mParticle Features
March 18, 2020

CCPA Compliance with mParticle

Learn how mParticle can help you comply with the upcoming California Consumer Privacy Act of 2020 (CCPA), slated for enforcement on July 1, 2020.


The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, with enforcement planned for July 1, 2020. This legislation is largely similar to the European Union’s General Data Protection Regulation (GDPR), with some key differences, and mParticle already provides compliance support for GDPR. As CCPA regulations develop, mParticle will repurpose and update the platform capabilities that already support GDPR compliance so that they also support brands impacted by CCPA.

This blog outlines mParticle’s current and upcoming product capabilities and how they can be applied to support your CCPA compliance efforts.

Comparing GDPR to CCPA

| Requirement | GDPR | CCPA | CCPA key differences | mParticle scope |
| --- | --- | --- | --- | --- |
| Right to access | Yes | Yes | Only applies to data collected in previous 12 months | In scope |
| Right to portability | Yes | No | No explicit portability requirement. | In scope |
| Right to erasure | Yes | Yes | Largely the same. | In scope |
| Right to correction | Yes | No | Not applicable | Out of scope |
| Opt-out of data sales | No | Yes | Consumers can opt-out of having their personal information sold, with an opt-out period of one year (opt-in for age under 16). In GDPR, data subjects can refuse consent for specific purposes or opt-out of data processing (below) | In scope |
| Right to restrict processing | Yes | No | No explicit requirement to halt processing in CCPA. | In scope |
| Right to stop automated decision-making | Yes | No | Not applicable | Out of scope |
| Right to equal services & price | Yes | Yes | Not applicable | Out of scope |

mParticle's current and future compliance capabilities

| Regulation | Current state | CCPA additions |
| --- | --- | --- |
| Right to access | Send data subject identities, and mParticle responds with a related data file in JSON. | No changes anticipated |
| Right to portability | Send data subject identities, and mParticle responds with a related data file in JSON. | No changes anticipated |
| Right to erasure | Send data subject identities, and mParticle responds with deletion confirmation via the OpenGDPR open format. | No changes anticipated |
| Opt-out of data sales | Brands can create Consent Purposes (i.e. Data Sales) that are then used in forwarding rules and audiences to prevent sales of a customer’s data when that customer has opted out. | No changes anticipated |
| Right to restrict processing | Brands can create Consent Purposes (i.e. Data Sales) that are then used in forwarding rules and audiences. | No changes anticipated |

How mParticle fits with CCPA compliance

As a central point of identity resolution, as well as collection and syndication of data within a brand’s stack, mParticle typically has access to many or most, if not all, of:

  1. Data that has been collected about a user (via SDKs and Feeds)
  2. Computed data about the data subject such as attributes or audiences
  3. Integrations with service providers and third parties
  4. Integrations with internal systems

This centrality in the data ecosystem allows mParticle to ingest, maintain, and apply the consent state, data forwarding rules, and customer data history along with mechanisms for its retrieval and deletion. 

Achieving and maintaining regulatory compliance with CCPA and/or GDPR is a large effort that extends beyond the scope of mParticle, for example:

Privacy office

  1. Staffing of a privacy function with appropriate DPO/leadership
  2. Training and certification of employees and contractors
  3. Inventory of data collected, retention policies/privacy impact assessment (GDPR-specific)
  4. Privacy review and impacts to product development and customer service

On-property

  1. User interfaces and messaging for providing a privacy notice
  2. Mechanisms for soliciting and collecting users’ opt-out preferences and syndicating the election to mParticle
  3. Business rules, processes, and systems for receiving, vetting, tracking, and managing data subject requests and sending them to mParticle

Within mParticle

  1. Maintaining Consent Purposes to track which customers received notice and/or have opted out of third-party customer data sales
  2. Forwarding Rules to prevent the forwarding of customer data from customers who have opted out of third-party customer data sales

Ecosystem components not connected to mParticle

  1. Ingestion, maintenance, and syndication of consent state, forwarding rules, customer data history and mechanisms for its retrieval and deletion.

For customers looking for vendor assistance with building and maintaining CCPA compliance components outside of mParticle’s scope, we highly recommend speaking with an mParticle-integrated Privacy and Compliance vendor.
