At monday.com, we invest significant efforts in ensuring that our products and practices comply with all global data protection and privacy laws that apply to us and our customers.
This page was created to provide you with information about the CCPA and the ways in which monday.com complies with its current requirements; and to help you keep up with the legislative and regulatory developments coming from the State of California.
CCPA – what is it all about?
The California Consumer Privacy Act of 2018 (CCPA) – which came into effect on January 1, 2020 – consists of a series of Bills that gave new privacy rights to consumers residing in the State of California, and imposed obligations on businesses processing their personal information.
While the bills were signed in October 2019 and the CCPA did come into effect on January 2020, CCPA enforcement have not yet started as California’s Attorney General is still in the process of finalizing its Proposed Regulations on implementing the CCPA.
Based on the expectation that the Regulations would have a significant impact on how the CCPA is interpreted, implemented and enforced by the relevant stakeholders, the California AG have provided a “grace period” until the time in which the regulations will be approved – currently set for July 1, 2020.
During this interim period of uncertainty, monday.com is dedicated to comply with the requirements of the CCPA and the Proposed Regulations, in light of similar regulations worldwide (such as the GDPR) and evolving industry standards – to ensure that our customers may continue using monday.com without interruption and process the personal information of California consumers as they would in other locations around the world.
Roles, responsibilities & exemptions
The CCPA distinguishes between three roles for companies involved in the processing of personal information:
● Business (similar to ‘controller’ under the GDPR)
● Service Provider (similar to ‘processor’ under the GDPR)
● Third Party (similar to a Business, but one that does not have direct interaction with the consumer)
The obligations imposed on ‘Businesses’ outline the limits of ‘sale’ of personal information and define specific actions that Businesses are required to perform, such as (but not only):
● Create “Do-Not-Sell-My-Personal-Information” button on your homepage
● Inform consumers of categories & specific pieces of information collected/sold of them
● Provide at least 2 methods of communications for requesting to exercise consumer rights
As the CCPA currently only applies to ‘consumers’ (and not ‘Data Subjects’ as defined by the GDPR), certain relationships were exempt from CCPA enforcement (pending additional debate) until January 1, 2021:
● Employee information (this includes past, current and potential employee information)
● B2B interactions (information obtained in the course of an activity between companies) For more information, visit:
● ‘Californians for Consumer Privacy’ – informational website by the movement that pushed to the creation of the CCPA
● Xavier Becerra – California’s Attorney General webpage.
How is monday.com complying with the CCPA?
● Identified monday.com’s role as a “Service Provider” under the CCPA, where we process personal information solely on behalf of our customers (the “Business” in such cases);
● Identified monday.com’s role as a “Business” where it processes personal information of Californian consumers for its own purposes. Due to the nature of monday.com’s services, its activities are typically exempt from CCPA enforcement as monday.com: (a) does not sell personal information of California consumers (or of any other data subjects); (b) obtains such information in the context and course of B2B relationships and services;
● monday.com already abides by the GDPR requirement for the right to access personal data, and has simply widened the sphere of such ability to include Californian consumers, thereby complying with the so-called “look back” requirement to ensure that consumers are able to access their personal information covering the preceding 12-month period;
● monday.com already provides technical and organizational measures for sufficiently exercising other proposed consumer rights that are similar to the GDPR (such as the right to disclosure, deletion and opt-out);
● We introduced additional amendments to monday.com’s DPA and internal procedures to reflect the specific requirements of the CCPA (such as with respect to entity roles, the maximum response time and data subject verification process, and the commitments required of a Service Provider towards the Business under the CCPA);
monday.com closely follows any developments in the legislative and regulatory process surrounding the CCPA and the AG’s Proposed Regulations, as well as engages in regular ‘benchmarking’ in light of emerging industry practices and standards.
If you have any further questions concerning monday.com’s privacy program and our ongoing efforts surrounding the CCPA, please feel free to contact our Data Protection Officer & Privacy Team, at firstname.lastname@example.org