Note: This blog post is provided for informational purposes only. It is not intended to be a substitute for legal advice. As such, we recommend that you consult a lawyer before acting on any matter discussed within this post.
What is the CCPA?
The CCPA stands for the California Consumer Privacy Act of 2018, which went into effect on January 1, 2020. The CCPA is a California data privacy regulation that governs how certain organizations use, collect, and process personal information relating to California residents.
What's changed?
The CCPA was recently amended by the California Privacy Rights Acts of 2020 (CPRA), which went into effect on January 1, 2023. Enforcement will begin on July 1, 2023. Businesses that are subject to the CCPA now have additional obligations.
Where can I find a copy of the CCPA?
A full text version of the CCPA can be found here.
Who must comply with the CCPA?
Your obligations under the CCPA will depend on whether you are acting as a "business", "service provider", "third party" or "contractor" with respect to data that you process. This is a legal assessment that each app developer will need to make based on its own processing activities. When making this determination, consider the definitions below.
Business
A Business is a for-profit legal entity doing business in California that collects the personal information of California residents (Consumers), either directly or by using others to collect the personal information on its behalf, and meets at least one of the following:
- has annual gross revenues of more than $25 million;
- annually buys, receives, or sells for commercial purposes or for other valuable consideration (Sells) or shares for cross-context behavioral advertising (Shares), personal information of 100,000 or more consumers or households;
- derives more than 50% of its annual revenues from Selling or Sharing Consumers' personal information.
Under CCPA, Businesses have certain obligations in regards to personal information.
- For instance, Businesses are required to provide Consumers with notice about the categories of personal information that they collect, how that personal information will be processed, the reason for the collection/processing, among other notice requirements.
- Businesses must also ensure that they enter into appropriate contractual arrangements with service providers, contractors, or third parties, stating that the personal information they collect is protected by reasonable security measures (e.g. encryption), and that they have a process for handling consumer requests (e.g. right to delete personal information, right to correct personal information, and as further described in the section below "What rights does a Consumer have under the CCPA").
Service Provider
A Service Provider is a person or entity that processes personal information on a Business’ behalf and that receives a Consumer's personal information for a business purpose from or on behalf of the Business, all pursuant to a written contract that must contain certain provisions as set forth in the CCPA.
Contractor
A Contractor is a person or entity to whom a Business makes available a Consumer's personal information for a business purpose, pursuant to a written contract that must contain certain provisions as set forth in the CCPA.
Third Party
A Third Party is a person or entity which receives personal information from a Business but does not meet the definitions of a Service Provider or Contractor.
Obligations for Service Providers, Contractors, and Third Parties
Under CCPA, Service Providers, Contractors, and Third Parties are required to enter into written contracts with Businesses which contain certain language, including:
- that the personal information is disclosed for specific and limited purposes,
- an obligation to comply with the CCPA and a requirement to notify the Business if no longer able to comply,
- that the Business may take steps to ensure that the other party use personal information in a manner consistent with the Business’ obligations under the CCPA, and
- that the Business has the right to take reasonable steps to stop and remediate unauthorized use of personal information.
Service Providers and Contractors have additional contractual obligations, that do not apply to Third Parties. These include prohibitions on i) Selling or Sharing personal information, ii) retaining, using or disclosing personal information outside of the direct relationship of the parties or for reasons other than the business purpose set forth in the contract, and iii) combining personal information received from the Business with personal information received in other contexts.
Additionally, Contractors have unique contractual obligations, that do not apply to Service Providers or Third Parties, including a certification that the Contractor understands their obligations and restrictions and shall permit the Business to monitor their compliance.
Finally, it is possible for an organization to be a Business, Service Provider, Contractor, and/or Third Party with respect to different subsets of data. For example, an organization could be a Service Provider to a customer and a Business to a vendor.
Who has rights under the CCPA?
Any person who is a resident of California has rights under the CCPA. While the CCPA defines individuals with rights as "Consumers" the term is actually much broader than just customers of a business (e.g. end users) and also includes, but is not limited to: employees, contractors, visitors, etc.
What rights does a Consumer have under the CCPA?
Businesses must provide Consumers the following rights for their personal information:
- Right to delete;
- Right to correct;
- Right to know the types of information being collected or processed;
- Right to opt-out of Sale or Sharing; and
- Right to limit use and disclosure of sensitive personal information (a subset of personal information).
Businesses may contractually require their Service Providers and Contractors to provide these rights to such consumers also. In short, if you are a Business, Service Provider, Contractor, or Third Party under CCPA, you may be required to provide Consumers with this information or enable these capabilities (deleting/correcting personal information, opting out of sharing, limiting use of information).
What is Atlassian doing to comply?
Atlassian is committed to complying with the CCPA. See Atlassian's CCPA commitment for more details.
Questions for App Developers to consider
- Is your organization a Business, Service Provider, Contractor, or Third Party under CCPA?
- If you answered yes to the above, you may want to consider:
- Can you comply with the relevant obligations for a Business, Service Provider, Contractor, and/or Third Party, as they apply to your organization?
- Is your Privacy Policy up-to-date and compliant with CCPA?
- Note – many organizations, including Atlassian, have updated their privacy policies for the amended CCPA, including a notice at collection which covers the categories of personal information collected in the past 12 months, the purposes for which the information was collected and disclosed, the categories of recipients of disclosures made for business purposes in the past 12 months, and the categories of recipients of disclosures made in the past 12 months that may be considered "sales" of personal information or "sharing" of personal information for cross-context behavioral advertising under California law.
- Is your data processing agreement (DPA) up-to-date and compliant with CCPA?
- Note – many organizations have updated their DPAs, including Atlassian (see our updated Customer DPA and Forge DPA) to include CCPA specific contractual obligations, as further detailed above (e.g. that personal information is disclosed for specific and limited purposes).
- Do you have a process to enable consumers to exercise their rights?
- Do you Sell or Share personal information?
- If you do sell or share personal information, do you have an appropriate opt-out mechanism for Consumers?
- If you answered yes to the above, you may want to consider:
Final thoughts
The ability to process personal information is important for almost all organizations, including app developers. However, regulatory changes coupled with increased customer scrutiny are forcing organizations to re-think how they store and use such data.
For many Atlassian customers, it's mission critical to ensure compliance with applicable laws (including CCPA) – and that means confirming that the apps they use are compliant as well.
Bottom line – privacy compliance is not just about internal compliance, but about meeting the expectations of your customers, who put their valuable data into your hands. Set yourself up for success by assessing your obligations under the CCPA and any other applicable laws.
Remember, the CCPA is a complex law and will apply differently to different apps, depending on where and how you do business, what data you collect about your customers and end-users, and how you use that data, among other things. If you have any concerns or questions, consult a lawyer about how the CCPA specifically applies to you.