Smartlook and the CCPA/CPRA
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020.
The CCPA is intended to enhance privacy rights and consumer protection for California residents. Like GDPR, the CCPA doesn’t apply only to companies doing business in California, but to all businesses managing and processing personal information of residents of California. More information can be found on the California Legislature website.
Even though the CCPA is very similar to GDPR, it requires further scrutiny by companies doing business in California.
On January 1, 2023, new rules are being brought to the CCPA by the so-called California Privacy Rights Act (CPRA). Is it a new CCPA? No, it is an amendment to it. It expands some obligations and brings California customers even closer to the GDPR. More information can be found on this page: https://www.caprivacy.org/annotated-cpra-text-with-CCPA-changes/.
Be aware that even though it is only an amendment, the CPRA changes practically everything: more rights, fines, duties, and contracts.
This article aims to explain how Smartlook complies with the CCPA/CPRA and personal data processing, so you can evaluate where you stand with regard to this legislation. Please note that this article is for informational purposes only.
You should consult legal counsel to determine how the CCPA/CPRA applies to you and your business.
What does the CCPA/CPRA mean for Smartlook and you?
Within the CCPA/CPRA, Smartlook is defined as a service provider, while you, our customers, are defined as the business. In the CCPA/CPRA context, we process your user data for business purposes on your behalf. Do not forget that you have to abide by the CCPA/CPRA if you meet any of the criteria below:
- your annual gross revenues are in excess of $25,000,000;
- you annually buy, sell, or share the personal information of 100,000 or more consumers or households;
- you derive 50% or more of your annual revenues from selling or sharing personal information of consumers in California.
As we noted in our Data security policy, keeping data secure is paramount to Smartlook. As such, we’ve held ourselves to a standard which not only complies with all legal requirements, but also takes steps to ensure the trust and safety of our customers' data.
Smartlook handles customer data only within the scope permitted by the relevant regulation and by our customers. With new rules stipulated in the CPRA, we are not going to:
- sell any customer data to third parties;
- share any customer data with parties that are not approved or not mentioned in our terms;
- rate, use or disclose any customer data for any purpose other than for the purposes specified in our Data Processing Agreement and Terms & Conditions;
- combine any customer data we process on your behalf with other data for any business purpose that is not expected by the customers (we may be combining data to track and analyze certain aspects of use and performance of our Service to improve our service offering for our customers).
Our Web SDK is written with a privacy-first approach, so we do not record a number of potentially sensitive data types by default. This means that inputs, IP addresses, on-page emails, and long numbers are not recorded unless you enable them explicitly via the Record API. The CPRA introduces a category of Sensitive Personal Information, which includes information such as:
- a customer’s social security, driver’s license, state identification card, or passport number,
- a customer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account,
- and many more – see SEC. 14 letter (ae) of CPRA.
Please be aware of this and do not record this information. You must be extra cautious about it. Any of your customers has the right to limit the use of their sensitive personal information (see SEC. 3, letter (B) and SEC. 4 of the CPRA). This limitation may also include not transferring data to service providers (us). If you provide us with such information, we are going to use this information only to provide you with our service.
If you want to access and work with personally identifiable data from residents of California, you need to provide us with evidence that you’ve received your end users' consent to process their personal data.
Review the Data Processing Agreement (DPA), which, according to our Terms of Service, applies whenever you process personal data (in the language of the CCPA/CPRA, we process data of your customers (end users) on your behalf).
Additionally, the CCPA/CPRA provides end users with some rights that need to be respected. Smartlook can help you with this as well.
End user rights
The CCPA/CPRA provides end users the right to request a full disclosure of all collected data on them from businesses that operate in California. End users have the power to decide whether their data may be shared, stored, sold, and removed. Are you keeping records of what personal information is being collected about your end users? With the CPRA, every customer has the right to know what information you collect about them and have collected during the last 12 months.
If any of your users request a full disclosure of personal data stored in your Smartlook project, you can find this data using the filter. Filter your collected data by IP, email, or other identifier to find what data you have on a particular user. Keep in mind that if the user wasn't previously identified (including your verified consent and signed DPA), all of that user's information is anonymized by default and cannot be filtered.
Smartlook is able to delete all data related to a specific user from our databases at your request. Once deleted, we will send you verification. To delete user data, submit a ticket by emailing [email protected].
Under the CPRA, we are obliged to cooperate with you in responding to the customer’s request to exercise their rights (deletion, correction, disclosure). This is also stated in our DPA.
Do not forget that it is primarily your responsibility to comply with all rights and duties stipulated in the CPRA (such as the duties of data minimization, data retention restriction, etc.).
Last updated: 3 January 2023