Determining Your Collection Sources
The CCPA requires businesses to identify the categories of sources from which they collect personal information. Though only the category names will show up in your privacy notices, Polaris also tracks the names of the individual sources. This will make it easier to review and update the list later.
Only include sources of non-aggregate information, i.e., information that can be associated with a particular consumer. For example, if you receive advertising performance data from an ad network, but it’s all statistics that can’t be linked to any individual, this is not considered personal information and you can disregard it.
For most businesses, the consumers themselves are the primary source of personal information, so every list will contain “Consumer” as a Collection Source by default.
Here are the other categories:
Social Networks
Many websites will have a “social login” function, where users can sign in using their accounts with social networks such as Facebook, Google, and Twitter. The social networks then send information about the user to the business, so they should be considered a Collection Source.
Online Retail Partners
Businesses that sell products online through a retail partner like Wal-Mart or Amazon and receive information about their customers through that partner should count that partner as a Collection Source.
Data Brokers
This category includes data exchanges and data collectives. If your business purchases personal information or receives personal information as part of an exchange (e.g., to generate sales leads or enhance customer profiles), categorize the other party as a Collection Source.
Data Analytics Providers
If your business receives from an analytics provider personal information that was collected outside the context of the consumer’s use of your business’s own website or app (e.g., data related to the consumer’s interactions with third-party websites), and that information can be associated with a particular individual, then the analytics provider should be listed as a source.
Ad Networks
If you use ad networks to deliver ads to consumers on other websites, these may be a data source if your business receives personal information that can be associated with a particular individual.
Internet Service Providers
If your business purchases or receives personal information about consumers from internet service providers, you should list them as sources.
Data Recipients as Collection Sources
The line between Data Recipients and Collection Sources can be a little unclear sometimes. When deciding how to classify a vendor or other outside party, consider the context in which the personal information was collected, as well as the consumer’s expectations. Is the vendor merely processing the information on your business’s behalf? Did the consumer intend to provide their personal information specifically to your business? If so, the consumer should be considered the Collection Source, even if another party acted as an intermediary.
For example, if a business uses a customer support vendor, it might seem like that vendor is a Collection Source because it is receiving personal information directly from consumers and passing it to the business. However, because that vendor is processing information on behalf of the business and the consumer is intending to interact with the business itself, the vendor should be listed as a Data Recipient, not a Collection Source.
It can sometimes be the case that a company is both a Data Recipient and a Collection Source. This is common with vendors categorized as data brokers, where a business may be sharing personal information with that vendor and also receiving personal information collected elsewhere. We have marked many such vendors as potential sources in the Polaris database. If you add one of them as a Data Recipient, it will be automatically added to your list of Collection Sources as well. If your business does not actually receive any personal information from those sources, you may remove them from your list.