California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:

Definitions

  • “JEMHC” : Enterprise Mail Handler for Jira Cloud

  • “Controller” : Our customer subscribing to the JEMHC Service

  • “We” , “Processor” : Us, The Plugin People Ltd, vendor of the JEMHC Service

  • “End-User” : a person or entity, sending email to Controller managed mailboxes that are processed by the JEMHC Service, or that are notified by the JEMHC Service

  • “Sub-Processor” : Service providers The Plugin People Ltd use in order to deliver the JEMHC Service and/or provide support for same

Appendix A - Para 5 : What businesses does the CCPA apply to?

The CCPA applies to for-profit businesses that do business in California and meet any of the following:

  • Have a gross annual revenue of over $25 million;

  • Buy, sell, or share the personal information of 100,000 or more California residents or households; or

  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

Why the CCPA does not apply to The Plugin People Ltd

Have a gross annual revenue of over $25 million

We don’t currently exceed this level.

Buy, sell, or share the personal information of 100,000 or more California residents or households; or

We do not buy, sell or share personal information, period. We only process personal information under contract with the Controller, in the role of Processor, in provision of the JEMHC Service to enable processing of email sent by End-Users to Controller managed mailboxes, and/or in response to support interactions carried out by those End-Users.

Derive 50% or more of their annual revenue from selling California residents’ personal information.

We do not sell End-User (or Controller) data, period.

Whilst the CCPA doesn’t apply to the Processor, it may apply to the Controller entity using the JEMHC Service. We are happy to assist the Controller with their obligations under the CCPA and clarify the responsibilities below.

All requests by End-Users require verification/validation in order to be acted on.

Right to know

Controller is responsible for related responses

Processor can be asked for confirmation of data held in our support system.

Right to delete

Controller is responsible for deleting data, specifically:

  • Audit history (in/out)

  • Test Cases

Processor may hold data provided through support by the Controller. Deletion from our system can be made through the Controller, and/or directly, by email, from the same account to be deleted.

Right to opt-out of sale or sharing

Controller should be contacted for any concerns.

Processor does not sell end-user data. Processor uses Sub-Processors to process End-User data in delivering the JEMHC Service and providing support to the Controller for same. Processor does not share End-User data beyond this scope.

Right to correct

Controller has responsibility to correct email address information within their Jira system.

Processor doesn’t retain End-User data in any meaningful context that could be corrected.

Right to limit use and disclosure of sensitive personal information

Controller is responsible for configuring the processing of inbound mail from End-Users.

Controller is responsible for any customization of outbound notifications that End-Users receive.