Updated: January 1, 2020
The California Consumer Privacy Act, or CCPA, took effect on January 1, 2020, and provides a variety of privacy rights to California consumers. Businesses regulated by the CCPA will have a number of obligations to those consumers, including disclosures, General Data Protection Regulation (GDPR)-like rights for consumers, an “opt-out” for certain data transfers and an “opt-in” requirement for minors.
Smartwaiver's tools and processes are compliant with the CCPA. We are committed to offering services and resources to our customers to help them comply with CCPA requirements that may apply to their activities.
The CCPA only applies to Smartwaiver customers doing business in California that annually satisfy one or more of the following: (1) gross annual revenue of more than $25 million, (2) 50% or more of annual revenue derived from the sale of consumer personal information, or (3) buying, selling, or sharing the personal information of more than 50,000 consumers.
For businesses that satisfy one of these requirements, compliance with the CCPA requires a partnership between Smartwaiver and our customers in their use of our services. Smartwaiver’s Terms of Service outlines our customers’ obligation to lawfully obtain and process all personal data appropriately.
Many of the CCPA’s rights afforded to Californians are similar to the rights afforded to European customers under the GDPR, including disclosure and data subject right (DSR) requests, such as access, deletion, and portability. Therefore, Smartwaiver customers can look to our existing GDPR solutions to help with their CCPA compliance.
To evaluate how you approach the CCPA, you should focus on five key items:
Personal data includes what we typically consider personally identifiable information (PII), such as name, passport number, and birth date, but it also includes data that we might consider to be non-PII, like IP addresses or device IDs.
The CCPA includes 11 categories, which can be summarized as: Identifiers, Select Information in Customer Records, Legally Protected Characteristics, Commercial Purchasing Information, Biometric Information, Internet or Network Activity, Geolocation, Information Typically Detected by the Senses, Employment Information, Education Information, Inferences from Above Used to Profile. Personal data does not include publicly available information.
The CCPA requires regulated businesses that collect, use, transfer, and sell personal information to, among other things:
The CCPA requires disclosure of the following:
The definition of “sell” in the CCPA is incredibly broad, including “making personal information available to” a third party for monetary or other valuable consideration. Where a consumer has elected to “opt-out”, the business will be required to turn off the flow of personal information to any third party.
The CCPA does provide a number of carve-outs to this “sale” opt-out control. The three primary carve-outs are transfers (i) to a Service Provider, (ii) to an “exempted entity” or “contractor”, and (iii) at the direction of the consumer. Even if a consumer has elected to “opt-out”, personal information can continue to transfer to third parties who fit into those carve-outs.
To take advantage of the first two exemptions, businesses will have to ensure that the transfers are governed by written contracts containing the specific terms required by the CCPA.
Smartwaiver is excited about the CCPA and the strong data privacy and security requirements it emphasizes, and we look forward to helping our customers comply with the new regulations. We are committed to ensuring our own compliance and helping our customers understand their obligations as well.
Steps Smartwaiver is taking to be CCPA compliant include:
A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
If you are a Smartwaiver customer that collects data, you are considered a data controller. The controller is a person or organization that determines the purpose of processing personal data. You therefore have the responsibility to ensure that you are fulfilling your obligations under CCPA regulations, which include maintaining the lawful processing of your customers' personal data.
As the data controller, you and your organization are required to process data in accordance with the CCPA, including (but not limited to):
Under CCPA, Smartwaiver acts as a data processor of the personal data received by Smartwaiver customers. The processor is the person or organization that processes personal data on behalf of the controller and in accordance with the instructions and scope that the controller and processor have mutually agreed upon. This means that Smartwaiver has an obligation to support its customers to ensure the processing of their customer data is secure and to ensure that the tools to accommodate the individual’s rights listed above are provided.
As a Smartwaiver customer, you have chosen us to be the processor of your customers’ personal data, a responsibility we take very seriously. As your processor, we will do our best to assist with YOUR obligations as a controller.
Smartwaiver customer data is stored on servers located in the United States.
The right to have personal data deleted is often referred to as “the right to be forgotten.” However, the right to be forgotten is not an absolute right. It only applies in certain circumstances and is subject to limitations. This right will not apply, for example, if retaining personal data is required to comply with a legal obligation, such as with contracts (waivers) or financial transactions. Deleting this data may expose the business to unnecessary legal liability. We recommend that you get in touch with your legal adviser regarding which data and documents you are legally obligated to remove.
CCPA introduces parental consent obligations consistent with the Children's Online Privacy Protection Act (COPPA) for children under the age of 13.
For children between 13 and 16 years old, CCPA imposes a new obligation to obtain opt-in consent from the child for any “sale” of their personal information.
Should there be a request from a California subject to delete/edit customer information, that request would first need to be directed to the data controller (the business using Smartwaiver). The data controller (the business using Smartwaiver) should send a request noting the document ID(s) of the waiver(s) that need to be forgotten. This request should be sent to firstname.lastname@example.org. Once received, Smartwaiver will process the request.
Because most documents on the Smartwaiver system are sensitive and carry legal liability, we take the protection of your documents very seriously. Accidental deletion can have serious consequences, which calls for an extra level of protection to guard against it. Because of this, we require that these types of requests be processed directly by our support staff.
No. As a business regulated under the CCPA rules, you will need to evaluate your own obligations (such as opt-in / opt-out standards). There are multiple resources online that outline what these obligations might be, but it’s always best to consult with your attorney on these matters.