Fishbowl is committed to honoring and protecting the privacy of our website visitors and our clients’ information, as well as the personal information of their customers. Since 2000, Fishbowl’s mission has been to provide highly functional and valuable marketing tools to its clients backed by best-in-class customer service. Our privacy initiatives are the latest step in fulfilling our mission.
Compliance is an intensive process that requires consistency, diligence, and, perhaps most importantly, collaboration. Fishbowl (as a processor/service provider) believes that a strong partnership with our clients (as controllers/”businesses”) is an important part of the compliance process. Fishbowl believes in being transparent and forthright with our clients as to our information security protocols. We find that compliance works best when our clients feel similarly.
You are probably already familiar with the CCPA and the fact that its January 1, 2020, effective date is quickly approaching. As a reminder, the CCPA requires covered businesses (like most of our clients) to provide California residents substantially increased notice, access, and control of their personal information. For an overview of the CCPA, please see the following resources:
- CCPA Fact Sheet by California Attorney General’s Office
- Text of CCPA
- Proposed California Attorney General Regulations for CCPA
As expected, there are many questions that have arisen in the course of analyzing the CCPA with our clients and partners. This privacy brief is intended to provide an update regarding Fishbowl’s current thinking on certain aspects of the new law as they may apply to Fishbowl and the services we provide to you.
From a compliance readiness perspective, Fishbowl has conducted a cross-functional review of our various business functions to develop methods of compliance for Fishbowl to utilize throughout the entire data lifecycle — from receipt of our clients’ content to destruction or return of the same.
Fortunately, Fishbowl is not starting from square one. As a result of the GDPR initiative and our goal of future-proofing our compliance, we built a framework to handle many of the requirements. Nevertheless, there are differences that will require additional work to get ready for the CCPA. Below are a few examples of some of the similarities and differences.
|Sample Business Requirement||GDPR||CCPA|
|Applies to both “offline” and digital personal data/information||Yes||Yes|
|Must provide detailed information on how personal data/information collected is used and processed||Yes||Yes|
|Must provide consumers access to information held about them||Yes||Yes|
|Must provide a right to rectification (i.e., correction)||Yes||No|
|Must provide individuals a right to have data about them deleted||Yes||Yes|
|Must include a “Do Not Sell My Personal Information” link on websites and privacy notices||No||Yes|
Not only do we have extensive experience based on our GDPR readiness efforts, but we have implemented procedures that, in our view, will ultimately enable us to help our Fishbowl meet its compliance and contractual requirements to its clients. To reacquaint you with the GDPR and UK privacy laws, please visit these sites:
- United Kingdom’s Information Commissioners Office
- European Commission Rules for Businesses and Organisations
- E-Privacy Directive
Based on the type of personal information that Fishbowl has and the purposes the data is used for, we have identified a number of broad, but interrelated, workstreams that must be addressed: impact to processing/storage of client data, impact to Fishbowl data products/solution offerings, internal documentation/training, and obligations for employee data.
Importantly, the CCPA prohibits a service provider like Fishbowl from retaining, using, or disclosing personal information provided to it by its clients or a consumer for any purpose other than for the specific purpose of performing the services set forth in the contract, and Fishbowl’s collection, sale (broadly defined under CCPA), or use of the personal information disclosed must be limited to perform the “business purpose” for which Fishbowl was retained. These expressions of intent must be incorporated into our written agreement with our clients.
As with the GDPR, the CCPA requires consumer access to their personal information, which covers three types of data: (i) data collected, (ii) data sold, and (iii) data disclosed. Our clients – as a “covered business” – must be able to provide California consumers who make access requests a report showing the categories of personal information and “specific pieces of information” for the data the Client has collected or had collected on its behalf, and the categories of personal information and third parties for the data it has sold or disclosed. Under our current agreements, any client content (including any consumer data) belongs to our clients – as it should. Accordingly, Fishbowl is not permitted to access, delete, or otherwise manipulate that client content in the processing of a consumer request exercising a right under applicable privacy laws. This general prohibition will remain unchanged when the CCPA becomes effective. However, in 2018, we added functionality in our platforms to allow our clients in meeting their compliance obligations under the GDPR. This same functionality will allow our clients to meet their obligations under the CCPA. For more information about this functionality, please contact your Account Manager or email@example.com. Of course, we will continue to diligently inform you of any consumer requests we receive on your behalf. Fishbowl – as it has been since 2000 – is here to assist you in using our services and this now includes responding to any consumer requests.
If you have any questions about Fishbowl’s privacy or information security practices, please contact your Account Manager or firstname.lastname@example.org.