Disclaimer: This content is for informational purposes only, and should not be used as legal advice regarding data privacy laws.
What is CCPA & CPRA?
CCPA is California’s Consumer Privacy Act and has been in place since January 2020. It provides residents of California with data rights to enable them to take control of their personal information. The California Privacy Rights Act (CPRA) will amend the CCPA, strengthening rights and bringing in new requirements for organizations. It takes effect on January 1, 2023.
How are things changing?
The CPRA grants additional consumer rights and expands these rights to employees. The changes include:
Establishing ‘sensitive personal information’ (SPI) as a new category and providing individuals with the right to specify how this data is used.
Strengthening rights around data access and deletion.
Establishing new opt-out rights for consumers. Under the CCPA, opt-out was permitted from the sale of personal information. The CPRA extends the opt-out to the sharing of personal information as well.
Introducing a new requirement for companies processing ‘high-risk’ data to perform annual cybersecurity audits.
In addition, the CPRA establishes a new Agency, the California Privacy Protection Agency (CPPA) to oversee and enforce data privacy regulations.
Is Sign In Scheduling CCPA & CPRA Ready?
Yes. Sign In Scheduling takes data privacy seriously and as well as having tools for GDPR (for EU businesses) and HIPAA (US medical businesses) we can help you be compliant with the CCPA and CPRA.
As always with data privacy; it is ultimately you who will need to use Sign In Scheduling and your other software tools in an appropriate way to make sure you comply with the CCPA and CPRA.
What steps should I take to ensure compliance with the CCPA and CPRA?
Check if your business is included in the scope of the new CPRA, as the qualifying criteria and thresholds have changed.
Make sure you know the ‘purpose’ for the information that you collect and use.
Know what data you hold and who you share it with, especially if it is sold to, or shared with, third parties.
Have a privacy policy that complies with the CCPA and CPRA guidance.
Have consent from all your customers to use their data for the purpose for which you hold it (i.e. your privacy policy), including opt-outs if you sell or share their data to third parties.
If you are dealing with any data classed as ‘sensitive personal information’, you will need to inform customers about this and provide them with the option to limit how their SPI is used.
Be ready to respond to requests for access and deletion of client data, and ensure you communicate requests for deletion to any third parties you have shared the data with.
Check if you need to undertake annual audits.
Always carry out your own due diligence and monitor regulatory updates, to ensure you’re compliant with data privacy laws.
Does Sign In Scheduling sell or share user data to third parties that I need to declare to my clients?
Whilst the CCPA made it mandatory for any business selling PII to let consumers opt-out of having their data sold (often via a ‘do not sell my info’ link on the website homepage), the CPRA expands these rights by enabling consumers to also limit sharing of their data (with a ‘Do not sell or share my personal information’ opt-out, for example).
Whilst Sign In Scheduling does not sell any user data, we do share it with trusted third parties. We share your data with third parties who provide services on our behalf, relating to the infrastructure and operation of Sign In Scheduling. All our third-party service providers are required to take appropriate security measures to protect your data and we do not allow them to use your data for their own purposes. We permit them to process your data on a minimum access basis only.
Do I need to change the way I manage bookings or take bookings online?
With CCPA and CPRA, it’s important to get your customers’ consent at the point of booking to collect their data. Sign In Scheduling’s opt-in feature allows you to ask key questions at booking, and then store and manage those responses (such as permission to use their data).
How does Sign In Scheduling help me with requests for information access or deletion?
Access: Sign In Scheduling has standard tools to help you access all customer information stored in Sign In Scheduling automatically so that you can supply it to them.
Deletion: We have a standard process for deleting user information in a secure manner.
Remember that you must verify that the person requesting the information is either the person in question or a legitimate agent of that person.
What data do I need to tell my customers I store in Sign In Scheduling?
That depends on how you use Sign In Scheduling and what data you store. You are the one who puts data into Sign In Scheduling so it is up to you to make sure that it complies with your policies.
We believe that a good privacy policy should inform all customers about what data you store, how you use it, how long you store it for, and who you share it with. Where you are processing SPI you will also need explicit consent from users to collect this category of data.
Sign In Scheduling stores and processes client information in the following manner:
For booking appointments so that the Individual User can access Sign In Scheduling Client’s facilities and services;
To set up and send reminders for bookings via email, social media platforms and SMS messaging;
To send messages related to specific bookings via email, social media platforms and SMS messaging;
To send general messages to Individual Users when requested to, by the Client.