The California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199) and the rules promulgated thereunder, as amended or superseded from time to time (the “CCPA”), goes into effect on January 1, 2020. To ensure compliance with the CCPA, Signifyd is rolling out updates to its compliance program for our customers who fall within the scope of the CCPA. To facilitate our customers’ compliance with requirements for contracts between entities involved in processing personal information, Signifyd is providing its customers with a CCPA Addendum which supplements the terms that govern all related orders for fraud-related services between Subscriber and Signifyd, Inc. (the “Agreement”).
On October 10, 2019, the California Attorney General (the “CA AG”) published proposed draft regulations (“Proposed Regulations”) and we expect the final regulations to reflect at least the same level of exceptions for fraud-related service providers. Similar to the General Data Protection Regulation and other privacy regimes, the CCPA recognizes the importance of fraud detection and prevention services. Notwithstanding the limitation on service providers to restrict the use of personal information to providing services under a contract, Section 333.314(c) of the Proposed Regulations permits service providers to “combine personal information received from one or more entities to which it is a service provider, on behalf of such business, to the extent necessary to detect data security incidents, or protect against fraudulent or illegal activity.” As such, this use of personal information, which would otherwise be considered a sale, is not considered a sale if used for fraud protection.
While the CCPA imposes obligations on companies to pass through deletion and “Do Not Sell My Information” requests from end-users to applicable service providers, it does not require companies to pass on access requests from end-users.
Section 1798.105(d)(2) of the CCPA provides an exemption from the deletion requirement for fraud detection services. Based on the current state of the CCPA, Signifyd’s position is that we would not need to comply with any such requests to delete personal information from California residents in connection with our fraud-related services. However, if we receive a deletion request, we will respond and describe the basis for the denial, including any applicable statutory exception to complying with the request.
As the CA AG provides additional guidance and finalizes the proposed regulations, we will update our CCPA Privacy Notice and modify our practices as necessary to comply with the CCPA.
Who needs to execute Signifyd’s CCPA Addendum?
For any question involving the interpretation or applicability of the CCPA, you should consult with your legal counsel.
In general, Signifyd customers must execute the CCPA Addendum if they provide goods or services to California residents and satisfy one of the following criteria:
- Have at least $25 million in annual gross revenue; and
- Processes the personal information of at least 50,000 consumers, households or devices; or
- Derives at least half of its annual revenues from selling consumers’ personal information.
A Signifyd customer does not need to execute the CCPA Addendum if it does not pass any personal information from residents of California to us; however, because the CCPA applies to a business as soon as it meets the compliance threshold, we request you still execute the CCPA Addendum to ensure compliance should you start to offer goods or services to California residents.
Who should sign the CCPA Addendum for my company, and how can they do so?
The CCPA Addendum should be signed and executed by an authorized signatory for your company. If you are not sure whether you are an authorized signatory, consult your legal counsel before signing.
The DocuSign version of the CCPA Addendum is made available for customers in jurisdictions that accept esignatures and can be completed and signed electronically. If you have multiple entities with master subscription agreements with Signifyd, please enter each such entity on the “Subscriber” line or execute multiple versions of the CCPA Addendum if there are different authorized signatories. If necessary, you can download a PDF version of the CCPA Addendum and manually execute it, and submit it as an email attachment to email@example.com.
What if I have additional questions?
If you have questions that are not answered here, please contact your Signifyd representative, and they will put you in contact with Signifyd’s compliance and legal departments, or reach out to firstname.lastname@example.org.