Data Privacy Compliance Series: What Engineering and IT Leaders Need to Know
A Guide to CCPA Compliance When Using Third-Party APIs
If your business uses third-party APIs, you face some data privacy and compliance challenges under the California Consumer Privacy Act (CCPA) that are specific to that integration pattern: personal information leaves your systems with every API call. As an engineering or IT leader, understanding those challenges is a critical first step to implementing proactive approaches that protect your customers’ privacy.
What the CCPA Is
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020 and outlines new requirements for managing, tracking and deleting consumers’ personal information. The CCPA is based on the idea that your customers own their personal information and gives them rights and protections to reflect that idea.
What It Protects
The CCPA protects California residents and their personal information. Even if your business is located outside of California, if you collect personal information from California residents – including through the use of third-party APIs – and you meet one of the thresholds described below, the CCPA applies to you.
The new act defines personal information broadly and includes any information that is “reasonably linkable” to a person’s identity, as well as biometric information (like DNA or fingerprints), internet activity information, geolocation data, employment or educational information (unless it’s publicly available) or any inferences drawn from personal information to create a profile of a consumer’s behavior, preferences or characteristics.
The CCPA also requires opt-in consent before a business can sell the personal information of consumers under 16: consumers aged 13 to 15 must opt in themselves, and a parent or guardian must opt in for children under 13. There are further personal information privacy protections for children outlined in the federal Children’s Online Privacy Protection Act (COPPA).
Why It Matters to You If You’re Consuming APIs
The CCPA applies to your business if it does business in California, collects or controls California residents’ personal information and meets at least one of these thresholds:
- Annual gross revenue in excess of $25 million
- Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices – note that this includes personal information bought, sold or shared through third-party APIs
- Derives 50% or more of its annual revenue from selling consumers’ personal information
Civil penalties for noncompliance are up to $2,500 per unintentional violation and up to $7,500 per intentional violation, and each affected consumer can count as a separate violation, so depending on how many customers you have, penalties can add up quickly. Separately, if a data breach results from a failure to maintain reasonable security, consumers can sue for statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater). The CCPA as originally enacted gives a business 30 days to cure a violation after being notified before an enforcement action proceeds.
What You Need to Provide for Your Customers
Under the CCPA, your customers or users have six new rights when it comes to their personal information. They have the right to:
- Know what personal information is being collected about them
- Know whether their personal information is sold or disclosed and to whom
- Say no to the sale of their personal information
- Access the personal information that has been collected about them
- Request that a business delete their personal information (unless it’s information that needs to be retained for legal reasons)
- Not be discriminated against for exercising these privacy rights (meaning that businesses can’t deny services, adjust prices or offer a different quality of service to customers who make any of the above requests)
What the CCPA Requires of Your Business
To be in compliance with the CCPA, you need to provide a notice to your customers before you collect any of their data and give them a clear, accessible place to submit requests about accessing or deleting their data. The CCPA even specifies that businesses should include a “Do Not Sell My Personal Information” link on their website or app homepage to make it as simple as possible for customers to opt out of the sale or sharing of their data.
Businesses also need to maintain records of all data privacy requests received and how the business responded to those requests for 24 months to prove their compliance.
Three Things You’ll Need to (Easily) Comply with the CCPA
To comply with the CCPA and honor the rights of customers who want to know what personal information of theirs your business has collected or shared (or who want to delete their information altogether), you’ll need clear visibility into every data transaction between your company, your customers and any third-party APIs you’re using. That requires three things:
- Auditable System of Record
Maintain a system of record that clearly and reliably keeps track of every piece of personal information, how it’s used and where it goes, including which fields were sent to which vendor and when. This is what you will query to answer an access request or prove a deletion was propagated.
- Monitoring
Develop a reliable system for monitoring all data transactions and automatically flag any violations (e.g. the personal information of a customer who “opted out” being shared with a third-party API in error, or a field being sent to a vendor that was never approved to receive it).
- Data Policy Controls
Make sure you have enforceable data policy controls across all of your integrations. Controlling which fields can be shared with each vendor, and failing closed for vendors with no defined policy, mitigates compliance violations and reduces the fallout if a vendor has a breach, because the vendor never held data it did not need.
Hoss lets you track, tag and monitor all of your data processing activities with third-party APIs to help you protect your customers’ privacy and stay compliant with the CCPA as simply as possible. Get in touch to learn more.