monday.com & the CCPA

Last Updated: November 24, 2020

At monday.com, we invest significant efforts in ensuring that our products and practices comply with all global data protection and privacy laws that apply to us and our customers.

In this page we provide information about the California Consumer Privacy Act of 2018 (CCPA) and the ways in which monday.com complies with its current requirements.

CCPA – what is it all about?

The CCPA, which came into effect on January 1, 2020 and became enforceable on July 1, 2020, consists of a series of bills that gave new privacy rights to consumers residing in the State of California, and imposes obligations on businesses processing their personal information.

Roles, responsibilities & exemptions

The CCPA distinguishes between three roles for companies involved in the processing of personal information:

  • Business (similar to ‘data controller’ under the GDPR)
  • Service Provider (similar to ‘data processor’ under the GDPR)
  • Third Party (similar to a Business, but one that does not have direct interaction with the consumer)

The CCPA generally applies to Businesses who fulfil one or more of the following conditions: (i) have a gross revenue greater than $25 million; (ii) Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes; (iii) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The obligations imposed on ‘Businesses’ outline the limits of ‘sale’ of personal information and define specific actions that Businesses are required to perform, such as:

  • Create “Do-Not-Sell-My-Personal-Information” button on your homepage
  • Inform consumers of categories & specific pieces of information collected/sold of them
  • Provide at least 2 methods of communications for requesting to exercise consumer rights

As the CCPA currently only applies to ‘consumers’ (and not ‘Data Subjects’ as defined by the GDPR), certain relationships were exempt from CCPA enforcement:

  • Employee information (this includes past, current and potential employee information)
  • B2B interactions (information obtained in the course of an activity between companies)

How is monday.com complying with the CCPA?

  • Identified monday.com’s role as a “Service Provider” under the CCPA, where we process personal information solely on behalf of our customers (the “Business” in such cases);
  • Identified monday.com’s role as a “Business” where it processes personal information of California consumers for its own purposes. Due to the nature of monday.com’s services, its activities are typically exempt from CCPA enforcement as monday.com: (a) does not sell personal information of California consumers (or of any other data subjects); (b) obtains such information in the context and course of B2B relationships and services;
  • monday.com has already invested significant effort and resources into its GDPR program for the right to access personal data, and has simply widened the scope of applicability to include California consumers, thereby complying with the so-called “look back” requirement to ensure that consumers are able to access their personal information covering the preceding 12-month period;
  • monday.com already provides technical and organizational measures for sufficiently exercising other proposed consumer rights that are similar rights granted under the GDPR (such as the right to disclosure, deletion and opt-out);
  • Updated our Privacy Policy, to ensure that it sufficiently addresses CCPA consumer rights and industry standard practices;
  • Introduced additional amendments to monday.com’s data processing addendum (DPA) and internal procedures to reflect the specific requirements of the CCPA (such as with respect to entity roles, the maximum response time and data subject verification process, and the commitments required of a Service Provider towards the Business under the CCPA);
  • Having procedures for handling suspected breaches concerning personal information, limiting use, disclosure and retention of personal information, and regularly conducting privacy training for all relevant members of our staff.

What’s next?

monday.com closely follows developments surrounding the CCPA and the AG’s Proposed Regulations, as well as monitoring legislative developments both in California and in other US states.

If you have any further questions concerning monday.com’s privacy program and our ongoing efforts surrounding the CCPA, please feel free to contact our Data Protection Officer & Privacy Team, at dpo@monday.com

Empowering teams to accomplish more, together

14-day free trial | No credit card needed