{"id":16341,"date":"2019-11-07T16:53:29","date_gmt":"2019-11-07T11:23:29","guid":{"rendered":"https:\/\/vwo.com\/?page_id=16341"},"modified":"2024-02-16T12:40:20","modified_gmt":"2024-02-16T07:10:20","slug":"ccpa","status":"publish","type":"page","link":"https:\/\/vwo.com\/compliance\/ccpa\/","title":{"rendered":"VWO and the CCPA"},"content":{"rendered":"\n

Last updated: Nov 07, 2019<\/b><\/p>\n

VWO’s commitment to data privacy and protection<\/h2>\n

VWO believes privacy and protecting data are core aspects of trust in today\u2019s technology world. We take our own data protection commitment to you and your customers very seriously. We are acutely aware that we need to earn and maintain your trust on a daily basis.<\/span><\/p>\n

VWO is committed to protecting your privacy and sees CCPA as an opportunity to strengthen our commitment even further. We don\u2019t collect & process users\u2019 personal information beyond what is required for the functioning of our services, and this will never change.<\/span><\/p>\n

VWO has put in place processes and procedures to comply with the various provisions of CCPA\u2014consumer rights, data protection addendum, data deletion, data retention, and pseudonymization, which align with our core values of customer trust and data privacy.<\/span><\/p>\n

What Is the CCPA?<\/h2>\n

The\u00a0<\/span>California Consumer Privacy Act, Cal. Civ. Code \u00a7\u00a7 1798.100 et seq<\/span><\/a>. (CCPA)\u00a0is a U.S. law that was enacted in 2018 in the State of California. Generally, it expands upon the privacy rights available to Californian citizens and listing data protection requirements, with which companies must comply.\u00a0<\/span><\/p>\n

Similar to the GDPR, the CCPA establishes and enhances consumer privacy rights for California residents and imposes rules on businesses that handle their personal information that relates to, describes, is associated with or can be linked to an individual.<\/span><\/p>\n

The CCPA grants Californian consumers new rights with respect to the collection of their personal information and requires a business to comply with certain obligations, including:<\/span><\/p>\n

    \n
  1. The consumer\u2019s <\/span>right to receive a copy, in a readily usable format, of the specific personal information collected about them during the twelve (12) months prior to their request.<\/span><\/b><\/li>\n
  2. The consumer\u2019s <\/span>right to know a business\u2019s data collection practices, including the categories of personal information it has collected, the source of the information, the business\u2019s use of the information, and to whom the business disclosed the information it has collected about the consumer.<\/span><\/b><\/li>\n
  3. The consumer\u2019s right to have such personal information deleted<\/span><\/strong>.<\/span><\/li>\n
  4. The consumer\u2019s right to know the business\u2019 data sale practices<\/span> and to request that their personal information not be sold to third parties.<\/span><\/b><\/li>\n
  5. A prohibition on businesses on discrimination for exercising a consumer right.<\/li>\n
  6. An obligation on businesses to notify a consumer of their rights.<\/li>\n<\/ol>\n

    Data Privacy and Information Security Certifications<\/h2>\n

    We have been certified for the following certifications to ensure CCPA preparedness:<\/span><\/p>\n

      \n
    1. ISO 27001:2013 Information Security Management Systems [ISMS]:<\/a> ISMS ensures a systematic approach to managing sensitive company information so that it remains secure. ISMS includes people, processes, and IT systems by applying a risk management process.<\/span><\/li>\n
    2. ISO 27701:2019 Privacy Information Management System [PIMS] & CCPA Act Compliance<\/a>:\u00a0<\/a>ISO 27701 is internationally recognized and built as an extension of the widely-used ISO\/IEC 27001 and ISO\/IEC 27002 standards for information security management. It is a global privacy standard that focuses on the collection and processing of personally identifiable information (PII). This standard was developed to help organizations comply with international privacy frameworks and laws.<\/li>\n
    3. System and Organization Controls 2 Type II (SOC 2 Type II)<\/a>: SOC 2 Type II is a rigorous auditing standard developed by the American Institute of CPAs (AICPA). It ensures that companies have established and maintained effective controls to protect the security, availability, processing integrity, confidentiality, and privacy of customer data.<\/li>\n<\/ol>\n

      How does the CCPA apply to VWO customers?<\/h2>\n

      VWO customers that collect, and store personal information are considered <\/span>\u201c<\/b>Businesses<\/span>\u201d<\/b> under the CCPA. Businesses bear the primary responsibility for ensuring that their processing of personal information is compliant with relevant data protection law, including the CCPA.\u00a0<\/span><\/p>\n

      VWO acts as a <\/span>\u201c<\/b>Service Provider,<\/span>\u201d<\/b> as such term is defined in the current version of the CCPA, and shall collect, access, maintain, use, process and transfer the personal information of our customers and our customer\u2019s end-users solely for the purpose of performing our obligations under our existing contract(s) with our subscribers; and, for no commercial purpose other than the performance of such obligations and improvement of the Services we provide.<\/span><\/p>\n

      How VWO is Helping Businesses Become CCPA- ready<\/h2>\n

      The California State Legislature has indicated that it may further amend the CCPA. In light of such amendments, VWO is actively tracking the law and we will continue to keep our customers updated on features and functionality they can use to support their compliance efforts. Customers can also view the below table for more detailed information on how to use VWO Services to comply with data privacy laws.<\/span><\/p>\n

      The CCPA will become enforceable on January 1, 2020. We will evaluate and adapt our practices where necessary to ensure that we will be compliant.<\/span><\/p>\n

      At VWO, we ensure that our customer data is secure and easily accessible. VWO is built on a foundation of trust, security, and compliance to ensure that our internal data practices are CCPA-ready. An equally important part for us is to assist our customers and partners in their journey toward compliance. With that in mind, we have the following details about the VWO Experience Optimization Platform:<\/span><\/p>\n\n\n\n\n\n\n\n\n\n\n
      \u00a0<\/td>\nVWO Features<\/strong><\/td>\nHow it works<\/strong><\/td>\n<\/tr>\n
      Storing and managing personal information for visitors<\/b><\/td>\nSession Recordings<\/span><\/td>\n\n

      By default, VWO anonymizes all key presses to avoid storing or transmitting any personal or sensitive information on VWO servers. We\u2019ve features to anonymize the following:<\/span><\/p>\n

        \n
      1. Hide all text in the HTML body.<\/span><\/li>\n
      2. Whitelist using CSS selectors path: This option can be used to <\/span>specifically anonymize or whitelist an input\/non-input field or text labels.<\/span><\/li>\n
      3. Anonymize a specific element by using the nls_ protected class.<\/span><\/li>\n<\/ol>\n
        \n

        Read more<\/span><\/a><\/p>\n<\/td>\n<\/tr>\n

      \u00a0<\/td>\nCustom Dimensions <\/span><\/td>\n\n

      We have the process of creating a custom dimension in VWO to include the following features:<\/span><\/p>\n

        \n
      1. By default, VWO will filter all incoming data for a custom dimension for personal properties like email addresses, credit card numbers, and others.<\/span><\/li>\n
      2. Users are recommended to encrypt all incoming data. <\/span>Read more<\/span><\/a><\/li>\n<\/ol>\n<\/td>\n<\/tr>\n
      \u00a0<\/td>\nLocation Information<\/span><\/td>\n\n

      Customers can customize what location information of visitors is stored or completely disable storing any location information.\u00a0<\/span><\/p>\n

      Read more<\/span><\/a><\/p>\n
      \n

      IP Address- By default, VWO replaces the last octet of IP address with 0 before saving it. Customers can now customize this setting and disable storing the IP address.<\/span><\/p>\n

      Read More<\/span><\/a><\/p>\n<\/td>\n<\/tr>\n

      Collecting Consent<\/b><\/td>\nOn-page Surveys<\/span><\/td>\n\n

      We have the option to display a consent message at the beginning of each survey. The message can also include links to policies and other information.\u00a0<\/span><\/p>\n

      Read More<\/span><\/a><\/p>\n<\/td>\n<\/tr>\n

      \u00a0<\/b><\/td>\nBrowser Privacy Settings<\/span><\/td>\n\n

      Customers can configure their privacy settings in the VWO app to stop recording any information about the website visitors who have \u201cDo Not Track\u201d setting enabled on their browsers.<\/span><\/p>\n

      Read More<\/span><\/a><\/p>\n<\/td>\n<\/tr>\n

      Consumer Rights<\/b><\/td>\nSecurity Settings <\/span><\/td>\n\n

      Customers can request data for their website or mobile app visitors through a visitor\u2019s UUID. A link will be generated by VWO that will collect all the data for specific UUID or potential data such as URLs and visitor recordings for a defined time period.<\/span><\/p>\n

      Read More<\/span><\/a><\/p>\n

      \u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

      \u00a0<\/b><\/td>\nSecurity Settings<\/span><\/td>\n\n

      Customers can request the deletion of data for their website or mobile app visitors through their visitor\u2019s UUID.\u00a0<\/span><\/p>\n

      Read More<\/span><\/a><\/p>\n

      \u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      What We Are Doing to Ensure You Can Use VWO Product in a CCPA Ready Manner<\/h2>\n

      The CCPA is focused on organizational compliance instead of product-level compliance. However, we attach the utmost importance to how we build our products and have adopted a Privacy and Security by Design approach. Our products are designed with privacy and security in mind and as a core component of our development process.<\/span><\/p>\n

      As a business, you will need to ensure you are compliant with your own obligations under the CCPA. However, if you buy a VWO Services, we aim to ensure that you can use our Services in a CCPA-Ready manner, helping you to satisfy your obligations under the CCPA. For example, we design our products to facilitate data minimization and provides better insight into and control over your data flows in order to make it easier for you to satisfy your CCPA obligations as a business.<\/span><\/p>\n

      Does VWO sell personal information?<\/h2>\n

      We do not <\/span>\u201c<\/b>sell<\/span>\u201d<\/b> our customer\u2019s personal information as currently defined under the CCPA, meaning that we also do not rent, disclose, release, transfer, make available or otherwise communicate that personal information to a third party for monetary or other valuable consideration. We may share aggregated and\/or anonymized information regarding your use of the Service(s) with third parties to help us develop and improve the Services and provide our customers with more relevant content and service offerings as detailed in our customer agreements.<\/span><\/p>\n

      What guidance can VWO provide regarding the CCPA?<\/h2>\n

      VWO cannot provide legal advice to customers regarding the CCPA at this time. Customers should consult their legal counsel on how the CCPA specifically applies to them and how to achieve their own compliance.<\/span><\/p>\n

      VWO values our customers\u2019 trust, and we share the same concerns as our customers over the privacy of our customers\u2019 information. As part of its robust privacy program, VWO has mapped its global privacy practices to E.U. data privacy law.\u00a0<\/span><\/p>\n

      For information on these practices and the functionality we provide to support our customers\u2019 compliance, please visit the rest of our\u00a0<\/span>Privacy Policy<\/span><\/a>,\u00a0<\/span>Cookies Stored by VWO<\/span><\/a>, <\/span>How to Opt-out<\/span><\/a>, and <\/span>Data Deletion Policy<\/span><\/a>. These resources detail the privacy and security measures undertaken by VWO to protect its customers\u2019 personal information, our data retention\/deletion policies, and features available in our Services that enable our customers to comply with their end-user privacy requests.<\/span><\/p>\n

      You can also learn more about our privacy practices\u00a0<\/span>here<\/span><\/a>. You can obtain our current Data Processing Addendum <\/span>here<\/span><\/a>.<\/span><\/p>\n

      Privacy and information protection act FAQ<\/h2>\n

      Frequently Asked Questions about the California Consumer Privacy Act (CCPA).<\/span><\/p>\n

      1. What is CCPA?<\/b><\/p>\n

      The California Consumer Privacy Act (CCPA) is created to protect the privacy and personal information of consumers. The CCPA<\/span> initiative states that the act is intended to <\/span>\u201c<\/b>give Californians the \u2018who, what, where, and when\u2019 of how businesses handle consumers\u2019 personal information.<\/span>\u201d<\/b> The act requires businesses to tell consumers what information its collecting and gives consumers the right to say no to the sale of their personal information. It will also allow consumers to sue companies if their personal information is breached.<\/span><\/p>\n

      \u00a0<\/p>\n

      2. Who does it apply to?<\/b><\/p>\n

      CCPA applies to any organization that works with the personal information of California residents. This law introduces new obligations for business processing information while clearly stating the accountability of business information controllers.<\/span><\/p>\n

      \u00a0<\/p>\n

      3. Where does the CCPA apply?<\/b><\/p>\n

      This law doesn’t have territorial boundaries. It doesn’t matter where your organization is from \u2014 if you process the personal information of consumers of California, you come under the jurisdiction of the law.<\/span><\/p>\n

      \u00a0<\/p>\n

      4. What are the penalties for non-compliance?<\/strong><\/p>\n

      The CCPA is enforced primarily by the California attorney general, who may seek civil penalties of up to $2,500 per violation or up to $7,500 per intentional violation. The law, however, also provides a private right of action for certain data breaches arising from violations of California’s data security law. Affected California residents can seek $100 to $750 in statutory damages per individual per incident or actual damages, whichever is greater.<\/span><\/p>\n

      \u00a0<\/p>\n

      5. Who are the key stakeholders?<\/b><\/p>\n

      Consumer<\/b>– The CCPA defines <\/span>\u201c<\/b>consumer<\/span>\u201d<\/b> as <\/span>\u201c<\/b>a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, however identified, including by any unique identifier.<\/span>\u201d<\/b> According to the referenced state regulations, a California resident is any individual who is<\/span><\/p>\n

        \n
      1. \u201cin the state of California for other than a temporary or transitory purpose,\u201d<\/span><\/li>\n
      2. \u201cdomiciled in the state\u201d of California and \u201coutside of the state for a temporary or transitory purpose.\u201d<\/span><\/li>\n<\/ol>\n

        Business<\/b>– A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for profit or financial benefit of its shareholders or other owners, that collects consumers\u2019 personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers\u2019 personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:<\/span><\/p>\n

          \n
        1. Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185<\/li>\n
        2. <\/b> Alone or in combination, annually buys, receives for the business\u2019 commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.<\/span><\/li>\n
        3. Derives 50 percent or more of its annual revenues from selling consumers\u2019 personal information.<\/span><\/li>\n<\/ol>\n

          Service Provider<\/b>– \u201cService provider\u201d means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer\u2019s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing personal information for a commercial purpose other than providing the services specified in the contract with the business.<\/span><\/p>\n

          Third Parties<\/b>– Under the California Consumers Privacy Act (CCPA) entities that process data subject to CCPA but are neither businesses nor service providers<\/span> are considered \u2018third parties\u2019 (See, Section<\/span> 1798.140(w)<\/span><\/a> of the California Civil Code).<\/span><\/p>\n

          Under<\/span> 1798.115<\/span><\/a> (d) of the California Civil Code, a third party <\/span>shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received an explicit notice and is provided an opportunity to exercise the right to opt-out.<\/b><\/p>\n

          \u00a0<\/p>\n

          6. What is personal information or Personally Identifiable Information (PII)?<\/b><\/p>\n

          Any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender, etc).<\/span><\/p>\n

          \u00a0<\/p>\n

          7. Where is my information located?<\/b><\/p>\n

          The data of vwo.com\u00a0customers will reside in the US\u00a0 with IBM Softlayer and Google Cloud Platform (GCP).<\/span><\/p>\n

          \u00a0<\/p>\n

          8. Comparison with GDPR<\/b><\/p>\n

          The European Union has been at the forefront of consumer privacy since the 1996 Data Privacy Directive to the current GDPR, which provides even greater privacy rights to EU residents. Some even refer to the CCPA as California\u2019s GDPR. While there a number of similarities between the two, there are also many differences. Table 1 provides a comparison. Companies that implemented GDPR-level compliance can leverage parts of their program to meet CCPA requirements. However, additional program development for CCPA will still be required.<\/span><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
          CCPA compared to the European Union\u2019s GDPR<\/b><\/td>\n<\/tr>\n
          \u00a0<\/td>\nCalifornia CCPA<\/b><\/td>\nEU GDPR <\/b><\/td>\n<\/tr>\n
          Scope <\/b><\/td>\nRights, disclosure, transparency <\/span><\/td>\nOmnibus -covers much more <\/span><\/td>\n<\/tr>\n
          Personal Information <\/b><\/td>\nBroader-includes households and devices <\/span><\/td>\nIncludes personal data as well as special categories<\/span><\/td>\n<\/tr>\n
          Rights <\/b><\/td>\nRights to access and deletion broader <\/span><\/td>\nSimilar rights to erasure <\/span><\/td>\n<\/tr>\n
          Security<\/b><\/td>\nNot Included <\/span><\/td>\nProcedures for protecting information <\/span><\/td>\n<\/tr>\n
          Disclosures <\/b><\/td>\nSpecific requirements for disclosure <\/span><\/td>\nLess prescriptive <\/span><\/td>\n<\/tr>\n
          Data Sharing <\/b><\/td>\nMore restrictive -but no rules for transfers outside the USA<\/span><\/td>\nRestriction on data transfers outside of specific countries <\/span><\/td>\n<\/tr>\n
          Privacy By Design\/Default <\/b><\/td>\nNot Includes<\/span><\/td>\nRequired <\/span><\/td>\n<\/tr>\n
          Data Protection Impact Assessment <\/b><\/td>\nNot Includes<\/span><\/td>\nRequired if Criteria met<\/span><\/td>\n<\/tr>\n
          Breach Notification <\/b><\/td>\nNot Includes<\/span><\/td>\n72-hours requirements <\/span><\/td>\n<\/tr>\n
          Data Protection Officer<\/b><\/td>\nNot required <\/span><\/td>\nRequired if Criteria met <\/span><\/td>\n<\/tr>\n
          Enforcement <\/b><\/td>\nAttorney general and Litigators.<\/span><\/td>\nPrivacy regulators <\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

          \u00a0<\/p>\n

          9. Where can I find additional resources on CCPA?<\/b><\/p>\n

          Here are some links you can refer to for additional reading on the CCPA:<\/span><\/p>\n