On January 1st 2020, the California Consumer Privacy Act (CCPA) introduced new data privacy rights for California residents – forcing companies that conduct business in the state of California to implement structural changes to their privacy programs. The new law is a response to the increasing role personal data plays in business practices and the personal privacy implications surrounding the collection, use, and protection of personal information.
Though UpdraftPlus may not necessarily meet the criteria necessary in order to comply with the CCPA law (1. Have $25 million or more in annual sales – 2. Buys, sells, or shares information on 50,000 or more individuals, households, or devices – 3. Derives more than half of our annual revenue from selling personal information), we have made every effort to meet and achieve CCPA compliance for the privacy rights of our California based customers. As such, we are providing this CCPA-specific privacy notice to supplement the information and disclosures already contained in our Data Protection and Privacy Centre. This notice applies only to individuals residing in California with an UpdraftPlus account from whom we collect personal information.
What is the CCPA?
The CCPA allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
Much like the GDPR law that was enacted in May 2018, many of the same rules on the use of customer data are represented in the CCPA. However the CCPA does takes a broader view than the GDPR of what constitutes private data.
How does CCPA differ from GDPR?
GDPR applies to the processing of all personal data, regardless of what that data is intended for or how it will be processed.
The CCPA is more specific regarding what kinds of data are protected and under what circumstances. While GDPR has strict user “opt-in” consent options before companies can access any of your data, CCPA only requires companies to supply the option to “opt-out” when user information is going to be actively sold or shared.
The CCPA does not provide the same protection to a wider range of user data types that the GDPR does. These include:
- Data that is already legally available to the public
- Medical information that’s protected under California’s Confidentiality of Medical Information Act (CMIA) or the federal Health Insurance Portability and Accountability Act (HIPPA)
- Personal information covered by California’s Driver’s Privacy Protection Act
And other similar data sets.
UpdraftPlus does not sell personal information
The following categories of personal information have been defined by the CCPA. This information may have been collected and/or disclosed for a business purpose by ourselves in the last twelve months. The examples of the personal information provided in each category are taken from the CCPA and are included so you can better understand the specific information contained within a category. More information about the specific information UpdraftPlus gathers and how that information is used and processed can be found here.
|Category||We Collect||We Sell|
|Examples: Name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.|
|B. Categories of personal information in Cal. Civ. Code 1798.80(e)||Yes||No|
|Examples: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.|
|C. Characteristics of protected classifications under California or Federal law||No||N/A|
|Examples: Race or color, ancestry or national origin, religion or creed, age (over 40), mental or physical disability, sex (including gender and pregnancy, childbirth, breastfeeding or related medical conditions), sexual orientation, gender identity or expression, medical condition, genetic information, marital status, military and veteran status.|
|D. Commercial information||Yes||No|
|Examples: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.|
|E. Biometric information||No||N/A|
|Examples: Physiological, biological, or behavioral characteristics, including DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity, such as imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.|
|F. Internet or other electronic network activity information||Yes||No|
|Examples: Browsing history, search history, and information regarding a consumer’s interaction with an internet website, application or advertisement.|
|G. Geolocation data||Yes||No|
|Example: Precise physical location.|
|H. Sensory information||No||N/A|
|Examples: Audio, electronic, visual, thermal, olfactory, or similar information.|
|I. Professional or employment-related information||No||N/A|
|Examples: Job application or resume information, past and current job history, and job performance information.|
|J. Non-Public education information (as defined in 20 U.S.C. 1232g; 34 C.F.R. Part 99)||No||N/A|
|Examples: Records that are directly related to a student maintained by an educational agency or institution or by a party acting for the agency or institution.|
|K. Inferences drawn from personal information||No||N/A|
|Examples: Consumer profiles reflecting a consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.|
Use of personal information
As the new CCPA has now come into force we wanted to clarify that UpdraftPlus meets the criteria necessary to be in accordance with the specific CCPA business and commercial purposes, as detailed below:
- Auditing related to a current interaction with you and concurrent transactions, including, but not limited to auditing compliance with this specification and other standards.
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use.
- Contracting with service providers to perform services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services.
- Otherwise enabling or effecting, directly or indirectly, a commercial transaction.
- For other purposes for which we provide specific notice at the time the information is collected.
UpdraftPlus’ collection and disclosure of personal information
In the last year UpdraftPlus have collected personal information from general sources including you, your use of our services, your devices, our affiliates, our vendors, and our service providers. More specific information about the personal information we collect is laid out in this in our GDPR and Data Protection and Privacy Centre.
Your California privacy rights
If you are a California resident, the CCPA allows you to exercise the following rights.
Right to know and access. You may submit a verifiable request for information regarding the: (1) categories of personal information collected or disclosed by us; (2) purposes for which categories of personal information are collected by us; (3) categories of sources from which we collect personal information; and (4) specific pieces of personal information we have collected about you during the past twelve months.
Right to Delete. Subject to certain exceptions, you have the option to delete personal information about you that we have collected from you.
Verification. Requests for access to or deletion of personal information are subject to our ability to reasonably verify your identity in light of the information requested and pursuant to relevant CCPA requirements, limitations, and regulations.
Right to Equal Service and Price. You have the right not to receive discriminatory treatment for the exercise of your CCPA privacy rights, subject to certain limitations.
Shine the Light. We do not rent, sell, or share your personal information with non affiliated companies for their direct marketing purposes, unless we have your permission.
Submit Requests. To exercise your rights under the CCPA, you can deactivate and purge your account (similar to the GDPR “right to erasure” – “right to be forgotten”) by sending us a customer support request under “This is a GDPR/CCPA-related query” in the “What kind of support request is this?” option.
If you have any further questions or queries, please leave a comment below and we will get back to you as soon as possible.