What is CCPA?

The California Consumer Privacy Act (CCPA) is a law intended to protect California residents' privacy in a GDPR-like fashion. The law became effective on January 1st, 2020, and has been fully enforceable since July 1st, 2020. Tutela fully supports this law and other laws that protect digital privacy.


Is Tutela CCPA Compliant?

Yes! As a company whose livelihood depends on data and its proper treatment, Tutela takes data privacy and security very seriously. We take proactive steps to go above and beyond basic privacy and data protection requirements.

The following information will focus on how Tutela is CCPA compliant when it comes to the information that our software (SDK) collects while running in the background of popular mobile apps and games. While we’re not in a position to offer legal advice, we invest heavily in compliance and work with PwC and others to review our privacy practices on a regular basis.


What counts as “Personal Information” under CCPA?

Under CCPA, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA further details that personal information can include, but is not limited to, data that falls under certain categories such as Identifiers, Commercial Information, and Biometric Information.

CCPA uses a broad definition of personal information that includes direct identifiers like name, social security number, and email address, but, similar to GDPR, it also extends to things like IP addresses and geolocation data.

However, the CCPA clarifies that “Personal information” does not include consumer information that is de-identified or aggregate consumer information.

This is further underlined in section 1798.145(5), where it’s confirmed that the CCPA obligations don’t restrict a business’s ability to “Collect, use, retain, sell, or disclose consumer information that is de-identified or in the aggregate consumer information.”

The CCPA definition of “de-identified” is:

… information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses de-identified information:

1. Has implemented technical safeguards that prohibit re-identification of the consumer to whom the information may pertain.
Tutela has done this

2. Has implemented business processes that specifically prohibit re-identification of the information.
Tutela has done this

3. Has implemented business processes to prevent inadvertent release of de-identified information.
Tutela has done this

4. Makes no attempt to re-identify the information.
Tutela never attempts to re-identify information


Are businesses allowed to collect Personal Information?

Yes. The purpose of the CCPA is to give consumers more control over the personal information that businesses collect about them. So as long as a business abides by the CCPA regulations and respects the privacy rights of California consumers, collecting personal information is completely fine.


What does Tutela do to ensure CCPA compliance?

We take technical and organizational measures to de-identify and/or aggregate the information we collect, and as a result ensure it is not personal information and not subject to CCPA guidelines.

Additionally, through an abundance of transparency, care, and respect for the privacy and security of consumer information:

  1. We are proactive about data minimization. Collecting less data is one of the easiest ways to reduce the risk to consumers. We only collect the data that is necessary for us to help telecoms companies around the world understand and improve network speeds and network coverage.

    a. We do not collect any direct identifiers (including no user IDs, names, addresses, or emails)
    b. We do not collect any persistent device-based IDs (including no mobile advertising identifiers)
  2. We run privacy impact assessments, and regularly consult with legal advisors who are experts in Privacy and Data Security.

  3. We treat all data we collect in accordance with the CCPA guidelines, and make it easy for consumers to exercise their rights.

Beyond de-identifying and aggregating data to make it no longer a form of personal information, here are the additional measures we at Tutela take to comply with key CCPA consumer rights:

 

The Right to Notice

What is the Right to Notice?
Before a business collects personal information from a resident of California, it should provide them notice that it will do so, and explain the purposes for which the information will be used.

How Tutela complies with CCPA Notice at Collection requirements:

  1. Our app partners include a disclosure notice in the privacy policy that is accessible via their app’s download page on the app store(s)

  2. Our app partners also add an in-app just-in-time notice (see examples below)

Our experience shows that users are happy to provide network experience data if it helps to reduce advertisements, support their favourite apps, improve mobile signals, and does not affect their in-app experience or device performance. Our partnerships team helps apps ensure that all appropriate notices are provided through collaborative discussion and our Privacy & Compliance Checklist.

Example implementation

The screenshots below show examples of in-app just-in-time notices.

In-app notice examples

The Right to Access (The Right to Know)

What is the Right to Know?
Consumers have the right to ask a business to disclose what personal information it has about them and what it does with that information.

How Tutela complies with CCPA Right to Know requests:
Because of the measures Tutela takes to de-identify data and prevent user identification, we have not determined a reliable method to identify data that relates to an individual’s device (we don’t know if we’ve ever collected data from their phone, because our data does not identify any person or device).

Instead we respond by informing consumers of these measures, and directing them to the information on Tutela’s general collection, use, and sharing of personal data contained in our Privacy Charter.

 

The Right to Request Deletion

What is The Right to Request Deletion?
Consumers have the right to ask businesses to delete personal information collected from them (with some exceptions). A business shall comply with a consumer’s request to delete by one of: (a) permanently deleting, (b) de-identifying, or (c) aggregating the personal information.

How Tutela complies with CCPA Deletion requests:
Because of the measures Tutela takes to de-identify data and prevent user identification, we have not determined a reliable method to identify data that relates to an individual’s device (we don’t know if we’ve ever collected data from their phone, because our data does not identify any person or device).

Instead we respond by informing consumers of these measures, providing opt-out instructions, and directing them to our Privacy Charter.

 

The Right to Opt-out

What is The Right to Opt-out?
Consumers have the right to opt out of the sale of their personal information.

How Tutela complies with CCPA Opt-out requests:
We provide procedures to support consumers' right to opt out at any time, as outlined in the Tutela Privacy Charter and at tutela.com/opt-out.

Our SDK also provides API methods for starting and stopping data collection, which our app partners can choose to associate with in-app functionality, for example CMP preference callbacks or custom functions.


In Summary

We’ve built our business with the intent to be CCPA compliant, we help our app partners ensure CCPA compliance with respect to Tutela through collaborative discussion and our Privacy & Compliance Checklist, and we take the privacy of all mobile application users very seriously. Tutela’s business model is to help organizations in the mobile industry understand and improve the world’s networks, not to exploit personal data. This makes us the perfect partner for apps looking to supplement revenue while respecting user privacy.


Disclaimer: The information on this page is not legal advice, nor is it a replacement or substitute for your own review, and we cannot assume any legal liability. We have received our own legal advice, and this page is our interpretation of the law. If you have any concerns regarding CCPA compliance, please forward this page to your legal team or contact us at partners@tutela.com.



Earn CCPA-compliant revenue from your mobile apps


Applications are currently open to join Tutela’s App Partner Program. Revenue made with Tutela is ad-free, respects user privacy, and is fully compatible with your existing app monetization strategies.

Interested? Contact partners@tutela.com or visit tutela.com/app-developers to learn more, supplement revenue, and help improve mobile internet in the regions your app is popular.