CCPA Overview

The CCPA in many ways can be thought of as the “American GDPR.” However, while GDPR is more about the processing of consumer data, CCPA focuses more on the commercial use of the data and runs on an opt-out basis (vs. opt-in).

The CCPA protects California residents’ personal information – even when they’re outside the state – and applies to any company that does business in California, including any for-profit entity that collects consumers’ personal data, and satisfies at least one of the following thresholds:

  • Has annual gross revenues in excess of $25 million
  • Possesses the personal information of 50,000 or more consumers, households, or devices
  • Earns more than half of its annual revenue from selling consumers’ personal information

Under the CCPA, “personal information” includes information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Recommendations for App Publishers

  1. Communicate with Your Legal Counsel. The CCPA presents novel and complex legislation, and this article is not intended to constitute legal advice. This article and all information, content, and materials available on the site are for general informational purposes only. Please communicate with your own legal counsel to understand and appropriately address your organization’s obligations under the CCPA.
  2. Review Your App Permissions and Privacy Policy. The CCPA provides consumers with important rights of access, data portability, deletion, opt-out and opt-in (for minors). You should carefully review enterprise data flows to ensure compliance with CCPA requirements. 
  3. Provide a Verified ‘Opt-out’ Mechanism. Until such time as the Attorney General of California provides additional guidance regarding identity verification, please consider establishing a secure PCI-DSS compliant process and mechanisms to validate the authenticity and validity of CCPA based requests. We recommend adopting the existing PCI-DSS standard as a default.

The CCPA and Media Impact

  1. Gimbal is putting significant effort towards CCPA compliance, including internal data flow mapping exercises, updating privacy disclosures, internal training and participation in data privacy industry groups, such as the MMA’s Location Privacy Alliance. Further, we are closely following the evolution of CCPA directives as they are issued by the AG of California.
  2. Gimbal will comply with CCPA and is proactively empowering consumers to choose how location data is utilized with our LocationChoices initiative, as explained below.

Gimbal Preparations for CCPA

  1. Commitment to Compliance. In those instances where Gimbal is a processor of Personal Information under the CCPA, Gimbal has taken steps to ensure CCPA compliance ahead of the CCPA’s effective date of January 1, 2020.
  2. Partner Requests. We are developing secure, straightforward integrations to enable partner compliance with CCPA requests, including Access, Deletion, and Opt-out requests originating from verified end-users. Please reach out to your Gimbal representative to learn more about moving forward on partner compliance integrations.
  3. Gimbal Leads Consumer Data Privacy Empowerment with LocationChoices. Gimbal is leading the industry in privacy through our LocationChoices initiative. LocationChoices is a simple app that will allow consumers to opt out of having location data used by companies that have signed the LocationChoices pledge.

Should you have any questions, please reach out to your Gimbal representative or email