Legal

California Consumer Privacy Act - Eleven

Background

The new "California Consumer Protection Act" (CCPA) came into effect on January 1, 2020. The state law grants California consumer residents new rights over their personal information. These rights are, the right to know (or access), the right to delete, and the right to opt-out of sale of personal information that a company may collect, retain, or disclose about a consumer. Additionally, the CCPA prohibits businesses from discrimination against consumers in terms of access to services if they choose to exercise their rights under the CCPA.

The CCPA applies to for profit entities doing business in California that collect, share, or sell California consumer residents personal information and either: 1) has annual gross revenues in excess of $25 million; 2) possesses the personal information of over 50,000 consumers, households, or devices; or 3) 50% or more of gross revenue comes from selling personal information.

Business-to-Business Exception

The CCPA is subject to a variety of amendments including Assembly Bill 1355 which the California Governor signed on October 11, 2019 ("AB 1355"). AB 1355 gives business-to-business solution providers a temporary, one-year exemption from the compliance requirements. A “business-to-business” solution provider refers to any company focused on selling products or services to other businesses rather than to consumers.

Specifically, AB 1355 exempts flows of personal information that are "part of a transaction where the consumer is a natural person who is acting as an employee owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency."

Eleven processing and use of personal information through the Eleven products are designed to help businesses digitize their operations and scale their growth. Eleven does not monetize the personal information handled by Eleven within the services it provides, nor does it require the use or sale of consumer personal information in rendering its services. Eleven processes business email addresses solely for the purposes of providing its business-to-business solutions.

Likewise, Eleven would not be considered a "service provider" as defined in the CCPA since it is subject to the AB 1355 exemption. Eleven will continue to monitor any further legislation that helps clarify business relationships, including the extension of AB1355 beyond 2020.

Security

Eleven has stringent state-of-the-art security controls designed to protect your data. Specifically, cybersecurity risks are taken very seriously at Eleven and are managed daily by our Security and Compliance Team. All employees are required to review and agree to Eleven strict IT Security Policies, which are annually reviewed to incorporate periodic updates. Eleven is also annually audited by 3rd party auditors for ISO 27001 compliance as well as annually audited by 3rd party auditors for penetration and vulnerability testing. All data transacted by Eleven is encrypted when in transit and at rest.