Introduction to US Privacy RegulationsUnderstanding roles and responsibilities in data processingApplicability and thresholdsSmilecloud's role as a service providerContinuous compliance and updates

Smilecloud and the CCPA (and other US Privacy Regulations)

The following is for informational purposes only and does not constitute contractual obligations. Our legal relationships with customers are governed solely by our formal legal agreements. For specific legal advice, please consult with your own legal counsel.

Introduction to US Privacy Regulations

The US privacy laws landscape is a mix of federal and state regulations, each designed to safeguard personal data. These laws protect individual privacy rights and ensure responsible data handling by organizations. Central principles of these regulations include transparency in data practices, consumer control over personal information, and accountability for data security. They aim to foster trust and privacy in the digital age.

State-specific laws like the California Consumer Privacy Act (CCPA) complement federal regulations, addressing unique aspects of data privacy at the state level and introducing additional protections and obligations for businesses.

Understanding roles and responsibilities in data processing

Similar to the GDPR's distinction between controllers and processors, the CCPA and other US privacy laws differentiate between:

  • 'businesses': the entity that determines the purposes and means of processing personal information and 
  • 'service providers': which process personal information on behalf of a business under specific contractual agreements and guidelines.

Applicability and thresholds

Most US privacy laws set specific thresholds to determine their applicability to businesses. These criteria often include factors like annual revenue and the volume or nature of data processed. Only entities meeting these thresholds are required to comply with the specific provisions of these laws.

At Smilecloud, our operations typically fall below these specified thresholds when functioning as a business. This means that while we are mindful of the regulations, we are not always subject to all the requirements imposed by these privacy laws.

In any case, our GDPR compliance provides a strong foundation for alignment with US privacy laws, including the CCPA. The principles we follow under GDPR overlap significantly with those required by US regulations, facilitating our compliance in multiple jurisdictions.

Smilecloud's role as a service provider

As a service provider processing information on behalf of our customers, we have undergone the following compliance efforts:

  • Our terms of service incorporate a Data Processing Addendum (DPA) that specifies our role as a service provider.
  • Our DPA requires us to assist businesses in responding to consumer rights requests under the CCPA and other US privacy laws. This includes requests for access to (including the "look back" requirement), deletion of, and information about the sharing of personal data. 
  • We have implemented and maintain reasonable security measures to protect the personal information we process, including measures to prevent unauthorized access and exfiltration, theft, or disclosure of personal information.
  • We ensure that our employees who handle personal information or consumer inquiries are trained and aware of their responsibilities under various privacy regulations. 
  • We conduct regular compliance audits and monitor our data processing practices to ensure they align with our contractual obligations as a service provider.
  • We ensure that similar data protection obligations bind our subcontractors and third parties that handle personal information.
  • We do not sell personal information that we process on behalf of a business.
  • We maintain records of our processing activities and consumer requests. 
  • We collect and process only the personal information necessary to fulfill the purposes outlined in our contract with the business.
  • We have an incident response plan in case of a data breach.

Continuous compliance and updates

Smilecloud is committed to continuously monitoring changes in privacy regulations. We regularly update our data processing and privacy practices to align with legal changes, ensuring our methods are current and effective in meeting regulatory standards.

For further information or support regarding our privacy practices and compliance, please contact us at contact@smilecloud.com. Our Data Protection Officer may be reached at dpo@smilecloud.com.