California Consumer Privacy Act

MemberLeap California Consumer Privacy Act Addendum



The California Consumer Privacy Act (CCPA) is the most comprehensive data protection law enacted in the United States to date. It imposes privacy obligations on businesses regulated by the CCPA and gives California consumers rights relating to the access to, deletion of, and sharing of their personal information.

The CCPA goes into effect on January 1, 2020. The legislation was originally approved by Governor Brown in June of 2018 and added sections 1798.100 through 1798.198 to the California Civil Code.

For violations, the CCPA provides for civil penalties of up to $2,500 per violation or $7,500 per intentional violation. While it is not yet entirely clear what constitutes a single violation, there are strong arguments that each transaction or each affected consumer could count as a separate violation, so penalties can accumulate quickly. Enforcement actions may only be brought by the California Attorney General. The private right of action under the CCPA is limited to data breaches resulting from a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.

In brief, here are some of the main elements to consider for achieving compliance with the CCPA:

Important CCPA Definitions

In the context of the CCPA, consumers are all California residents; businesses are individuals or entities that determine the purposes and means of processing consumers' personal information; and service providers are individuals or entities that process personal information on behalf of a business. These roles are broadly analogous to the controller and processor roles under the GDPR. Generally, the CCPA term "personal information" lines up with "personal data" under the GDPR; however, the CCPA definition also covers information about a household. The CCPA term "sale" of personal information to third parties is defined broadly to include any disclosure of personal information for monetary or other valuable consideration.

What you need to know: For organizations doing business in California, MemberLeap acts as a service provider. We process personal information only on behalf of our clients, pursuant to written agreements. To comply with the CCPA, we have updated our agreements to meet the requirements for service providers under the CCPA and to allow our clients to continue to transfer data to us. Those agreements permit MemberLeap to process our clients' data (including personal information) only for the purpose of providing our services. While we necessarily process personal information transmitted through our network, we do not sell that information to third parties.

If you are a CCPA-regulated client, you can read the MemberLeap CCPA Addendum here.

The CCPA Applies to an Organization Which Meets Any One of the Following Criteria:

  • Global annual gross revenue in excess of $25 million;
  • Derives 50% or more of its annual revenue from selling California residents' personal information; or
  • Annually buys, receives for commercial purposes, sells, or shares the personal information of 50,000 or more California residents, households, or devices.

What you need to do: If you are beginning your CCPA journey, you should focus on the following:

  1. Identify what personal information you collect, use, share, store and sell;
  2. Update Privacy Notices;
  3. If you sell personal information, or exchange it for any kind of valuable consideration, provide a clear and conspicuous "Do Not Sell My Personal Information" link on your website;
  4. Establish a process to efficiently respond to customer requests;
  5. Update vendor agreements;
  6. Train employees on CCPA requirements;
  7. Establish security controls to prevent and detect data breaches;
  8. Have a formal data breach response program in place. 

We would be happy to answer questions about these requirements and what they might look like for you at any time - info@memberleap.com.

The Rights an Organization Must Enable Under the CCPA:

  • Right to Notice
  • Right to Disclosure
  • Right to Deletion
  • Right to Data Portability
  • Right to Opt Out of Sale
  • Right to Non-Discrimination
  • Right to Opt In for Children's Personal Information

What you need to do: You will need to be able to respond to the various requests consumers may make when exercising their rights under the CCPA. Many of the rights the CCPA affords consumers are similar to those provided by the GDPR. The MemberLeap system already supports most of this, and the add-on CCPA center makes the rest easier, in particular exporting data for data portability and anonymizing data to satisfy the right to deletion.

FAQ:

Do you charge more for handling CA data?

If you store California consumer data in our system, we require you to sign an Addendum to our Online Service Agreement and to pay an additional monthly charge. This charge offsets the costs we incur in order to comply with the CCPA as a service provider. Paying this fee also grants you access to our Privacy/CCPA module, which includes the features needed for compliance as well as additional materials and guidelines to help you become compliant. Below is the current schedule of additional fees, based on the number of California consumers whose data you store.

  • 1-20 California consumers = $10 per month
  • 21-250 California consumers = $20 per month
  • 251-2,500 California consumers = $30 per month
  • 2,501-5,000 California consumers = $40 per month
  • 5,001+ = Consultation with a MemberLeap Membership Solution Consultant

Fees are subject to change based on additional privacy requirements.

Are All Vendors Considered Service Providers Under the CCPA?

No. To be considered a service provider for the purposes of the CCPA, an organization must process personal information on behalf of a business. In addition, the vendor must be bound by a written contract that prohibits it from:

  1. retaining the personal information for any purpose other than for the specific purpose of performing the services specified in the contract;
  2. using the personal information for any purpose other than for the specific purpose of performing the services specified in the contract; or
  3. disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract.

As a result, there are a number of situations in which a business may use a vendor that does not qualify as a service provider under the CCPA. These include situations where:

  1. no written contract exists between a business and a vendor;
  2. a contract exists, but it allows the vendor to retain personal information beyond termination;
  3. a contract exists, but it allows the vendor to use personal information (in any form) for its own purpose; or
  4. a contract exists, but it allows the vendor to make decisions about the disclosure of personal information.

How do I ensure my contracts with third parties are able to take advantage of the CCPA Opt Out exceptions?

One of the most important aspects of the CCPA is that it prohibits the undisclosed sale of personal information and requires businesses that do sell personal information to give consumers an easy way to opt out of that sale.

The definition of "sell" in the CCPA is very broad. Transactions in which personal information is exchanged for something of value other than money, such as information or access, also constitute a sale under the CCPA. Once a consumer exercises the opt-out right, the business must stop selling that consumer's personal information. The CCPA does provide three exemptions: (1) transfers to a service provider; (2) transfers to an exempted entity or contractor; and (3) transfers at the direction of the consumer. Even after a consumer has opted out, personal information may continue to be transferred to parties falling under these exemptions.

To take advantage of the first two exemptions, organizations must ensure that transfers to service providers are governed by written contracts containing the specific terms required under the CCPA. The MemberLeap Online Service Agreement and CCPA Addendum include the terms needed to take advantage of the CCPA opt-out exception.

What is the Opt In requirement under the CCPA?

The opt-in requirement for children's personal information means that a business may only sell the personal information of a consumer who is at least 13 and under 16 years of age with that consumer's affirmative consent, and may only sell the personal information of a child under 13 with the consent of the child's parent or guardian.

What if I have other questions?

Please ask us. As we get more questions, it will help us build this FAQ section.

If you are a client and have questions, please log into the system and submit a help ticket. This helps us coordinate our efforts to assist you with compliance.

If you are a prospective client and have questions about the CCPA module or other aspects of our product, please click here to contact us or email us at info@memberleap.com.