognitiv so that we may help customers respond.
Specifically, with respect to CCPA requests for which our customers require Cognitiv’s assistance:
• We will provide our customers with the personal information we maintain about the customers’ respective end users in response to access requests. Cognitiv will provide such information to our customer within 15 business days of Cognitiv’s receipt from the customer of the CCPA request and the email address of the requesting end user.
• We will delete and/or anonymize personal information we maintain about a customers’ end users in response to deletion requests except to the extent we are required or permitted to maintain the information by applicable law, including the CCPA. For example, we may need to keep personal information for fraud detection, security purposes or as it relates to chargeback inquiries. Cognitiv will delete such information, subject to the exceptions provided above, within 15 business days of Cognitiv’s receipt from the customer of the CCPA request and the email address of the requesting end user and provide a confirmation of the same back to the customer.
• Please note that customers may not use Cognitiv’s platform to provide end user information to any third party in a manner which may constitute a sale under the CCPA.
As a Cognitiv customer, what do I need to provide to Cognitiv in connection with CCPA?
• You will be responsible for identifying and responding to requests from your end users in compliance with CCPA. As described above, Cognitiv will provide you with end user information for access requests and delete/anonymize end user information in response to deletion requests except as otherwise required by applicable law or permitted by the CCPA.
• You will be responsible for verifying the identity of an end user submitting a CCPA request and for evaluating the scope and legality of CCPA requests.
• Since Cognitiv has limited visibility into your other systems, you are responsible for notifying your other service providers or other third party providers of any CCPA requests even if those service providers are receiving your end users’ data from Cognitiv.
Questions
If you or anyone in your organization has questions about the CCPA, or any of Cognitiv’s security and privacy practices, please do not hesitate to contact the Cognitiv team at privacy@cognitiv.ai.
Please note that these FAQs (including links and cross-references) are not legal advice and are provided for informational purposes only. For legal advice, you’ll need to consult with your organization’s legal team. Cognitiv is not liable in any way with regard to the content of these FAQs.