California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) goes into effect on Jan 1, 2020. Its purpose is to provide California residents with new privacy rights.  The new law impacts all organizations that offer goods or services to California residents.

This article provides an overview of the tools that Salesforce offers as a Service Provider. We encourage you to speak to legal counsel to learn how the CCPA may affect your organization, as this article is not legal advice.

The Salesforce privacy team has additional details on the CCPA available from the Regional Privacy Laws page including an FAQ and a Fiction vs Fact whitepaper. The terms “Business”, “Service Provider” and “Sale” used in this document refer to the definitions in the CCPA (as documented in our FAQs).

Data Deletion (Delete my data)

As a Service Provider, Salesforce Audience Studio  provides tools to effectuate a deletion request on behalf of our customers. That includes all information tied to a device (cookie ID, mobile device ID) or a person (bridge key, hashed emails).

More details on data deletion including implementation options are available in this related article.

Data Portability & Access Requests (Give me a copy of my data)

The data portability tool provides the ability to request data feeds associated with a device or person. To comply with the CCPA, you may be required to export consumers’ personal data to make it available to them when they request it.

More info on Data portability tools can be found here.

Do not sell my personal information (“Do Not Sell”)

The CCPA provides consumers the right to opt out of the sale of their personal data. Please note that customers are advised to consult with legal counsel on the definitions of the terms “sale” and “personal information” and that Salesforce is unable to provide legal advice on these definitions.

We provide API-based tools to help you manage and comply with consumer Do Not Sell requests. When using these tools, it is critical that all inputs to update consent be through the online methods of API, Javascript, SDK, and the UI. Note that consent updated through Self-Serve File Imports and by Requesting Data Deletion via File are not supported by the consent API.

The process to configure the Do Not Sell option in Audience Studio is outlined below.

1. The definition of a “sale” depends on your business and how you use Audience Studio to accomplish your business goals. Review the CCPA Do Not Sell requirements with your legal team and create a plan to map a “sale” to one or more Audience Studio consent flags.  These flags include data collection, analytics, targeting, cross-device, data sharing, and re-identification, as described here.  As an example, your legal team may determine that a Do Not Sell request applies to data sharing with partners and activation to DSPs, in which case you would map the definition of a “sale” to the Data Sharing and Targeting consent flags.
   
   
2. To manage a Do Not Sell request using Audience Studio, you must set up your policy regime to default to consent TRUE for flags that are associated with a “sale.”. In the example above, you could configure a Custom policy regime as shown below.
   
   
   
3. Use the consent API on your websites and in your applications and other software to manage consent flags. Specifically, when a consumer opts out of data selling, you must modify the consent to set the consent flags mapped to a “sale” to FALSE. The consent API will provide the ability to read the current consent setting, update flags and write to the consent API with the updated consent. You must also use the consent API to determine whether to show the CCPA opt-out to the consumer.

More information on Consent Management can be found here.

More information on Consumer Rights Management - Concepts & Glossary of Terms can be found here.

More information on Consent API can be found here.

More information on setting up the consent tag at “JavaScript Consent Tag Spec”.