California Consumer Privacy Act (CCPA) 101 for app developers

Note: This blog post is provided for informational purposes only. It is not intended to be a substitute for legal advice. As such, we recommend that you consult a lawyer before acting on any matter discussed within this post.

What is the CCPA?

The CCPA stands for the California Consumer Privacy Act of 2018, which went into effect on January 1, 2020. The CCPA is a California data privacy regulation that governs how certain organizations use, collect, and process personal information relating to California residents.

What’s changed?

The CCPA was recently amended by the California Privacy Rights Act of 2020 (CPRA), which went into effect on January 1, 2023. Enforcement will begin on July 1, 2023. Businesses that are subject to the CCPA now have additional obligations.

Where can I find a copy of the CCPA?

A full text version of the CCPA can be found here.

Who must comply with the CCPA?

Your obligations under the CCPA will depend on whether you are acting as a “business”, “service provider”, “third party” or “contractor” with respect to data that you process. This is a legal assessment that each app developer will need to make based on its own processing activities. When making this determination, consider the definitions below.

Business

A Business is a for-profit legal entity doing business in California that collects the personal information of California residents (Consumers), either directly or by using others to collect the personal information on its behalf, and meets at least one of the following:

  1. has annual gross revenues of more than $25 million;
  2. annually buys, receives, or sells for commercial purposes or for other valuable consideration (Sells) or shares for cross-context behavioral advertising (Shares), personal information of 100,000 or more consumers or households;
  3. derives more than 50% of its annual revenues from Selling or Sharing Consumers’ personal information.

Under the CCPA, Businesses have certain obligations with regard to personal information.

Service Provider

A Service Provider is a person or entity that processes personal information on a Business’ behalf and that receives a Consumer’s personal information for a business purpose from or on behalf of the Business, all pursuant to a written contract that must contain certain provisions as set forth in the CCPA.

Contractor

A Contractor is a person or entity to whom a Business makes available a Consumer’s personal information for a business purpose, pursuant to a written contract that must contain certain provisions as set forth in the CCPA.

Third Party

A Third Party is a person or entity which receives personal information from a Business but does not meet the definitions of a Service Provider or Contractor.

Obligations for Service Providers, Contractors, and Third Parties

Under CCPA, Service Providers, Contractors, and Third Parties are required to enter into written contracts with Businesses which contain certain language, including:

Service Providers and Contractors have additional contractual obligations that do not apply to Third Parties. These include prohibitions on (i) Selling or Sharing personal information, (ii) retaining, using or disclosing personal information outside of the direct relationship of the parties or for reasons other than the business purpose set forth in the contract, and (iii) combining personal information received from the Business with personal information received in other contexts.

Additionally, Contractors have unique contractual obligations that do not apply to Service Providers or Third Parties, including a certification that the Contractor understands their obligations and restrictions and shall permit the Business to monitor their compliance.

Finally, it is possible for an organization to be a Business, Service Provider, Contractor, and/or Third Party with respect to different subsets of data. For example, an organization could be a Service Provider to a customer and a Business to a vendor.

Who has rights under the CCPA?

Any person who is a resident of California has rights under the CCPA. While the CCPA defines individuals with rights as “Consumers”, the term is actually much broader than just customers of a business (e.g. end users) and also includes, but is not limited to, employees, contractors, and visitors.

What rights does a Consumer have under the CCPA?

Businesses must provide Consumers the following rights for their personal information:

  1. Right to delete;
  2. Right to correct;
  3. Right to know the types of information being collected or processed;
  4. Right to opt-out of Sale or Sharing; and
  5. Right to limit use and disclosure of sensitive personal information (a subset of personal information).

Businesses may also contractually require their Service Providers and Contractors to provide these rights to such Consumers. In short, if you are a Business, Service Provider, Contractor, or Third Party under the CCPA, you may be required to provide Consumers with this information or enable these capabilities (deleting/correcting personal information, opting out of sharing, limiting use of information).

What is Atlassian doing to comply?

Atlassian is committed to complying with the CCPA. See Atlassian’s CCPA commitment for more details.

Questions for App Developers to consider

Final thoughts

The ability to process personal information is important for almost all organizations, including app developers. However, regulatory changes coupled with increased customer scrutiny are forcing organizations to re-think how they store and use such data.

For many Atlassian customers, it’s mission-critical to ensure compliance with applicable laws (including the CCPA), and that means confirming that the apps they use are compliant as well.

Bottom line – privacy compliance is not just about internal compliance, but about meeting the expectations of your customers, who put their valuable data into your hands. Set yourself up for success by assessing your obligations under the CCPA and any other applicable laws.

Remember, the CCPA is a complex law and will apply differently to different apps, depending on where and how you do business, what data you collect about your customers and end-users, and how you use that data, among other things. If you have any concerns or questions, consult a lawyer about how the CCPA specifically applies to you.

Public resources that can help you determine your obligations under the amended CCPA
