California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a state statute that enhances privacy rights and consumer protection for residents of California, United States. The CCPA was passed in 2018 and went into effect on January 1, 2020. It is considered one of the most comprehensive data privacy laws in the United States.

Key Provisions of the CCPA

The CCPA grants California residents the following rights:

  • Right to Know: Consumers have the right to know what personal information is collected about them, where it is sourced from, how it is used, and whether it is disclosed or sold.

  • Right to Delete: Consumers have the right to request the deletion of their personal information.

  • Right to Opt-Out: Consumers have the right to opt-out of the sale of their personal information.

  • Right to Non-Discrimination: Businesses are prohibited from discriminating against consumers who exercise their privacy rights.

  • Right to Access: Consumers have the right to access their personal information.

  • Right to Data Portability: Consumers have the right to request their personal information in a portable format.

Compliance Requirements

Businesses subject to the CCPA must comply with the following requirements:

  • Notice at Collection: Businesses must provide consumers with notice at or before the point of collection of personal information.

  • Privacy Policy: Businesses must maintain a privacy policy that discloses the categories of personal information collected, the purposes for which it is used, and the categories of third parties with whom it is shared.

  • Opt-Out Mechanism: Businesses must provide consumers with a mechanism to opt-out of the sale of their personal information.

  • Data Security: Businesses must implement reasonable security measures to protect consumer data.

  • Training and Record-Keeping: Businesses must train employees on privacy practices and maintain records of consumer requests and responses.

  • Non-Discrimination: Businesses must not discriminate against consumers who exercise their privacy rights.

The USPrivacy cookie is a mechanism used to manage and communicate user privacy preferences in compliance with the IAB's U.S. Privacy Framework. This framework is designed to help businesses comply with various U.S. state privacy laws, including the CCPA.

  • User Consent Management: The USPrivacy cookie stores user consent preferences regarding the collection, use, and sharing of personal information.

  • Standardized Format: The cookie follows a standardized format to ensure interoperability across different websites and ad tech platforms.

  • Privacy Signals: The cookie communicates privacy signals to downstream partners, indicating whether a user has opted out of the sale of their personal information.

  • Compliance Support: By using the USPrivacy cookie, businesses can more easily comply with state-specific privacy regulations and demonstrate their commitment to user privacy.

The USPrivacy cookie is typically stored in the browser as a first-party cookie and contains the following key fields:

  • Version: The version of the USPrivacy framework being used (currently 1).

  • Explicit Notice/Opportunity to Opt-Out: Indicates whether the user has received explicit notice and an opportunity to opt-out of the sale of their personal information.

  • Opt-Out Sale: Indicates whether the user has opted out of the sale of their personal information.

  • LSPA: Indicates whether the user has opted out of the sale of their personal information under the Limited Service Provider Agreement (LSPA).