GDPR and CCPA
How we protect your privacy
The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are laws designed to protect the personal data of EU citizens and California residents. The onus is on organizations not only to secure this data but also to obtain consent for its collection and to delete it upon request. Although GDPR and CCPA exist to protect EU citizens and California residents, any business that collects data about EU citizens or California residents must comply with these laws, regardless of where that business is located.
At GrowthZone, we are working to ensure that our own practices are GDPR/CCPA-compliant. This includes updates to our privacy policy describing how we handle your data as a processor and how we will assist you, our client, as the controller of that data. We are continually working towards compliance with the GDPR and CCPA.
DISCLAIMER: This should not be considered legal advice for your company to use in complying with EU or California data privacy laws. The purpose is to provide background information to help you understand how GrowthZone is helping you to be prepared. We recommend that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.
Below is a detailed list of how we will handle these situations. In the table below, imagine that Elizabeth, one of your portal users, is an EU citizen or California resident. Here is a primer on what the GDPR/CCPA regulations mean and how they will affect your communications with Elizabeth.
Each entry below gives the regulation, its meaning for you as the controller, and the GrowthZone action.

Regulation: Lawful basis of processing
Meaning: You must have a legal reason to use Elizabeth’s data. That could be consent (opt-in) with notice (you told her what she was opting into), performance of a contract (e.g. she is your customer and you want to invoice her), or “legitimate interest” (e.g. she is a customer and you want to send her product information).
You need the ability to record that reason (also known as the “lawful basis”) for a given contact.
GrowthZone action: We have updated our privacy policy. You should update yours as well, and record the lawful basis for each contact.

Regulation: Consent
Meaning: Consent is defined differently under the CCPA and the GDPR, but the combined requirements amount to this:
- You need to make clear what Elizabeth is opting into. That is called “notice.”
- She needs to opt in on her own (meaning pre-checked boxes are not valid). Filling out a form alone cannot implicitly opt her into everything your company sends.
- The consent needs to be explicit for every way you process and use her personal data (e.g. newsletter or sales calls). You must keep a record of what she consented to, what she was told (notice), and when she consented.
- Any information about Elizabeth purchased from other data providers (with or without her knowledge) must be included in the response to any request made by or on behalf of Elizabeth.
- Where Elizabeth is a minor, the CCPA requires a process to obtain parental or guardian consent for minors under 13 years of age, and the affirmative consent of minors aged 13 to 15, before their personal information is sold.
GrowthZone action: At GrowthZone we are adding features to make collecting, tracking, and managing consent in a GDPR/CCPA-compliant way as straightforward as possible.

Regulation: Withdrawal of consent (opt out)
Meaning: Elizabeth must have the ability to withdraw consent (or object to how you are processing her data). Under the CCPA, Elizabeth must also have the ability to opt out of the sale of her personal information. Do not ask her to opt back in for 12 months following an opt-out request made by or on behalf of Elizabeth.
GrowthZone action: Within GrowthZone, your guests/members may request to ‘unsubscribe’ from further communications as well as to ‘remove’ their data. ‘Unsubscribe’ (or ‘opt-out’) removes their email address from further communications, while a ‘remove’ request begins the process of pseudonymization.

Regulation: Cookies
Meaning: Elizabeth must be given notice, in clear terminology, that you are using cookies to track her, and she must consent to cookie tracking.
GrowthZone action: We have updated our Privacy Policy to include how the GrowthZone systems use cookies. You may share this information with all guests/members, if desired. Responding to an invitation, registering, or purchasing a spot for an event within the system represents acceptance of our use of cookies.

Regulation: Right to be forgotten
Meaning: Elizabeth can request that you delete her personal data. This is commonly called the “right to be forgotten,” and GDPR/CCPA require permanent removal of her personal information once the legitimate purpose for which it was collected has been fulfilled.
GrowthZone action: As the controller of the data, you are responsible for interpreting this regulation (deciding the actions you will take) and for providing a method by which Elizabeth can exercise the right to be forgotten. You will need to provide an electronic or written process, with instructions, that your guests can easily access in order to make such a request.

Regulation: Access and portability
Meaning: Elizabeth can request a list of the personal data you hold about her (name, email address, etc.). If she requests access, you must provide a copy of the data in a machine-readable format (e.g. CSV or similar).
She can also request confirmation of the lawfulness of processing (proof that she gave consent for it).
GrowthZone action: In the MemberSuite system, all personal data can be viewed in the membership portal (user profile).
As mentioned above, she will have the ability to view in her profile what she has consented to.

Regulation: Modification
Meaning: Elizabeth may ask you to modify her personal data if it is inaccurate or incomplete. In this case, you need to be able to accommodate that request.
GrowthZone action: You can do so from within Elizabeth’s contact record in the MemberSuite system. Or, depending on how you have configured your system, a guest/member can log in and update their information on their own.

Regulation: Opt-out of the sale of personal information
Meaning: The CCPA requires links and processes that direct guests to a web page enabling them, or someone they authorize, to opt out of the sale of the resident’s personal information.
GrowthZone action: GrowthZone states in both our Terms of Service and Privacy Policy that we never sell any information to third parties.