California Consumer Privacy Act (CCPA)

What is the CCPA ?

" The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. " Wikipedia

What are the conditions required for compliance with CCPA ?

The CCPA applies to any business, including any for-profit entity that collects consumers' personal data, which does business in California, and satisfies at least one of the following thresholds:

• Business organization has annual gross revenues in excess of $25 million;
• Buys, receives, or sells the personal information of 50,000 or more consumers or households; or
• Business organization earns more than half of its annual revenue from selling consumers' personal information.

Organizations are required to "implement and maintain reasonable security procedures and practices in protecting consumer data".

Does CloudAlly comply with the CCPA ?

CloudAlly does not meet any of these (above) conditions. However CCPA also defines a service provider similarly to GDPR).

A service provider needs to fulfill the following requirements:

1. Be a for-profit entity
2. Be a processor to a business (i.e. process information on behalf of the business)
3. Receive the information for business purposes
4. Receive the information pursuant to a compliant contract.
   A compliant contract must prohibit the service provider from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for business the, or as otherwise permitted CCPA

The CCPA requires that an agreement between a Business and a Service Provider will:

1. prohibit the Service Provider from selling the personal information it receives/collects;
2. prohibit the Service Provider from retaining, using, or disclosing the personal information for any purpose other than for the purpose of performing its services under the agreement;
3. prohibit the Service Provider from retaining, using, or disclosing the information outside of the direct business relationship between the Service Provider and the Business; and
4. include a certification that the Service Provider understands the obligations and will comply with them. 

Hence:

• CloudAlly complies with the CCPA. CloudAlly is not subject to the CCPA as a Business, and that, when required rather it complies with CCPA as a Service Provider.
  
  
• CloudAlly is compliant with CCPA as a Service Provider, and provides a CCPA Addendum. This document states that CloudAlly as a Service Provider understands it's obligations under CCPA and will comply with them. 

Note:

CloudAlly's Privacy Policy clause 11 relates to: CCPA.  
The CCPA addendum is available by request from CloudAlly's Director of Compliance - Monty Sagal (email).  

For any further inquiry please contact: