As an industry-leading technology provider, we help enable compliance and ensure the security of your data and that of your customers. In today’s privacy-centric data economy, brands can form closer connections with consumers than ever before by building trusted relationships. Therefore, it is vital to protect information being shared across platforms and connected devices while also empowering consumers with choice.
The California Consumer Privacy Act (CCPA) represents a significant shift in state-side consumer data privacy legislation, with implications for brands serving and targeting consumers in the state of California.
For answers to important questions about your business, Kochava, and the CCPA, visit our CCPA FAQ.
CCPA requires brands to provide consumers with a comprehensive description of their online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information. Privacy policies must be designed and presented in a way that is easy to read and understandable to an average consumer. Unlike Europe’s General Data Protection Regulations (GDPR), which required app developers to “ask consumers for consent,” the CCPA requires developers to provide consumers a mechanism to “opt-out” from having their personal data sold, with stricter “opt-in” mechanisms for minors. Full legislation here.
The CCPA took effect on January 1st, 2020, with enforcement commencing no later than July 1st, 2020.
Kochava complies with the CCPA in its capacity as a “service provider” in providing Kochava Measurement services.
Kochava complies with the CCPA in its capacity as a “business” in providing Kochava Collective services.
As an acting member of the Interactive Advertising Bureau (IAB), Kochava is enacting the IAB’s CCPA Compliance Framework within our native measurement SDKs, and requires data suppliers contributing to the Kochava Collective to pass appropriate privacy string signals.
The General Data Protection Regulation (“GDPR”) creates consistent data protection rules across Europe. It applies to companies that are based in the EU and global companies like Kochava that process personal data about individuals in the EU. Kochava is, and will continue to be, compliant with all data privacy laws across the globe. We are committed to complying with GDPR legislation and collaborating with partners to facilitate compliance.
We thought it would be helpful to provide the context upon which Kochava delivers its services to clients in order for you to better understand how Kochava complies with GDPR and treats client data.
Kochava provides a number of different services to clients:
A comprehensive set of data analytics and attribution tools
The characteristic Kochava Measurement client is a company that has created an app and wants to measure every aspect of an advertising campaign promoting it. The Kochava Measurement client enters into a contractual relationship with Kochava, which allows the client to embed Kochava software (an “SDK”) into its app. The client customizes the SDK to collect certain data derived from the app. Kochava processes this data on behalf of the client and visualizes it on a private dashboard for the client’s analysis. The client pays Kochava a fee for providing this service. The data remains the exclusive property of the client at all times.
A mobile audience marketplace
The characteristic Kochava Collective client is a company that has created an app and wants to advertise it to specific audiences. The Kochava Collective client enters into a contractual relationship with Kochava in order to access a mobile audience marketplace and use the data therein for advertising purposes. The client browses the marketplace and builds custom audiences based on data attributes associated with mobile devices. The client then chooses among partnering ad networks to activate an ad campaign directed to those mobile devices. Kochava is paid a fee for providing this service. Kochava populates the marketplace with data from its Free App Analytics clients and third-party suppliers.
Free App Analytics
A limited set of free data analytics and attribution tools, made available in return for your contribution of data to the Kochava Collective marketplace
The characteristic Free App Analytics (“FAA”) client is a company that has created an app and wants to measure the performance of an advertising campaign promoting it. The FAA client enters into a contractual relationship with Kochava, which allows the client to embed Kochava software (an “SDK”) into its app. The client customizes the SDK to collect certain data derived from the app. Kochava processes this data on behalf of the client and visualizes it on a private dashboard for the client’s analysis. Instead of the client paying Kochava a fee for this service, the FAA client allows Kochava to use the data for Kochava’s own purposes. There are two distinct differences between Kochava Measurement and FAA: (1) The FAA client has access to a limited set of data analytics tools, whereas the Kochava Measurement client has access to the full suite of tools; and (2) the FAA client receives the service free of charge in exchange for granting first-party data rights to Kochava, whereas the Kochava Measurement client pays Kochava a fee for services without granting additional data rights. Kochava does not, and will not, determine the purposes or means of processing personal data of European data subjects for any of its clients. As such, Kochava operates exclusively as a Data Processor under GDPR across each of its business units.
|Business Unit||Role||Legal Basis|
|Kochava Measurement||Data Processor||Kochava processes data on behalf of its clients.|
|Kochava Collective||n/a||The Kochava Collective audience marketplace does not include data derived from EU data subjects.|
|Free App Analytics||Data Processor||Kochava processes data on behalf of its clients. Kochava does not transfer data derived from EU data subjects into the Kochava Collective audience marketplace.|
In its capacity as a Data Processor, Kochava adheres to the rules of the GDPR as follows:
Data Protection by Design
The Kochava Measurement and FAA service platforms (“Platform”) are designed to enable clients to:
- Determine which personal data the Platform processes;
- Limit the collection of personal data to that which is adequate, relevant, and necessary for the purpose of which they are processed;
- Manage the retention periods of personal data; and
- Destroy personal data.
Data Protection by Default
The Platform is designed to:
- Process personal information in conformance to the instructions provided by the client;
- Collect only the personal data that are necessary for fulfilling the purposes of which they are processed;
- Make personal data accessible only to a limited number of people whose job requires such access; and
- Ensure a level of security appropriate to the risk of processing personal data.
Collection of "Sensitive" Personal Data
Kochava contractually prohibits its clients from utilizing the Platform to collect, process, or otherwise handle sensitive personal data.
Kochava does not keep personal data any longer than is necessary for the purposes for which it is being processed. Kochava deletes personal data after a client’s contract has expired or has been terminated.
Kochava will continue to promptly inform clients of incidents involving personal data in line with the data incident terms in our current (and any subsequently updated) agreements. Kochava maintains, and will continue to invest in, advanced threat detection and avoidance technologies, as well as a rigorous 24/7 incident management program to help identify and respond to security or privacy events (and any personal data breaches under the GDPR) without delay.
Kochava is audited annually by an independent third party against GDPR and ISO/IEC 27001:2013 standards.
Kochava ingests client data to its cloud servers from locations across the world. Upon ingestion, Kochava transfers the data to its secure processing facility located in the United States. Kochava is certified under the EU-U.S. Privacy Shield frameworks, which is a legal mechanism to enable the transfer of personal data from the European Economic Area to the US, where certified organizations guarantee to provide a level of protection in line with EU data protection law. See more here.
Kochava also offers clients EU-approved Model Contract Clauses upon request.
Kochava will, in addition, continue to monitor the evolution of international data-transfer mechanisms under the GDPR, and is committed to having an ongoing lawful basis for data transfers in compliance with applicable data protection laws.
Kochava does not subcontract any of its processing operations to a subprocessor in the absence of a written agreement which contractually obligates the subprocessor to adhere to all applicable GDPR data processing requirements.
Opt-Out & Right to be Forgotten
You may click here click here to be redirected to the Kochava web page dedicated to providing guidance on opting out of interest-based advertising.
In order to protect your privacy, Kochava has engineered its systems to not collect identifying information such as email, name, and phone number. However, GDPR considers mobile device identifiers and IP addresses to be “personal information.” A mobile device identifier is a unique string of 30+ numbers associated with your device (e.g., cell phone). An IP address is a series of numbers separated by periods that identifies each computing device using a particular “Internet Protocol” at a given time to communicate over a network.
If you are concerned that Kochava has this information, we will be happy to delete it from our systems upon request. You may submit a request to delete all your personal information by emailing Kochava at firstname.lastname@example.org or by contacting the legal department via telephone at 855-562-4282. However, please bear in mind that when you contact Kochava with such a request, because of the precautions we have proactively taken to protect your privacy, you are actually volunteering more personally identifying information to Kochava as a result of lodging the request than Kochava would have ever had prior to you initiating contact.Opt Out Policy
In its capacity as a processor of personal data, Kochava will ensure its contractual agreements with clients require the parties to adhere to the respective obligations of controllers and processors. Furthermore, Kochava will enter into data-processing agreements with clients where required.
Our Consent Management Platform can help you comply with CCPA as a business and GDPR as a data controller.
Standards, Regulations & CertificationsKochava and Trusted Partners?
Comprehensive controls over security and risk management
A framework for transferring and processing EU data in the US
Kochava is a registered member of the Trustworthy Accountability Group
Controls over financial reporting
Controls over security, availability, and confidentiality
Public report of controls over security, availability, and confidentiality
Securing cloud computing environments.
German standard for information security of cloud services.
Service Level Standards
The Kochava Platform will operate and otherwise comply and function in all material respects on an uptime basis of 99.99% over a rolling annual basis. If an incident disrupts the client’s use of the Platform, then Kochava shall respond as follows:
- Critical Priority Incident rendering the Platform inoperative: Kochava shall respond to Company within one hour of notice and immediately begin replicating and verifying the problem.
- High Priority Incident degrading the operations and use of the Platform: Kochava shall respond to Company within four hours of notice and immediately begin replicating and verifying the problem.
- Medium Priority Incident affecting the operations of, but not degrading, the Platform: Kochava shall respond to Company within six hours of notice and immediately begin identifying and verifying the problem during normal business hours.
- Low Priority Incident having a minor impact on the operations of the Platform- Kochava shall respond to Company within eight hours of notice if alerted between 6:00 a.m. – 8:00 p.m. PST Monday through Friday and begin identifying and verifying the problem within two business days.
On January 1, 2020, California’s new privacy law, the California Consumer Privacy Act of 2018 (“CCPA”), became effective. The CCPA provides broad rights to California residents regarding how their data is collected, held, processed, licensed and sold. Residents of California now have the right, among others, to know what of their personal information is sold or disclosed to third parties, the right to access their personal information that businesses have collected, the right to opt out of the sale of their personal information, and the right to delete of all their personal information (the “right to be forgotten”).
You may exercise your rights with respect to any personal information contained in the Kochava Collective by contacting Kochava at email@example.com or by calling 855.562.4282.
Information Kochava Collects
Kochava collects a variety of information that is considered personal information. “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information does not include deidentified or aggregated consumer information.
Kochava collects personal information from third party data providers, such as data brokers or through contractual relationships with its Free App Analytics? customers. Kochava collects personal information for business and commercial purposes including: enhancing Kochava’s and Kochava’s partners’ products and services; fraud prevention; analytics; advertising enhancement; any other purpose not prohibited by applicable laws or privacy regulations, including the CCPA.
Categories of personal information that Kochava collects:
Kochava has collected the following categories of personal information from consumers within the last twelve (12) months:
- Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, device identifiers, or other similar identifiers;
- Commercial information such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Internet or other electronic network activity information such as device data (including the names of the apps installed on your device), browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement, including device ID’s and Mobile Advertising IDs;
- Geolocation data such as physical location or movements;
- Inferences such as any inferences drawn from any of the information collected to create a profile about the consumer (e.g., demographics).
Information Kochava Sells
Under the CCPA, “sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. Kochava has disclosed and sold personal information to third parties for business and commercial purposes in the preceding twelve months. Kochava does not, to the best of its knowledge, collect or sell the personal information of minors under 16 years of age.
Categories of personal information that Kochava sells to third parties:
- Device ID
- IP Address
- Hashed Email
- App Activity
Internet or other electronic network activity information
- Browsing & Search History
- Device attributes (make, model, operating system, etc.)
- Geo Location
Inferences drawn from any of the information collected to create a profile about the consumer
- Behavior & Interests
Categories of third parties to whom Kochava sells personal information:
- Advertising Agencies
- Financial Institutions
- Data Platforms and Data Brokers
- Data Analytics Providers
Your Rights and Choices
Right to Opt-Out
You have the right to direct Kochava to not sell your personal information to third parties at any time. This is referred to as your “right to opt-out.” Kochava only shares information as outlined herein. If you choose to opt-out of the sharing of your personal information, Kochava will no longer send your personal information to third parties. You can choose, at any time, to opt back in to the sale of your personal information. To opt-out of (or opt back in to) the sharing of your personal information with third parties, please submit at opt-out request to firstname.lastname@example.org. Once you exercise your right to opt-out, Kochava will wait at least twelve (12) months before asking you to reauthorize the sale of your personal information.
Right to Know
You have the right to receive information about the types of personal information that Kochava collects, uses, discloses, and sells. Specifically, this right allows you to ask Kochava for the following information: (a) the categories of personal information that Kochava collects about you; (b) the categories of sources from which Kochava has obtained personal information about you; (c) Kochava’s business or commercial purpose for collecting or selling your personal information; (d) the categories of your personal information that Kochava sells to third parties; (e) the categories of third parties that Kochava sells your personal information to; and (f) the specific pieces of personal information that Kochava has collected about you. Kochava must disclose this information to you when you exercise your right to know, subject to proper verification of your request. If Kochava has shared your personal information for, both, business and commercial purposes, Kochava will provide you two separate lists: (a) one that identifies disclosures for business purposes and the personal information categories that each category of recipient obtained; and (b) one that identifies sales and the personal information categories that each category of recipient purchased.
Right to Access
In addition to your right to know about your personal information, as listed above, you have the right to request access to all the categories of personal information that Kochava has collected about you, and all the specific pieces of personal information that Kochava has collected about you. When you exercise this right, the information that Kochava provides to you must be in a portable and readily readable format.
Right to be Forgotten
You have the right to request that Kochava delete any personal information it has collected about you, subject to certain exceptions for business purposes. Once Kochava receives and confirms your verifiable consumer request, Kochava will delete your personal information from its records, unless an exception applies.
Kochava may deny your deletion request if retaining the information is necessary for Kochava or its service providers to:
- Complete the transaction for which Kochava collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with Kochava.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Exercising your Rights to Know, Access, and be Forgotten
To exercise your rights to know, access, and be forgotten described above, please submit a verifiable consumer request to Kochava by either:
- Calling 855.562.4282.
- Emailing email@example.com.
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request to know or for access twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows Kochava to reasonably verify you are (a) the person about whom Kochava collected personal information or (b) such person’s authorized representative.
- Describe your request with sufficient detail that allows Kochava to properly understand, evaluate, and respond to it.
Kochava cannot respond to your request or provide you with personal information if Kochava cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with Kochava. Kochava will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Response Timing and Format
Kochava endeavors to respond to a verifiable consumer request within 45 days of its receipt. If Kochava requires more time (up to 90 days), it will inform you of the reason and extension period in writing. Kochava will deliver its written response by mail or electronically, at your option. Any disclosures Kochava provides will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response Kochava provides will also explain the reasons it cannot comply with a request, if applicable. For data access requests, Kochava will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
Kochava does not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If Kochava determines that the request warrants a fee, Kochava will tell you why it made that decision and provide you with a cost estimate before completing your request.
Right to Non-Discrimination
You have the right to non-discrimination if you exercise any of your rights under the CCPA. If you exercise your rights under the CCPA, Kochava will not do any of the following: (a) deny you any goods or services; (b) charge you a different price or rate for Kochava’s goods or services, including through the use of discounts or other benefits or imposing penalties; (c) provide to you a different level or quality of goods or services; or (d) suggest to you that you will receive a different price or rate for Kochava’s goods or services or a different level or quality of Kochava’s goods or services.
However, Kochava may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive Kochava offers will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.
Kochava’s Contact Information
201 Church Street
Sandpoint, Idaho, 83864