GiveGab and CCPA
What is CCPA?
The California Consumer Privacy Act (CCPA) is legislation passed within the California State Government that focuses on protecting the personal data of California citizens. The legislation is unique in that it is the first of its kind in the United States and sets forth regulations for any for-profit business that collects consumer privacy data for California citizens, regardless of that company’s location. It grants individuals greater control over their personal information, giving them a say on how their data is handled, including what information can be used, whether it can be transferred to third parties, and when it should be erased. CCPA was signed into law in 2018 and is enforced starting roughly Q2 of 2020.
If you’re interested in learning more, the full legislation and additional regulation details can be found here: http://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&chapter=&article=
What is GiveGab's role in enforcing CCPA?
GiveGab collects standard personally identifiable information (PII) on volunteers, donors, nonprofit administrators, and others that leverage our platforms to interact with nonprofit organizations. In this case, GiveGab operates as the business on behalf of organizations (e.g., nonprofits) which receive this information within the context of CCPA.
GiveGab primarily does business with not-for-profit (i.e. nonprofit, NPO) organizations, which are not within the scope of CCPA; however, GiveGab does allow individuals to opt to share PII about their giving history, publicly with other users and in some cases, their employers. Full details are noted in the "Scope of Applicability" section below.
How does GiveGab comply with CCPA?
We have detailed out below how, as a business, we comply with CCPA.
Scope of Applicability
CCPA only applies to for-profit companies which collect and handle the personal information of Californians, regardless of a physical location in the state, and which meet one of the following criteria: (a) annual gross revenue in excess of $25M, (b) receive or share personal information of more than 50,000 California consumers annually, or (c) derive at least 50% of annual revenue from the sale of personal information of CA consumers.
More specifically GiveGab collects PII about donors, volunteers and fundraisers within the following contexts:
- GiveGab primarily does business with not-for-profit (i.e. nonprofit, NPO) organizations, which are not within the scope of CCPA.
- When users donate, volunteer, or fundraise, they are given options to share or not share their giving activity and PII publicly and/or with the organization that is receiving the benefit of their action.
- In some cases, such as with our Giving Day platform, users are able to choose to associate with and share their giving activity with their employers or businesses that they are affiliated with.
Personal Information Collected
Consent and Right to Opt Out
When Creating a GiveGab User Account:
While not required, users that choose to create an account on GiveGab are consenting to our Terms and Conditions which are publicly available at GiveGab.com. Users that choose to create accounts are provided the opportunity to hide their PII, as well as adjust communication settings including unsubscribing from notifications.
We capture consent during the signup process to more clearly articulate that users are agreeing to GiveGab's terms and conditions as noted above.
When Donating, Volunteering, or Fundraising:
While not-for-profit organizations are not within the scope of CCPA, we do provide users a number of opportunities during the giving processes to remain anonymous and to hide their information publicly. Additionally, users are not required to affiliate with an employer during the giving process.
If a user does not feel that their information is being adequately hidden from the benefitting organization (i.e. while donating, etc), the user can follow the steps within the "Right to Deletion" section below.
Right To Know / Access / Portability
Consumers also have the right to know and to request access to their personal information collected by a business, including information about what categories of personal information have been collected, disclosed or sold, categories of sources from which the information was collected, categories of third parties receiving the personal information; and the purpose for collecting or selling such information. Additionally, consumers have the right to know specific pieces of personal information collected by a business (not just the categories) and to receive their personal information in a “readily usable format” that is also portable, free of charge and delivered within 45 days of their request.
GiveGab users can request this either directly from the organization with which they have a relationship or by contacting email@example.com. We will be able to provide them secure access to a full user account where they can view all giving history and information that has been collected. They are able to receive a copy of this information in a couple different formats, including exporting giving history as a CSV. Furthermore, they can request deletion follow the steps within the "Right to Deletion" section below.
Right to Deletion
Any user with an account, or any individual interacting with the platform where PII data has been collected, has the right to have their PII deleted. While we are contractually obligated to keep information about interactions and transactions with the nonprofit organizations, we can eliminate a user's PII via anonymization of that PII data. We provide the process and mechanism to do this; however, ultimately, need to notify the organization that this is happening.
Users can request this either directly from the nonprofit organization with which they have a relationship or by contacting firstname.lastname@example.org. If the user contacts GiveGab support, we still have to interact with the organization to notify them of the deletion.
While GiveGab can guarantee that we have removed PII from our platform, ultimately, the NPO organization, which is out of scope of CCPA may still have your PII within their database. At this point, it is up to the user to work directly with the organization if they desire further deletion.
Right to Equal Services and Price
The CCPA prohibits businesses from discriminating against CA consumers in retaliation for exercising their rights under the law. However, they are permitted to offer different prices or levels of service, if such differences are reasonably related to the value provided to the consumer by the consumer’s personal information.
GiveGab does not discriminate against any user. Our pricing is based on different levels of service and volume of processing our platforms perform.
Security and Privacy Program Management
GiveGab securely stores all PII encrypted at rest. All data is securely transferred over TLS 1.2. All data is secure and only accessible by appropriate administrative levels of authority within the system.
Consumers who choose to leverage our services but remain anonymous have their information redacted from the platform in appropriate measures that prevent unauthorized viewers from seeing this information.
GiveGab leverages Data Protection by Design (DPD) principles in its daily development and operations workflows. Our code is continuously tested including analyzing any third party libraries for security vulnerabilities so that we can ensure those are updated and addressed. We leverage single sign-on tools, public/private key encryption for system access, and all data is transmitted securely over Transport Layer Security (TLS) 1.2+ or Hypertext Transfer Protocol Secure (HTTPS).
All data within GiveGab platforms is encrypted at rest within highly secure cloud IaaS and PaaS. All GiveGab data is securely stored within a PCI and SOC compliant IaaS provider. Any sensitive information falling under other compliance is protected with multiple levels of authorization access. All passwords are securely hashed.
Consumers have a private right of action in accordance with CCPA if their information is not properly secured. Further questions may be directed at GiveGab’s Data Protection Officer (DPO) by emailing email@example.com.
Disclosure of Personal Information Sold
Under the CCPA, businesses that sell or disclose personal information for business purposes will be required to disclose certain information to consumers upon receipt of a verifiable consumer request. In connection with this requirement, they must also maintain separate listings for data collected, sold or shared for business purposes and for commercial purposes.
GiveGab users can request this by contacting firstname.lastname@example.org.
Privacy Policies Disclosures
Effective January 1, 2020