Movable Ink's Commitment to CCPA

What is the CCPA?

The California Consumer Privacy Act (CCPA) gives consumers residing in California more control over the personal information that businesses collect about them and grants them GDPR-like rights of deletion, access, portability, as well as a right to opt-out of the sale of their personal information. The CCPA took effect on January 1, 2020, with enforcement beginning July 1, 2020.The California Privacy Rights Act (CPRA), a ballot measure that was approved by California voters on Nov. 3, 2020, significantly amends and expands the CCPA, and it is sometimes referred to as “CCPA 2.0.”The CPRA took effect on Dec. 16, 2020, but most of the provisions revising the CCPA became “operative” on Jan. 1, 2023, at which point the CPRA rights and obligations will cover employee and business data, in addition to service data. Among other things, the CPRA (i) creates a category for “sensitive personal information” and a corresponding consumer’s right to limit the use of such information (ii) adds a consumer’s right to opt out of the sharing of their personal information with third parties for purposes of cross-context behavioral advertising and (iii) requires businesses collecting personal information from consumers to clearly inform them when they employ automated decision-making technology.

‌

To Whom Does the CCPA Apply?

The CCPA applies to for-profit businesses that do business in California and meet any of the following:

• Have a gross annual revenue of over $25 million;

• Buys, “sells” or “shares” the personal information of 100,000 California residents or households; or

• Derive 50% or more of their annual revenue from selling California residents’ personal information.

‌

Is Movable Ink Compliant?

Yes. Movable Ink’s dedicated Information Security & Compliance team maintains a comprehensive privacy and security program which is based on the principles of transparency, fairness, and accountability. Some examples of data protection measures that Movable Ink has implemented include:

• Annual internal Security Risk Assessment (SRA) with remediation;

• Annual internal Compliance Control Assessment with remediation;

• Annual third-party penetration testing by a qualified supplier with remediation;

• TLS 1.2 or SNI fully supported for data encryption in transit;

• AES-256 fully supported for data encryption at rest;

• Customer data is not stored in non-production environments (e.g., Movable Ink’s staging environment);

• Regularly scheduled Qualys network and application vulnerability scans with remediation.

As a “service provider” to our clients, Movable Ink processes personal information in order to meet its contractual obligations and does not “sell” or “share” personal information, as those terms are defined in the CCPA, does not process any Sensitive Personal Information and does not engage in cross-context behavioral advertising or automated decision making. Movable Ink’s general privacy statement on the CCPA is located at https://movableink.com/privacy-policy. Movable Ink also has processes in place to ensure timely processing of consumer requests submitted by our clients who are subject to CCPA. While our existing privacy practices already satisfy the core requirements of the CCPA, we are actively monitoring the evolving CCPA regulations in order to address any additional compliance requirements that may be promulgated.