You are probably seeing a storm of CCPA-related emails coming from your vendors right now. It’s a good thing, and we too want to update you on what we have done to ensure your online communities are compliant.
What Is CCPA?
CCPA came into effect on January 1st, 2020. The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents.
Why Is CCPA Important?
CCPA will impact any business that collects data from California residents, and it doesn’t matter where your business is based. In order to ensure that the protection of personal data remains a fundamental right for these citizens, the California Attorney General will fine organizations who fail to meet their obligations with respect to handling data.
What Is the Definition of Personal Information*?
Personal information is defined in the CCPA as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (1798.140.o1)
Personal information under the CCPA includes direct identifiers (such as real name, alias, postal address, social security numbers), unique identifiers (such as cookies, IP addresses and account names), biometric data (such as face and voice recordings), geolocation data (such as location history), internet activity (such as browsing history, search history, data on interaction with a webpage or app), sensitive information (such as health data, personal characteristics, behavior, religious or political convictions, sexual preferences, employment and education data, financial and medical information).
Personal information also includes data that by inference can lead to the identification of an individual or a household. Aggregate and anonymous data is exempt from the CCPA, unless it is in any way re-identifiable.
This means that data that is not in itself personal information can become so under the CCPA if it can be used – by inference or by combination with other data – to identify an individual or a household.
How Can You Make Sure Your Platform Is Compliant?
To ensure your community platform can become CCPA compliant, you have to perform the following steps:
1. We Updated Our “Data Processing Agreement”
We updated our DPA to make sure it states that we do not sell any of your users’ information and that we will assist whenever one of your users exercises the right to obtain their data.
For your convenience, we’ve included the DPA in our sign-up and order process. This means that the next time you start a community, these new terms will automatically apply to your project.
If you are currently running a community and are the Platform Owner, you can accept these new terms by visiting your platform once it has been updated to platform version 6.8.0. This will make your platform ready for CCPA compliance. We specifically say “ready for CCPA compliance” instead of “CCPA compliant”, because there are a couple more steps for you to take.
2. Update Your Privacy Statement
If you haven’t used a privacy statement yet in your community, then now is the time to do so. Keep in mind that it’s important to inform your members about:
- What kind of data you are collecting using CMNTY
- Why you are collecting this data, and
- Who is processing this data
- What kind of information you collect and process
- Why you collect and process information
- How you collect and process information
- How users can request to access, change, move, or delete their personal data
- The method for verifying the identity of the person who submits a request
- Sales of users’ personal data and how they can opt out of the selling of their data
You’ll be happy to know that we’ve made it easier for you to set up a privacy statement with a redesigned tool. For your convenience, we have also supplied you with a basic privacy statement template. This basic statement should cover the most important aspects, and of course you are free to use or extend it. See our help center article about privacy statements for more information.
3. Tools for Controlling Rights to Opt out & Rights to Deletion
With CCPA, data may not be stored longer than absolutely necessary. Also, your members may request to “be forgotten” which means that you should destroy all data you have on them. Both of these rules are the responsibility of the Data Controller (meaning you), but of course we have tools in place that allow you to delete members or destroy data when necessary.
Deleted data will be removed from the platform immediately and from our backups within 30 days. Please be reminded that deleting information from the platform alone is not enough. You should also delete any data you have about members locally or stored in other places.
4. Working With Data From Minors Between 13 and 16
If you are going to work with data from minors between the ages of 13 and 16, make sure to add a checkbox to your registration form to obtain their consent. You can easily do so by adding a checkbox profile field and making this field required.
Summary and Quick Checklist
CMNTY made sure that our tools are CCPA ready. To do so, we updated our Data Processing Agreement and added tools for you to be transparent with your members about their privacy.
We also have tools to meet the Rights to opt out rules and the Rights to deletion. To make sure your current community platform meets the CCPA privacy rules:
1. Log in to your platform and accept the new GTC, SLA and DPA, when they are available.
2. Make sure you have set up a privacy statement as described in this article. (Optionally, use our privacy statement template).
3. Determine your data retention period and act accordingly (ongoing).
4. Follow up on requests to be forgotten and act promptly (ongoing).
5. Additionally, and probably less common, be sure to respond to your members’ right to notice, right to disclosure and right to equal services and prices.
Questions About CCPA?
We can imagine you have questions about CCPA and how it applies to your community. Feel free to reach out to our support team at firstname.lastname@example.org and they’ll be happy to answer all of them.