California Consumer Privacy Act

What is the CCPA?

The California Consumer Privacy Act is a California law which enhances privacy and consumer protection rights for California residents.  The law went into effect on January 1, 2020 and requires businesses to disclose how they handle consumer data. 

The Purpose of the CCPA?

The purpose of the CCPA is to grant California residents (“Consumers”) greater privacy and consumer protection, and greater control over how companies handle their personal data.

Before or at the time of collection, the business must inform Consumers about the personal information categories it collects, intended use for the categories, and if the business sells personal information, provide a link to a  “Do Not Sell My Personal Information” option and privacy notices.

Under the CCPA, Consumers have the right to opt-out of the sale of personal information to third parties. The business must provide two opt-out methods including an interactive form accessible online through a “Do Not Sell My Personal Information” or “Do Not Sell My Info” link in a clear and conspicuous location on its website or mobile application. Further, the business may not request reauthorization to sell a Consumer’s personal information for at least 12 months after the Consumer opt-out, with some exceptions.

The Scope of the CCPA?

Any business that processes the personal information of consumers in California are subject to the CCPA.  The CCPA defines business as any for profit entity doing business in California that:

• Has annual gross revenues of at least 25 million USD per year
• Annually buys, sells, receives, or shares personal information from at least 50,000 Consumers, households, or devices, or
• Makes over 50 percent of its gross annual revenue from selling personal information

Data Collection

How does Bombora create its products?

• Bombora creates services from data collected by its proprietary Bombora Data Cooperative.  Each member of the Data Co-op (“Co-op Member”) contributes data by deploying a javascript or pixel tag provided by Bombora (“Bombora Tag”)  on their web properties. A web property is a point of presence (e.g., a website, advertisement, blog) on the web that is an asset of a company used for the purpose of representing a brand. 

What data does Bombora collect?

• Bombora collects unique identifiers, such as cookie ID or hashed email; IP address and information derived from the IP address, such as city and state; engagement level data, such as dwell time, scroll depth, scroll velocity, and time between scrolls; page URL and information derived therefrom such as content, context and topics; referrer URL; browser type and operating system.   

Does Bombora collect Personally Identifiable Information (PII)?

• Bombora does not collect Personally Identifiable Information. Bombora collects Cookie IDs and IP addresses, including engagement metrics.  The data Bombora collects is not PII because at collection the data is  aggregated to create a profile of a company, not an individual.

How is Consent Collected?

• Although Opt-in is not required for CCPA, Bombora has implemented the concept of privacy by design. Bombora has adopted the Interactive Advertising Bureau (IAB) Transparency and Consent Framework (TCFv2) and encourages all Co-op Members to participate.
• Pursuant to TCF protocols, the Bombora Tag sits behind the Consent Management Platform  (“CMP”) on each Co-op Member web property. When you visit a Co-op Member web property, the Co-op Members’ CMP collects your explicit informed consent or offers an opt-out. After you provide consent, , the Co-op Member passes the consent string to Bombora, for the purposes you have granted. You can revoke your consent to Bombora for any or all purposes previously granted at anytime Here.  

Bombora is member #163 of the IAB Transparency and Consent Framework. For more information, here is an IAB TCF factsheet. 

• Co-op Members agree to present their website visitors with the option to consent (and, in some jurisdictions, opt-out) when each visitor lands on the Co-op Member’s web property. 
• The Bombora Tag does not collect data unless it receives the appropriate consent signal (where applicable).  The Co-op Member collects and records consent from the user in a consent-based model including Bombora and its purposes. Bombora logs the consent from the hosting site via the IAB Transparency & Consent Frameworks as registered vendor #163. This could involve including Bombora’s Purposes in a Consent Management Platform and privacy policy.

Bombora’s approach to the CCPA?

Under the CCPA Bombora considers itself to be a Service Provider. Our core products are:

• Company Surge® Analytics – is a Data as a Service report listing Domain Name (a company URL), Topic (created by Bombora from aggregated data) and Company Surge® Score (created by Bombora from aggregated data).
• Audience Verification (AV) –  is a feature of the Bombora Measurement product suite that provides insights and visibility into B2B digital advertising and Account-Based Marketing.
• Visitor Insights (VI) –  is a feature of the Bombora Measurement product suite that provides demographic and firmographic insights about the company visiting a VI Subscriber’s website
• Visitor Track  – integrates predictive marketing, demand generation, and web analytics into a powerful application to drive more prospect opportunities from existing website visitor traffic – it’s like “Caller ID for Your Website®.”
• Syndicated Segments –  are preset audience segments available and sold by third party data exchange and programmatic platforms. Syndicated Segments can contain data that is unique to Bombora, provided to Bombora by third party data suppliers, or some combination thereof.
• Custom Audience Segments – are bespoke audience segments that are created specifically for a single advertiser/agency using Bombora’s Digital Audience Builder directly or in conjunction with an internal services team

Bombora manages a cooperative of Business to Business (“B2B”) Publishers, referred to above as the Bombora Co-op. Bombora has direct relationships with the Co-op Members contributors to ensure that the data is collected in a privacy-compliant consent-based manner. Bombora does not sell or share consumer personal information because Bombora links all data and identifiers collected to the Domain (URL Address) or Name of a Company. We profile companies not consumers.      

Your Rights and Choices

The CCPA provides Consumers with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Any disclosures we provide will only cover the 12-month period preceding the verifiable Consumer requests. The response we provide will also explain the reasons we cannot comply with a request, if applicable. Please note that because most of the information we store can only identify a particular browser or device, and cannot identify you individually. To help protect your privacy and maintain security, we take steps to verify your identity in OneTrust. Making a verifiable Consumer request does not require you to create an account with us.  Before granting you access to your personal information or complying with deletion, portability, or other related requests, you will need to provide us with some additional information to enable us to identify the personal information we hold about you and ensure that we accurately fulfill your request. 

California residents (or your authorized representative) may exercise your rights described in this section by visiting a privacy request form to exercise and the right to know (the data we may have on you) and the request to delete (the data we may have on you) . Click here to opt-out of the sale of your personal information. You can also exercise these rights by emailing privacy@bombora.com with the subject “CA Privacy Rights”.