Accenture Affiliate California Consumer Privacy Act (CCPA) Implementation Procedure
Privacy matters to Accenture, our people and clients. Handling personal data responsibly and in line with our core values and complying with privacy laws is an essential requirement for everyone in Accenture. This procedure document will help you understand the new requirements under the California Consumer Privacy Act (“CCPA” or “Act”) which Accenture must comply with starting January 1, 2020, and what those requirements mean to you.
CCPA requires organizations, including Accenture, to provide California residents with new privacy rights, and to inform individuals about those new rights prior to the processing of their Personal Information.
Accenture is required to inform California residents if we provide such data to third parties in exchange for a benefit, which is called a “Sale” under CCPA. Sale is broadly defined as monetary or other valuable consideration which includes instances where the data shared as an inducement to work together even though no money is exchanged. To help determine whether a Sale is occurring, please see the Appendix.
If there is a Sale, Accenture must provide California residents the right to exercise Do Not Sell My Information rights under California law regarding their Personal Information– (i.e. refuse) of the Sale of their Personal Information. They can do so at Accenture by being redirected to Accenture’s Data Privacy application – One Trust (see Step #1) or by calling 1-844-833-2556 during the standard Pacific Standard Time (PST) office hours (only available in English). This document will help you to understand if you have to comply with the requirements of the Act and how to implement the required link and privacy statements to allow individuals to opt out of a selling of their personal information.
In case of a “do not sell” opt out, Accenture must stop sharing such data with third parties.
To identify if you are falling under the requirements of the Act, please read through the following:
If you use Personal Information of California residents for your activities in relation to your project or work, then CCPA requirements apply. Accenture must provide such privacy rights (including the right of information, access and deletion, which Accenture offers already globally through Policy 90) and inform the individuals about those rights prior to the processing of their Personal Information. Accenture has modified its external Privacy Statement to address the additional CCPA privacy rights and has also developed a process to address these rights when exercised by the California resident.
There are further requirements that apply when the processing is considered a “Sale” to a third party. The term “Sale” is defined quite broadly, however, it always requires the disclosure of data to a third party and a benefit for the disclosing company.
The following two questions below will guide you to determine if your processing is a Sale. You can also use our decision tree in the Appendix which will help you to make a determination.
A disclosure of Personal Information is any provision of Personal Information to another unaffiliated company or business. Any Personal Information that is intentionally made available to a third party may constitute a disclosure (in comparison to an unintentional disclosure which may be considered a breach)
Examples of Disclosure: If Accenture provides a website user’s IP addresses to a data analytics company to analyze website traffic, that would constitute a disclosure of Personal Information. Or if Accenture grants a vendor access to its email marketing lists so the vendor can send marketing emails on Accenture’s behalf, that would also constitute a disclosure of Personal Information.
If the third party works as a Service Provider and the Personal Information was disclosed for this reason, such disclosure will NOT fall into the definition of a Sale. To be a Service Provider, the third party is not allowed to use the Personal Information for any purposes other than for the provisioning of services to Accenture. They must agree to this requirement in writing within the contract. If the Service Provider wants to use the Personal Information in any other way not covered by the existing service provider contract, then they will be considered a “third party” and not a Service Provider.
Example: Accenture uses Archer for project management purposes, subject to a contract that restricts RSA Security owning Archer from selling any Personal Information received from Accenture or from otherwise using the Personal Information outside of the business relationship between Archer and Accenture. This disclosure would not be a “Sale” because it would fall within the exception for disclosures to Service Providers for business purposes.
Example: Accenture sends email addresses to a vendor to send marketing emails on Accenture’s behalf. Such information is necessary for the vendor to do its job but is not the motive or inducement for the engagement with Accenture (especially if the vendor is restricted from retaining the email addresses or using them other than to provide services to Accenture). The exchange of the emails here is not part of the bargained-for exchange between Accenture and the vendor, and the disclosure to the vendor is therefore not a “Sale.”
If there is a disclosure, but you are unclear whether the third party qualifies as a Third Party, please move to the next question:
A benefit can be any “bargained-for” exchange where the disclosure of Personal Information is part of what motivates or induces the parties to enter into an agreement.
Example: Accenture grants a data broker access to Personal Information with rights to resell that information to the data broker’s other clients. In exchange, the data broker grants Accenture access to its own data derived from other clients. The exchange of Personal Information here is part of the bargained-for exchange between Accenture and the data broker, and the disclosure to the data broker would constitute a “Sale.”
Example: I Accenture were to share or license Personal Information for a monetary payment (or a discount on services), then there would be a Sale. However, there may be a Sale even if there is not monetary consideration but rather other valuable consideration, i.e., another business benefit received by Accenture in exchange for the Personal Information. For example, even if Accenture is sharing Personal Information with a client in the context of providing “free” services to the client, there could still be “other valuable consideration” present if the client’s receipt of Personal Information forms part of a promise to engage in future business or otherwise induces future Accenture work for the client.
Please note, however, disclosures of Personal Information to a third party are not a “Sale” when the individual agrees to the disclosure of the data to the third party.
Example: A user clicks one of the social media sharing buttons on the bottom of Accenture.com, and by virtue of the click, the user’s IP address and the fact that the user came from Accenture.com is disclosed to the social media provider. This disclosure would not be a “Sale” because it would fall within the intentional interaction exception.
Nevertheless, you can only rely on the individual’s behavior if such behavior clearly and unambiguously shows the intent to have such interaction. Hovering over, muting, pausing, or closing certain content on a website does not constitute a consumer’s intent to interact with a third party. As intentional interaction can be difficult to determine, relying on this approach should therefore be the exception.
1. Add a Do Not Sell My Personnel Information hyperlink to your United States pages footers, which redirects to the CA Residency Confirmation Page on Accenture.com: https://www.accenture.com/us-en/form-do-not-sell-my- personal-information
Note the following:
i. This link is in production since 12/27/2019
ii. Individuals that confirm they are California residents through this page will then be redirected to submit their information for validation prior to the information being added to the Accenture Do Not Sell Master Suppression List (for more information see Step #4 below).
4. All applications that meet the definition of “selling personal information”, are required to:
a. have existing and future business and/or technical process that meet the standard of selling personal data updated to always reference Accenture’s Do Not Sell Master Suppression List prior to proceeding with the corresponding business procedure or technical process that sells information
b. check if an individual’s information is listed in the Accenture Do Not Sell Master Suppression List. When an individual’s information in the in-scope application’s database of personal information matches the personal information (First Name, Last Name, and physical address or e-mail address) on the Accenture Do Not Sell Master Suppression List, all information associated with the corresponding individual’s personal information MUST BE EXCLUDED from any processes of selling that personal information.
Note: The Accenture Do Not Sell Master Suppression List can be accessed by going directly to the OneTrust application and using the following instructions:
a. Click on the icon in the header
b. Select “Reports” from the dropdown list
c. Select the button “Accenture Master Suppression List” from the list of Report Names
d. The list can be viewed within the web browser or exported by selecting the ‘Export’ button at the top right
If you have any privacy related question with regard to the required changes, please use our DP tool to log your request.
Personal Information: similar to “personal data” as defined by Accenture Policy 90 as information which makes an individual directly or indirectly identifiable.1 Some examples include name, email address, health history, biometric information, identification numbers, location data, online identifiers (e.g., IP address), photos, and social networking website posts. (See Appendix chart for Categories of Personal Information.)
Sale or Selling: The term “Sale” or “Selling” is defined as a disclosure of Personal Information that is exchanged for monetary or other valuable consideration to a third party which is not a Service Provider.
1. A disclosure of Personal Information: Any making available for Personal Information to a third party.
Example: Accenture provides website user IP addresses to a data analytics company to analyze website traffic, that would constitute a disclosure of Personal Information. Or if Accenture grants a vendor access to its email marketing lists so the vendor can send marketing emails on Accenture’s behalf, that would also constitute a disclosure of Personal Information.
2. That is exchanged for monetary or other valuable consideration: This means that the Personal Information disclosed must be part of the bargained-for-exchange between the parties. However, there may be a Sale even if there is not monetary consideration but rather other valuable consideration
Example: Accenture is sharing Personal Information with a client in the context of providing “free” services to the client. This may be considered “other valuable consideration” if the client’s receipt of Personal Information forms part of a promise to engage in future business or otherwise induces future Accenture work for the client.
3. To a third party: A “Sale” requires that Personal Information be disclosed to either “another business” or a “third party.” Therefore, a disclosure of Personal Information is not a “Sale” unless the information is provided to a third party. For instance, disclosures within a single “business” do not constitute a “Sale” because that is not a disclosure to “another business” or a “third party.” “Business” is defined to include entities that:
(1) control or are controlled by the business; and
(2) share common branding, such as by sharing a name, service mark, or trademark.
As such, disclosures of Personal Information among Accenture affiliates are not “Sales” as long as those affiliates share common branding. But where two Accenture entities do not share common branding, disclosures between those Accenture entities could constitute a “Sale” because they may be treated as two separate “businesses.” For example, if Accenture LLP provides Personal Information to Accenture Inc., those parties should be understood as commonly branded and therefore as part of the same business.
Accenture Affiliate: Accenture majority owned entity.
Service Provider means any third party or company which is working on behalf of Accenture to provide services to Accenture or Accenture’s clients provided that the applicable contract with the service provider restricts them from any Sale of the Personal Information (or other usage that is not compatible with the business purposes for which Accenture disclosed the information).
1 Policy 90 defines “personal data” as “information which makes an individual directly or indirectly identifiable.” Typical examples include employee names or email addresses, vendor and client contract details and recruitment and alumni data. This also would include information associated with bb) identifiable households, such as physical addresses and connected household appliance usage information, such as Smart TV behavioral data.