California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"), which amends and extends the CCPA, aim to "give consumers more control over the personal information that businesses collect about them". If your organization is a for-profit business that "does business" in California and meets any one of the following thresholds:
- Has annual gross revenues of greater than $25 million.
- Annually buys, sells, or shares the personal information of 100,000 or more consumers or households.
- Derives at least 50% of its annual revenue from selling or sharing consumers' personal information.
then you need to comply with the CCPA/CPRA.
The sections below detail the key requirements of CCPA/CPRA and explain how NoahFace provides businesses with capabilities in the NoahFace Service to help you comply with each of them.
Notice at Collection
The CCPA/CPRA requires that "a business that collects personal information from a consumer shall provide a notice at collection". This notice at collection must:
- "Be made readily available where consumers will encounter it at or before the point of collection of any personal information."
- "Use plain, straightforward language and avoid technical or legal jargon."
- "Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California."
- Include "the categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared."
- Include "the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared."
- Include "the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose."
The NoahFace Service includes a privacy statement that:
- Is presented when a consumer (eg: an employee) registers to use the NoahFace App for the first time, before the consumer's photo and biometrics are recorded.
- Uses plain, straightforward language.
- Is available in multiple languages (eg: English and Spanish).
- Lists the personal information and sensitive personal information (ie: photos and biometrics) that is collected.
- Explains the business purpose of the personal information and sensitive personal information that is collected.
- Explains how long the personal information and sensitive personal information will be retained.
- States that the personal information and sensitive personal information will not be sold or shared.
- Can be extended with additional disclosures if required.
If the privacy statement is accepted, the NoahFace Service will capture the consumer's photo and extract their biometric data. If the privacy statement is not accepted, the consumer can still use the NoahFace Service by manually identifying themselves using non-biometric methods (eg: passcodes).
The date and time each consumer accepts the privacy statement is recorded and can be viewed through the NoahFace Service.
Consumer Rights
All California residents (including employees, from 1 January 2023) are considered "consumers" and have the following rights under the CCPA/CPRA:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to access the personal information a business has collected about them;
- The right to correct inaccurate personal information a business has collected about them;
- The right to delete personal information a business has collected about them (with some exceptions);
- The right to opt-out of the sale or sharing of their personal information;
- The right to opt-in to the sale or sharing of their personal information (required for minors under 16, and for consumers who have previously opted out);
- The right to limit use and disclosure of sensitive personal information; and
- The right to non-discrimination for exercising their CCPA/CPRA rights.
The NoahFace Service provides businesses with capabilities to help you comply with these consumer rights as follows:
- As detailed in the above Notice at Collection section, the privacy statement in the NoahFace App informs consumers about personal information collected and how it is used.
- Businesses that use the NoahFace Service can authorize individuals (eg: HR Managers) to view, export, update, and delete personal information held in the NoahFace Service, which supports the consumer's rights to access, correct, and delete that information.
- Consumers (eg: employees) that do not want their sensitive personal information (ie: biometrics) collected can still make use of the NoahFace Service by identifying themselves using non-biometric methods (eg: passcodes).
It is also important to note that NoahFace, as a Service Provider to businesses, does NOT sell or share personal information or sensitive personal information stored in the NoahFace Service.
Reasonable Security
The CCPA/CPRA requires that "businesses should take reasonable precautions to protect consumers' personal information from a security breach."
NoahFace has designed data protection into the core of the NoahFace Service. In particular, the NoahFace Service:
- Encrypts personal information both in transit and at rest.
- Only permits authorized individuals within a business (eg: HR Managers) to view, export, update, or delete personal information.
- Does not permit the export of biometrics, even by system administrators.
- Enforces business-configurable password rules (eg: minimum length, complexity, and expiry periods).
- Automatically destroys a consumer's biometrics whenever either:
  - The consumer's record is removed from the NoahFace Service (eg: when the employer / employee relationship is terminated).
  - The consumer's consent to the use of their biometrics is withdrawn. In this case, the consumer can continue to use the NoahFace Service by manually identifying themselves using non-biometric methods (eg: passcodes).
- Records all accesses to the NoahFace Service in an audit log.
It is also important to note that NoahFace, as a Service Provider to businesses, does NOT access or use personal information or sensitive personal information stored in the NoahFace Service for its own purposes.