On January 1st 2020, the California Consumer Privacy Act (CCPA) introduced new data privacy rights for California residents – forcing companies that conduct business in the state of California to implement structural changes to their privacy programs. The new law is a response to the increasing role personal data plays in business practices and the personal privacy implications surrounding the collection, use, and protection of personal information.
Though UpdraftPlus may not necessarily meet the criteria necessary in order to comply with the CCPA law (1. Have $25 million or more in annual sales – 2. Buys, sells, or shares information on 50,000 or more individuals, households, or devices – 3. Derives more than half of our annual revenue from selling personal information), we have made every effort to meet and achieve CCPA compliance for the privacy rights of our California-based customers. As such, we are providing this CCPA-specific privacy notice to supplement the information and disclosures already contained in our Data Protection and Privacy Centre. This notice applies only to individuals residing in California with an UpdraftPlus account from whom we collect personal information.
What is the CCPA?
The CCPA allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
Much like the GDPR law that was enacted in May 2018, many of the same rules on the use of customer data are represented in the CCPA. However, the CCPA takes a broader view than the GDPR of what constitutes private data.
How does CCPA differ from GDPR?
GDPR applies to the processing of all personal data, regardless of what that data is intended for or how it will be processed.
The CCPA is more specific regarding what kinds of data are protected and under what circumstances. While GDPR has strict user “opt-in” consent options before companies can access any of your data, CCPA only requires companies to supply the option to “opt-out” when user information is going to be actively sold or shared. The CCPA does not provide the same protection to a wider range of user data types that the GDPR does. These include:
- Data that is already legally available to the public
- Medical information that’s protected under California’s Confidentiality of Medical Information Act (CMIA) or the federal Health Insurance Portability and Accountability Act (HIPAA)
- Personal information covered by California’s Driver’s Privacy Protection Act
Use of personal information
As the new CCPA has now come into force, we wanted to clarify that UpdraftPlus meets the criteria necessary to be in accordance with the specific CCPA business and commercial purposes, as detailed below:
| Category | We Collect | We Sell |
|---|---|---|
| Examples: Name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. | | |
| B. Categories of personal information in Cal. Civ. Code 1798.80(e) | Yes | No |
| Examples: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. | | |
| C. Characteristics of protected classifications under California or Federal law | No | N/A |
| Examples: Race or color, ancestry or national origin, religion or creed, age (over 40), mental or physical disability, sex (including gender and pregnancy, childbirth, breastfeeding or related medical conditions), sexual orientation, gender identity or expression, medical condition, genetic information, marital status, military and veteran status. | | |
| D. Commercial information | Yes | No |
| Examples: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | | |
| E. Biometric information | No | N/A |
| Examples: Physiological, biological, or behavioral characteristics, including DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity, such as imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information. | | |
| F. Internet or other electronic network activity information | Yes | No |
| Examples: Browsing history, search history, and information regarding a consumer’s interaction with an internet website, application or advertisement. | | |
| G. Geolocation data | Yes | No |
| Example: Precise physical location. | | |
| H. Sensory information | No | N/A |
| Examples: Audio, electronic, visual, thermal, olfactory, or similar information. | | |
| I. Professional or employment-related information | No | N/A |
| Examples: Job application or resume information, past and current job history, and job performance information. | | |
| J. Non-Public education information (as defined in 20 U.S.C. 1232g; 34 C.F.R. Part 99) | No | N/A |
| Examples: Records that are directly related to a student maintained by an educational agency or institution or by a party acting for the agency or institution. | | |
| K. Inferences drawn from personal information | No | N/A |
| Examples: Consumer profiles reflecting a consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | | |
- Auditing related to a current interaction with you and concurrent transactions, including, but not limited to auditing compliance with this specification and other standards.
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use.
- Contracting with service providers to perform services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services.
- Otherwise enabling or effecting, directly or indirectly, a commercial transaction.
- For other purposes for which we provide specific notice at the time the information is collected.