Do I need to comply with CCPA?
The CCPA applies to any for-profit business that collects consumers' personal data, that does business in California, and satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million.
- Possesses the personal information of 50,000 or more California consumers, households, or devices.
- Derives 50% or more of its’ annual revenue from the sale of consumer personal information.
Does GDPR compliance cover CCPA compliance?
No. While some components are similar, CCPA requires specific compliance standards which are not part of GDPR.
If the company we buy data from is CCPA compliant do we need to be?
Yes. If you are a covered company under CCPA, you are required to become CCPA compliant.
How does your service ensure compliance?
Broadly speaking, under the CCPA List Owners & Mailers are required to:
- Inform California consumers of their rights under CCPA.
- Disclose which categories and specific pieces of information are being collected.
- Detail how that information is being used, including to whom it is shared or sold.
- Provide access to personal information via a verified request mechanism
- Honor opt-out and deletion requests.
Alerts.com covers each of these compliance items and more. Notification, access, disclosure, reporting, opt-out and deletion requests are all handled within the platform. It provides consumers with an easy-access, verified request portal to access their personal information. It offers online reporting to satisfy disclosure requirements along with opt-out and deletion request options.
Ours is the only turnkey, fully automated consumer-facing CCPA solution for SMBs and Data Compilers/Brokers, Agencies & Marketing Services companies who maintain databases and/or rent prospect data.
If my company just serves as a data processing company for mailers that market into California, am I required to be compliant?
Consult with an attorney regarding your specific situation. There are some instances in which a services provider who doesn’t store or maintain consumer data will not be required to comply.
How does it work?
Alerts.com provides a cost effective, easy-to-implement solution for List Owners and Mailers subject to the CCPA, providing comprehensive data access and disclosure compliance. The site offers central repository for List Owners and Mailers to maintain CCPA-related data points and transactions, relieving them of the burden of managing compliance in-house.
Each list used or sold is uploaded to your account within Alerts.com. Easy click navigation and drop-down menus guide you through the order creation and data upload process. Compliance details such as categories of personal information, specific pieces of information, data sources and categories are captured. File layouts are easily mapped within the system and drag & drop file uploads allow for quick and easy workflows. Suppression and Deletion files are continuously updated and available for download at any time.
Is it breaking compliance rules by sharing private customer data with Alerts.com for the purpose of privacy compliance?
Do I need to report everything in my database? Are there exceptions?
No you do not. You don’t need to report “information about information.” That is to say, if you report the consumer’s address, and have a separate field reporting “SCF” (first 3-digits of the zip code), it is not necessary to report that separately.
Where are Alerts.com’s servers hosted? / Where is my data hosted and maintained?
All data is hosted at Digital Ocean (www.digitalocean.com) data centers and stored in a private clould environment with automatic backups and infrastructure redundancies, allowing guaranteed 99.99% uptime. Certifications include ISO/IEC 27001:2013, EU-U and Swiss-US Privacy Shield Certification - https://www.digitalocean.com/legal/certifications/ .
How do I know my data will be secure?
Alerts.com’s infrastructure is secured through a defense-in-depth layered approach. Access to the management network infrastructure is provided through multi-factor authentication points, which restrict network-level access to infrastructure based on job function utilizing the principle of least privilege. Our proprietary architecture permits only single, encrypted queries from our web-facing portal to your database. Systems are protected through key-based authentication and access is limited by Role-Based Access Control (RBAC). RBAC ensures that only users who require access to a system are able to login.
Personally Identifiable Information (PII) is not stored by Alerts.com. As data is uploaded to the system, it is converted to masked data (using asterisks) except for the final digit. The original version of the data with full PII is immediately deleted and not stored on our servers.
Deleting & Opting Out
If a customer currently is under contract, do we still have to delete them from our system upon request?
No, there are nine (9) exceptions regarding deletion requests included in CCPA. As always, consult your attorney to ensure your specific use case is excluded under CCPA. Following are the nine exceptions found within the Act:
1798.105 (d) A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:
- Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
- To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- Comply with a legal obligation.
- Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
Is this service just for California or can it be used for residents in other states as well?
Alerts.com can be used for residents throughout the USA, and we recommend doing so. You’ll be prepared for pending Privacy legislation that has been introduced in multiple state legislatures and which, we believe, will eventually lead to the passing of nationwide Privacy legislation.
How do we determine that a request for information by a consumer is not being requested by another party?
We verify each consumer request utilizing a third-party verification service which leverages a large ID verification database to identify and reduce potential fraud. In order to verify a given individual, the system receives consumer-input information such as name, address, email and last 4-digits of Social Security Number and confirms that information with data in the ID verification database.
If our file is multi-sourced, do we need to list each sourcing or can we list the primary sourcing used?
We recommend listing each source.
Do I have to upload all information I have on contacts or only certain headers?
We recommend that you upload all information. Consult with a privacy attorney before doing otherwise. The platform allows you to mask all sensitive Personally Identifiable Information (i.e. -Social Security Number becomes ***-**-***2 and discards the original data provided to ensure sensitive information isn’t compromised).
Will Alerts.com be available via API?
Yes! We are currently developing API functionality along with a wide range of platform improvements.
Are we able to broker this site to our clients for profit?
For legal and insurance purposes, no. However, we do have a lead referral program available only to current clients. Call your salesperson to learn more.