Inside Mixpanel

California Consumer Privacy Act (CCPA) and user analytics: What you need to know

Peter Day Head of Global Privacy & Technology Services and Director of Legal at Mixpanel

Companies that do business with California residents are less than a month away from seeing the implementation of a sweeping new data privacy law. The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020 and hands control of personal data to almost 40 million consumers in California — about 12 percent of the U.S. population. Since the legislation passed last year by a landslide in both state houses, Mixpanel has been working hard on updating our privacy policies and also helping our customers meet their CCPA obligations.

About the California Consumer Privacy Act

The CCPA is a piece of historic legislation in that it’s the first bill of its kind to pass in the United States. Since it’s a state law, it gives California residents — which the law actually identifies as “consumers” — control over their personal information. No other state or federal law gives American consumers that amount of power over how a company handles personal data. The CCPA also unifies several user information and privacy goals. 

Under CCPA, California consumers will have the right to find out what personal information a company is collecting on them and decide whether their personal data may be stored, shared, and sold by companies that operate in the state. 

The new rights enshrined in the CCPA include:

  • The ability to request the disclosure of the information a company has collected on an individual, specifically, what information is used and shared.
  • The ability to request and see what personal information a company has sold to third parties.
  • The right to prohibit a company from selling their information to a third party via a “Do Not Sell My Personal Information” link on the site’s homepage and privacy policy page.
  • The right to have personal information deleted.
  • When CCPA rights are exercised, companies are prohibited from discriminating against the consumer by raising prices or limiting services.  
  • Once a consumer opts-out, their information is banned from being sold for 12 months.

If all of this sounds familiar, that’s because the law is similar to legislation that went into effect a month before California passed the CCPA. The European Union enacted the General Data Protection Regulation (GDPR) in May 2018. Under the GDPR, in order to collect and process personal information on EU citizens, all businesses must first obtain a user’s permission. 

The CCPA has a few significant differences. California law is limited to protecting consumers in the state. And there’s one noteworthy improvement. Some consumer rights groups suggested that GDPR-compliant companies exploited a loophole by designing privacy opt-in forms in a way that weren’t actually optional. Legislators in California made sure to include language in the CCPA that forbids such tactics.

What businesses are required to comply with the CCPA?

The CCPA applies to for-profit companies that do business in California and collect personal information from California consumers. The law also applies to companies that collect information on residents on behalf of third party businesses and services. Applicable companies must meet one or more of the following criteria:

  • Earn $25 million or more in gross annual revenue
  • Buy, collect, sell, or disclose personal information from 50,000 or more California consumers, households, or devices per year
  • Make more than 50 percent of their revenue from the sale of personal data

How is Mixpanel complying with the CCPA?

Our customers are afforded several protections under the CCPA. So for the past year, we’ve been working diligently to improve some systems, create new ones, and also ensure our customers meet their CCPA obligations as well. These will be fully implemented by the time CCPA goes into effect. 

Here are several new CCPA-compliant initiatives that we’ve been working on:

  • Enhanced Privacy and Security Awareness Program: We are updating and adding additional protections to our privacy and security training portal. All Mixpanel employees will undergo training on new data safety and handling procedures.
  • Ability to export and delete data: Mixpanel is enhancing our export and deletion tools and implementing new ones. These changes enable us to accommodate consumers’ data-handling requests under new CCPA rules. Customers will also have a way to export their data over a 12-month period.
  • New agreements tailored to the CCPA: In addition to our Privacy Shield certification and compliance under the GDPR, Mixpanel offers a GDPR Data Processing Addendum (DPA) that protects customers transferring personal data internationally. With the arrival of the CCPA, we drafted a separate DPA for the use, processing, and transfer of personal data covered under the new California legislation.

Privacy goals

Your security and privacy is our number-one concern. To that end, we commit to being transparent about how we collect and share your information. Our Privacy Policy explains in depth what information we collect and how we use it. 

As Mixpanel finalizes the implementation of CCPA-compliant policies, we are confident we will continue to be a market leader in product analytics platforms and user privacy.

If you would like more information or have any follow-up questions, please reach out to us at compliance@mixpanel.com.

Get the latest from Mixpanel
This field is required.