iResearch and the CCPA

At iResearch Services, we invest significant efforts in ensuring that our products and practices comply with all global data protection and privacy laws that apply to us and our clients.

On this page we provide information about the California Consumer Privacy Act of 2018 (CCPA) and the ways in which iResearch Services complies with its current requirements.

CCPA – What Is It All About?

The CCPA, which came into effect on January 1, 2020 and became enforceable on July 1, 2020, consists of a series of bills that gave new privacy rights to consumers residing in the State of California, and imposes obligations on businesses processing their personal information.

Roles, Responsibilities & Exemptions

The CCPA distinguishes between three roles for companies involved in the processing of personal information:

  • Business (similar to ‘data controller’ under the GDPR)
  • Service Provider (similar to ‘data processor’ under the GDPR)
  • Third Party (similar to a Business, but one that does not have direct interaction with the consumer)

The CCPA generally applies to Businesses that fulfil one or more of the following conditions:
(i) have a gross revenue greater than $25 million;
(ii) Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes;
(iii) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The obligations imposed on ‘Businesses’ outline the limits of ‘sale’ of personal information and define specific actions that Businesses are required to perform, such as:

  • Create a “Do-Not-Sell-My-Personal-Information” button on your homepage
  • Inform consumers of categories & specific pieces of information collected/sold to them
  • Provide at least 2 methods of communication for requesting to exercise consumer rights

As the CCPA currently only applies to ‘consumers’ (and not ‘Data Subjects’ as defined by the GDPR), certain relationships were exempt from CCPA enforcement:

  • Employee information (this includes past, current and potential employee information)
  • B2B interactions (information obtained in the course of an activity between companies)

How Is iResearch Services Complying With the CCPA?

  • We have identified iResearch Services’ role as a “Service Provider” under the CCPA, where we process personal information solely on behalf of our clients (the “Business” in such cases).
  • We have identified iResearch Services’ role as a “Business” where it processes the personal information of California consumers for its own purposes. Due to the nature of iResearch Services, its activities are typically exempt from CCPA enforcement on iResearch Services, provided it does not sell personal information of California consumers (or of any other data subjects); however may be applicable from a Lead Generation processing point of view.
  • iResearch Services has already invested significant effort and resources into its GDPR program for the right to access personal data, and has simply widened the scope of applicability to include California consumers, thereby complying with the so-called “look back” requirement to ensure that consumers are able to access their personal information covering the preceding 12-month period.
  • iResearch Services already provides technical and organizational measures for sufficiently exercising other proposed consumer rights that are similar to rights granted under the GDPR (such as the right to disclosure, deletion, and opt-out).
  • Updated our Privacy Policy, to ensure that it sufficiently addresses CCPA consumer rights and industry standard practices.
  • Introduced additional amendments to iResearch Services’ data processing addendum (DPA) and internal procedures to reflect the specific requirements of the CCPA (such as with respect to entity roles, the maximum response time and data subject verification process, and the commitments required of a Service Provider towards the Business under the CCPA).
  • Having procedures for handling suspected breaches concerning personal information, limiting the use, disclosure, and retention of personal information, and regularly conducting privacy training for all relevant members of our staff.

What’s Next?

iResearch Services closely follows developments surrounding the CCPA and the AG’s Proposed Regulations, as well as monitoring legislative developments both in California and in other US states.

If you have any further questions concerning iResearch Services’ privacy program and our ongoing efforts surrounding the CCPA, please feel free to contact our Data Protection Officer & Privacy Team at [email protected].