Smartwaiver and the CCPA
Updated: January 1, 2020
What is the CCPA?
The California Consumer Privacy Act, or CCPA, took effect on January 1, 2020, and provides a variety of privacy rights to California consumers. Businesses regulated by the CCPA will have a number of obligations to those consumers, including disclosures, General Data Protection Regulation (GDPR)-like rights for consumers, an “opt-out” for certain data transfers and an “opt-in” requirement for minors.
Smartwaiver CCPA Compliance
Smartwaiver's tools and processes are compliant with the CCPA. We are committed to offering services and resources to our customers to help them comply with CCPA requirements that may apply to their activities.
Are Smartwaiver customers CCPA compliant?
The CCPA only applies to Smartwaiver customers doing business in California that annually satisfy one or more of the following: (1) gross annual revenue of more than $25 million, (2) 50% or more of annual revenue derived from the sale of consumer personal information, or (3) buying, selling, or sharing the personal information of more than 50,000 consumers.
For businesses that satisfy one of these requirements, compliance with the CCPA requires a partnership between Smartwaiver and our customers in their use of our services. Smartwaiver’s Terms of Service outlines our customers’ obligation to lawfully obtain and process all personal data appropriately.
How will the CCPA affect my company?
Many of the CCPA’s rights afforded to Californians are similar to the rights afforded to European customers under the GDPR, including disclosure and data subject right (DSR) requests, such as access, deletion, and portability. Therefore, Smartwaiver customers can look to our existing GDPR solutions to help with their CCPA compliance.
To evaluate how you approach the CCPA, you should focus on five key items:
- Discover: Identify what Personal Information you have and where it resides.
- Map: Determine how you are sharing Personal Information with third parties and identify if the third party is subject to an exception from the CCPA opt-out requirements.
- Manage: Govern how the data is used and accessed.
- Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
- Document: Document a data breach response program and ensure your contracts with applicable third parties are able to take advantage of the opt-out exceptions.
What is Personal Data?
Personal data includes what we typically consider personally identifiable information (PII)—name, passport number, birth date, etc.—but it also includes data that we might consider to be non-PII, like IP addresses or device IDs.
The CCPA includes 11 categories, which can be summarized as: Identifiers, Select Information in Customer Records, Legally Protected Characteristics, Commercial Purchasing Information, Biometric Information, Internet or Network Activity, Geolocation, Information Typically Detected by the Senses, Employment Information, Education Information, Inferences from Above Used to Profile. Personal data does not include publicly available information.
Key Principles of the CCPA
The CCPA requires regulated businesses that collect, use, transfer, and sell personal information to, among other things:
- Provide disclosures to consumers, prior to collection, regarding the categories and purposes of collection.
- Enable consumer rights relating to access, deletion, and portability of the specific pieces of personal information that have been collected by you.
- Enable a control that will permit consumers to opt out of the “sale” of the consumer’s data. However, certain transfers, like transfers to service providers, remain permitted.
- For minors under 16, enable an opt-in process so that no sale of the minor’s personal information can occur without an active opt-in to the sale.
- Ensure that consumers are not discriminated against for exercising any of their rights under CCPA.
What are the CCPA required disclosures?
The CCPA requires disclosure of the following:
- Categories of personal information of the consumer that have been collected.
- Categories of sources used in collection.
- The business or commercial purposes for collecting.
- The categories of third parties with whom the personal information is “shared”.
- Categories of personal information that have been “sold” and the categories of “third parties” to whom each category of personal information was sold.
- Categories of personal information that have been “disclosed for a business purpose” (that is, transferred but not a “sale”) and the categories of “third parties” to whom each category of personal information was transferred.
- The specific pieces of personal information that have been collected about that consumer.
How is data “sold” under the CCPA?
The definition of “sell” in the CCPA is incredibly broad, including “making personal information available to” a third party for monetary or other valuable consideration. Where a consumer has elected to “opt-out”, the business will be required to turn off the flow of personal information to any third party.
The CCPA does provide a number of carve-outs to this “sale” opt-out control. The three primary carve-outs are transfers (i) to a Service Provider, (ii) to an “exempted entity” or “contractor”, and (iii) at the direction of the consumer. Even if a consumer has elected to “opt-out”, personal information can continue to transfer to third parties who fit into those carve-outs.
To take advantage of the first two exemptions, businesses will have to ensure that the transfers are governed by written contracts containing the specific terms required by the CCPA.
What has Smartwaiver done to prepare for the CCPA?
Smartwaiver is excited about the CCPA and the strong data privacy and security requirements it emphasizes, and we look forward to helping our customers comply with the new regulations. We are committed to ensuring our own compliance and helping our customers understand their obligations as well.
Steps Smartwaiver is taking to be CCPA compliant include:
- Making available a GDPR/CCPA-compliant Customer Data Processing Agreement for Smartwaiver’s processing of personal data under the GDPR and CCPA on behalf of its customers. If your use of Smartwaiver requires Smartwaiver to process personal data within the scope of the GDPR or CCPA, Smartwaiver’s GDPR-CCPA Data Processing Addendum is available for e-signature here.
- Vendor agreements review: To ensure that our customers’ personal data is protected all the way down the sub-processing chain, we are reviewing our vendor agreements and ensuring CCPA-compliant terms are in place with vendors and service providers who process CCPA personal data on our behalf.
- Evaluating our Privacy and Cookie Notices and making any updates as needed.
What are Processors and Controllers?
A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Data Processor vs. Data Controller
If you are a Smartwaiver customer that collects data, you are considered a data controller. The controller is a person or organization that determines the purpose of processing personal data. You therefore have the responsibility to ensure that you are fulfilling your obligations under CCPA regulations, which include maintaining the lawful processing of personal data of your customers.
A Controller’s General Obligations:
As the data controller, you and your organization are required to process data in accordance with the CCPA, including (but not limited to):
- Establishing a process to identify and report data breaches within the timeframes of the CCPA
- Ensuring that the processed personal data is adequately protected
- Informing your customers how their data is processed
- Determining what personal data is processed and for what purposes
- Adhering to the consumer rights to access, delete, and receive a copy of data
- Adhering to the consumer’s right to opt out from sales of data to third parties
Under CCPA, Smartwaiver acts as a data processor of the personal data received by Smartwaiver customers. The processor is the person or organization that processes personal data on behalf of the controller and in accordance with the instructions and scope that the controller and processor have mutually agreed upon. This means that Smartwaiver has an obligation to support its customers to ensure the processing of their customer data is secure and to ensure that the tools to accommodate the individual’s rights listed above are provided.
A Data Processor’s General Obligations:
As a Smartwaiver customer, you have chosen us to be the processor of your customers’ personal data, a responsibility we take very seriously. As your processor, we will do our best to assist with YOUR obligations as a controller.
Where is Smartwaiver customer data stored?
Smartwaiver customer data is stored on servers located in the United States.
Is all data subject to a right to be deleted upon request?
The right to have personal data deleted is often referred to as “the right to be forgotten.” However, the right to be forgotten is not an absolute right. It only applies in certain circumstances and is subject to limitations. This right will not apply, for example, if retaining personal data is required to comply with a legal obligation, such as with contracts (waivers) or financial transactions. Deleting this data may expose the business to unnecessary legal liability. We recommend that you get in touch with your legal adviser regarding which data and documents you are legally obligated to remove.
How does the CCPA apply to children?
CCPA introduces parental consent obligations consistent with the Children's Online Privacy Protection Act (COPPA) for children under the age of 13.
For children between 13 and 16 years old, CCPA imposes a new obligation to obtain opt-in consent from the child for any “sale” of their personal information.
How will Smartwaiver handle requests to delete personal data?
Should there be a request from a California subject to delete/edit customer information, that request would first need to be directed to the data controller (the business using Smartwaiver). The data controller (the business using Smartwaiver) should send a request noting the document ID(s) of the waiver(s) that need to be forgotten. This request should be sent to firstname.lastname@example.org. Once received, Smartwaiver will process the request.
Why can I not process a “right to be forgotten” request in the Waiver Console?
Due to the sensitive nature of most documents on the Smartwaiver system and the legal liability attached to them, we take the protection of your documents very seriously. Accidental deletion can have serious consequences, which requires an extra level of protection to guard against it. Because of this, we require that these types of requests be processed directly by our support staff.
Since Smartwaiver is in compliance with the CCPA, does that mean my business will automatically comply with the CCPA?
No. As a business regulated under the CCPA rules, you will need to evaluate your own obligations (such as opt-in / opt-out standards). There are multiple resources online that outline what these obligations might be, but it’s always best to consult with your attorney on these matters.