California Consumer Privacy Act (CCPA) | Frequently Asked Questions
California Consumer Privacy Act (CCPA)
Frequently Asked Questions
InMobi is committed to data privacy and complying with all legislative and regulatory requirements that ensure data protection. As the California Consumer Privacy Act (CCPA) goes into effect, we are fully committed to require compliance across every aspect of our business. As a trusted partner of leading brands across the globe, InMobi is dedicated to protecting consumer privacy while generating value for our publisher partners and creating a safe and transparent marketplace for advertisers.
This document will provide you with information on InMobi’s compliance with CCPA and include details about our products and its scope of compliance under CCPA regulations among other details. Please note that this document includes terms as defined by CCPA.
Disclaimer: This document is only intended to be a general FAQ and must not be read or treated as legal advice. Please consult your lawyers to determine your position and compliance requirements under CCPA.
1. What is CCPA?
California Consumer Privacy Act (CCPA) is a comprehensive data privacy regulation applicable to the users based in the State of California in the United States. CCPA becomes effective from January 2020 and at a high level imposes transparency with regard to the collection, processing and use of consumer’s personal information and provides consumers with certain rights regarding such usage.
2. Do you as a partner to InMobi or its affiliates need to comply with CCPA?
If you are partnering with InMobi or any of its affiliates(s), whereby you are either providing or obtaining personal information of users based in U.S., then, yes, you need to be compliant with requirements under CCPA (“Partners”).
- In the context of CCPA, personal data or personal information includes without limitation online identifiers such as device identifiers, IP address, ad-ids, gpid etc. and any inferences drawn from the same used to create audience profiles.
- De-identified/Anonymized, aggregated consumer information is not deemed to be personal information under CCPA.
- Please note that while CCPA is intended to be applicable to users based in California, InMobi requires its partners to implement certain measures for users across the entire U.S.
Please consult your lawyers to determine your position and compliance requirements under CCPA.
3. What happens if the app/network is not compliant with the requirements of CCPA?
Intentional violation of the CCPA can bring civil penalties of up to $7500 for each violation in a lawsuit brought by the California Attorney General on behalf of the people of the State of California.
The maximum fine for other violations is $2500 per violation. Other impacts comprise of claims, action for damages, termination of the engagement, loss of reputation, business and revenue. InMobi may also only elect to run anonymized traffic.
4. What broad measures must you take as a Partner to InMobi in the context of CCPA?
There are certain requirements that have to be fulfilled by Partners to comply with CCPA. Such requirements include (but are not limited to):
- privacy policy update such that the policy clearly indicates the consumer data sets collected,
- how such data is used or processed,
- disclosure regarding further sharing, transferring or ‘selling’ of consumer data to third parties and
- establish or update practices for addressing consumer rights such as consumer’s right to know, access, seek correction or deletion of personal information or elect to opt-out of ‘sale of personal information’ etc.
5. What is the definition of sale under CCPA?
Definition of sale has been broadened in the CCPA.
“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
6. What is InMobi’s position under CCPA?
InMobi has taken the position of ‘Business’ for its supply side engagement(s) on the network/SSP side, data management platform and owned and operated applications. For demand side engagements including InMobi DSP integration, InMobi has taken the position of a ‘Service Provider’ where it obtains personal information from its demand partners. InMobi has taken the position of a ‘Service Provider’ for its affiliate promotion channel.
7. Does InMobi view the disclosure of personal information in an integration with third-party mediation partners (or SSPs) as “sale” under the CCPA? Why?
Yes, InMobi considers the exchange of personal information from sources as sale, as InMobi uses personal information for targeting which is beyond just attribution and measurement. If you are a publisher, we would recommend that you check with your mediation partner (referred to as third-party mediation partners/SSPs in this case) for their specific stance under CCPA.
8. How long will user data be stored at InMobi?
There is no change in InMobi’s data retention policy as part of this update. Personal information will not be stored for more than 13 months.
9. How does InMobi plan on receiving consumer opt-outs, data access or deletion requests from supply partners?
InMobi, as a part of phase 1 implementation, will receive opt-out information from publishers via manual but secure means (password protected data rooms, data dumps, emails (with locked folders) etc) and act upon the request. Further, as a part of phase 2 implementation, InMobi will integrate with the IAB CCPA framework for data transfers.
InMobi will follow the same approach to send this information to our downstream partners.
10. Should the in-app advertising partners obtain prior consent from users under CCPA guidelines?
There is no requirement of obtaining prior consent in the CCPA. CCPA imposes a default opt-in but has defined clear notice and mechanism for users to exercise their rights such as the right to access, the right to opt-out of services, the right to opt-out of sale, the right to delete.
11. Do you have plans to join the IAB’s CCPA framework?
Yes, we will be integrating with the IAB framework for data transfers soon.
12. Where do I find InMobi’s updated Terms of Service that incorporates CCPA clauses?
13. Where can I learn more about how and for what purposes InMobi is using user data for?
14. What are the differences between CCPA and GDPR?
While the objective of both legislations is to give users the control over how his or her personal data is processed, both have their own approach to achieve this. Following are the key differences:
Domain | GDPR | CCPA |
Definition of “Personal Data” | Any information relating to an identified or identifiable person. Ex. Device ID, Advertising ID, Location information etc. | Information that “identifies, relates to, describes, is capable of being associated with a particular consumer or household” – potentially broader than GDPR definition Ex. Device ID, Advertising ID, Location, IP Address, lat-long, etc. |
Consent | Consent has to be sought before collection of personal data | Default opt-in |
Data Protection Officer | Yes | No |
Children’s Data | Parental consent required for children under 16; EU member states may lower the age to 13 | Businesses cannot sell the data of consumers under 16 unless the consumer has opted into the sale if the child is 13-16 or the parent has opted-in if the child is under 13 |
Fines | Up to 4% of global revenue or 20 million euros | Private actions: $100-$750 per consumer per incident Attorney General actions: up to $7,500 per violation |
Data Breach Notification | Yes | No |
If you have any questions, please contact ccpa@inmobi.com