Disclaimer: This content is for informational purposes only, and should not be used as legal advice regarding data privacy laws.
SECTIONS:
What steps should I take to ensure compliance with the CCPA and CPRA?
Does 10to8 sell or share user data to third parties that I need to declare to my clients?
Do I need to change the way I manage bookings or take bookings online?
How does 10to8 help me with requests for information access or deletion?
What data do I need to tell my customers I store in 10to8?
What is CCPA & CPRA?
CCPA is California’s Consumer Privacy Act and has been in place since January 2020. It provides residents of California with data rights to enable them to take control of their personal information. The California Privacy Rights Act (CPRA) will amend the CCPA, strengthening rights and bringing in new requirements for organizations. It takes effect on January 1, 2023.
How are things changing?
The CPRA grants additional consumer rights and expands these rights to employees. The changes include:
- Establishing ‘sensitive personal information’ (SPI) as a new category and providing individuals with the right to specify how this data is used.
- Strengthening rights around data access and deletion.
- Establishing new opt-out rights for consumers. Under the CCPA, opt-out was permitted from the sale of personal information. The CPRA extends the opt-out to the sharing of personal information as well.
- Introducing a new requirement for companies processing ‘high-risk’ data to perform annual cybersecurity audits.
In addition, the CPRA establishes a new Agency, the California Privacy Protection Agency (CPPA) to oversee and enforce data privacy regulations.
Is 10to8 CCPA & CPRA Ready?
Yes. 10to8 takes data privacy seriously, and as well as offering tools for GDPR (for EU businesses) and HIPAA (for US medical businesses), we can help you be compliant with the CCPA and CPRA.
As always with data privacy, it is ultimately you who will need to use 10to8 and your other software tools in an appropriate way to make sure you comply with the CCPA and CPRA.
What steps should I take to ensure compliance with the CCPA and CPRA?
- Check if your business is included in the scope of the new CPRA, as the qualifying criteria and thresholds have changed.
- Make sure you know the ‘purpose’ for the information that you collect and use.
- Know what data you hold and who you share it with, especially if it is sold to, or shared with, third parties.
- Have a privacy policy that complies with the CCPA and CPRA guidance.
- Have consent from all your customers to use their data for the purpose for which you hold it (i.e. your privacy policy), including opt-outs if you sell or share their data to third parties.
- If you are dealing with any data classed as ‘sensitive personal information’, you will need to inform customers about this and provide them with the option to limit how their SPI is used.
- Be ready to respond to requests for access and deletion of client data, and ensure you communicate requests for deletion to any third parties you have shared the data with.
- Check if you need to undertake annual audits.
- Always carry out your own due diligence and monitor regulatory updates, to ensure you’re compliant with data privacy laws.
Does 10to8 sell or share user data to third parties that I need to declare to my clients?
Whilst the CCPA made it mandatory for any business selling PII to let consumers opt-out of having their data sold (often via a ‘do not sell my info’ link on the website homepage), the CPRA expands these rights by enabling consumers to also limit sharing of their data (with a ‘Do Not Sell or Share My Personal Information’ opt-out, for example).
Whilst 10to8 does not sell any user data, we do share it with trusted third parties. We share your data with third parties who provide services on our behalf, relating to the infrastructure and operation of 10to8. All our third-party service providers are required to take appropriate security measures to protect your data and we do not allow them to use your data for their own purposes. We permit them to process your data on a minimum access basis only.
Do I need to change the way I manage bookings or take bookings online?
With CCPA and CPRA, it’s important to get your customers’ consent at the point of booking to collect their data. 10to8’s opt-in feature allows you to ask key questions at booking, and then store and manage those responses (such as permission to use their data).
How does 10to8 help me with requests for information access or deletion?
Access: 10to8 has standard tools to help you access all customer information stored in 10to8 automatically so that you can supply it to them.
Deletion: We have a standard process for deleting user information in a secure manner.
Remember that you must verify that the person requesting the information is either the person in question or a legitimate agent of that person.
What data do I need to tell my customers I store in 10to8?
That depends on how you use 10to8 and what data you store. You are the one who puts data into 10to8 so it is up to you to make sure that it complies with your policies.
We believe that a good privacy policy should inform all customers about what data you store, how you use it, how long you store it for, and who you share it with. Where you are processing SPI you will also need explicit consent from users to collect this category of data.
10to8 stores and processes client information in the following manner:
- For booking appointments so that the Individual User can access the 10to8 Client’s facilities and services;
- To set up and send reminders for bookings via email, social media platforms and SMS messaging;
- To send messages related to specific bookings via email, social media platforms and SMS messaging;
- To send general messages to Individual Users when requested to by the Client.