California Consumer Privacy Act (CCPA) and Fullstory

Updated November 2020

About the California Consumer Privacy Act and Fullstory

First, a disclaimer: The information we discuss in this article is provided for informational purposes only and is not meant to serve as legal advice. You should work closely with legal and other professional counsel to determine exactly how the CCPA may or may not apply to you and your company. In some places we will cite specific sections of the CCPA for your reference.

If you’ve landed here, you’ve likely already heard lots about the California Consumer Privacy Act (CCPA). There is already a lot of other great content that explains in detail what the CCPA is. Here, we’ll mostly focus on the CCPA’s impact on your business and how it relates to your use of Fullstory.

1. What is the CCPA?

California Assembly Bill (AB) 375, also known as The California Consumer Privacy Act of 2018, was signed into law by Governor Jerry Brown in June 2018 and went into effect January 1, 2020. Officially, the goal of The California Consumer Privacy Act (CCPA) is “to further Californians’ right to privacy by giving consumers an effective way to control their personal information.” The act outlines five new rights protecting California consumers (see CCPA Sections 1798.100-125):

  • The right of Californians to know what personal information is being collected about them.

  • The right of Californians to know whether their personal information is sold or disclosed and to whom.

  • The right of Californians to say no to the sale of personal information.

  • The right of Californians to access (or request deletion of) their personal information.

  • The right of Californians to equal service and price, even if they exercise their privacy rights.


2. Does the CCPA apply to your business?

Since the CCPA was enacted to protect the privacy rights of consumers in California, you may be wondering how this will affect you and your business (especially if you aren’t located in California). When determining how your business might be impacted by the CCPA, there are a few things you might want to consider:

  • The CCPA applies to companies that “do business” in California and meet ONE or more of these minimum thresholds:

    • Has annual gross revenues in excess of 25 million dollars ($25,000,000).

    • “Collects” or “Sells” the personal information of 50,000 or more consumers, households or devices.

      • “Collect” - “...buying, renting, gathering, obtaining, receiving, or accessing any ‘personal information’ pertaining to a consumer...actively or passively, or by observing the consumer’s behavior.”

      • “Sell” - “...selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating...a consumer’s personal information...for monetary or other valuable consideration.”

    • Derives 50% or more of its annual revenues from selling consumers’ personal information.

  • The CCPA does not apply when the collection or sale of personal information occurs “wholly outside of California” (See Section 1798.145 (a)(6)).

  • A covered “business”, as defined by the CCPA, may require its “service provider” to comply with the CCPA if the business shares personal information with the “service provider.” A “service provider” is defined as a legal entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.

What is ‘valuable consideration’?

While “valuable consideration” is not defined in the CCPA, the concept of “consideration” is defined in the California Civil Code (§ 1605) and is a well understood concept of California contract law.

Basically, “valuable consideration” can be taken to mean that if your business exchanges end-user personal information for a business benefit, then you are likely “selling” personal information.


3. What does the CCPA require of your business?

Most of what the CCPA mandates is related to being upfront and transparent with consumers about data collection practices. While best practices around operationalizing the CCPA are subject to change in the short term, there are a few key concepts that are clearly important for you to keep in mind when considering how the CCPA relates to your business’ use of personal information.

  • Have a clear understanding of what constitutes “personal information.”

  • Update privacy policies to include descriptions of data collection practices and a summary of consumers’ rights under the CCPA. For businesses that sell or otherwise disclose (see above for a definition of “sell”) personal information for a “business practice”:

    • The privacy policy must disclose this fact.

    • The privacy policy must also contain a link to an “opt-out” page where a consumer can choose for their personal information to not be sold.

  • Respond to verified consumer requests for information disclosure or deletion within the appropriate window of time.

What does the CCPA consider “personal information?”

The definition of personal information included within the CCPA is quite expansive. The CCPA states that:

“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The law includes many examples of things that can be considered personal information. These include where a person lives, geolocation information, social network information, and biometric information. Familiarizing yourself with how the concept of “personal information” applies to your business should be an important consideration.

This only begins to scratch the surface of a very complex topic, but there are more detailed breakdowns of the CCPA’s concept of “personal information” available elsewhere on the web.

Note: As a reminder, the Fullstory Acceptable Use Policy already prohibits transmitting sensitive personal information such as social security numbers, health information, etc., to Fullstory. We have worked hard to provide easy-to-use tools that allow you to ensure these kinds of sensitive information never leave the end-user’s browser.

We will discuss more about how the CCPA’s requirements and the concept of “personal information” relate to Fullstory and session replay below.


4. How does the CCPA affect your business and Fullstory?

It is natural to wonder how the CCPA might affect the relationship your company has with Fullstory—or the relationship we both have with your end-users. The good news is that things haven’t really changed.

If you are a Customer (“business” under the CCPA) using Fullstory, then you can consider Fullstory a “service provider” under the CCPA. As a service provider, Fullstory will process personal information for business purposes on your behalf. Fullstory will not sell, retain, use, or disclose any personal information except as necessary to perform our agreed-upon business purpose. Pretty much business as usual!

But what about end-users … do I need permission from them to keep using Fullstory?

The CCPA requires companies to disclose their practices of information collection and sale in their privacy policies. Businesses are required to provide consumers an opt-out for the sale of personal information but are not required to offer a similar opt-out for information collection.

Note: Fullstory’s Terms & Conditions require our Customers to have obtained all consents and approvals necessary in order to use the data collected by Fullstory and that they do not and will not violate any law or regulation applicable to them. For more information on this topic please reference this article or see section 11.1 of Fullstory’s Terms & Conditions. And remember, you cannot sell or exchange any information obtained by using Fullstory.

Now, you may run into situations where obtaining more specific, explicit end-user consent makes sense for your digital property. In these cases, the FS.consent API allows you to selectively record parts of your site or app based on explicit end-user consent. For more information regarding use of the FS.consent API in your deployment of Fullstory please check out this knowledge base article.


5. Fullstory data collection and the CCPA

At Fullstory, we want to empower you and your company to create more perfect digital experiences for your customers. In order to accomplish this, Fullstory stores and organizes a lot of data on your behalf. To better understand where Fullstory and the CCPA intersect, you need to know what kinds of information Fullstory collects, what we do with it, and how that information is visible in the platform.

What types of data does Fullstory collect?

Fullstory makes a detailed accounting of every action that takes place on your site or app. From mouse movements and clicks to screen swipes or typing, we store and organize as much as you tell us to! We also store copies of page assets such as images, text, CSS, etc.

It is important that any elements in your digital property that can potentially contain sensitive data are properly excluded from collection.

It is also possible to pass information into Fullstory that was obtained elsewhere. We will discuss this in more detail in a later section.

What does Fullstory do with the data we store on your behalf?

Fullstory allows you to get at both qualitative and quantitative insights from a single set of data. To do this, we use digital experience data to generate charts and graphs, create heatmap visualizations, and render pixel-perfect session replays. In addition, we make all of the raw event data available via data export (JSON format) for you to slice and dice using the data visualization tool of your choice.

Where is personal information visible in the Fullstory platform?

There are basically two places in the Fullstory platform where it would be possible to view collected personal information. These two places are Session Replay and Data Export.

  • Session Replay: Session replay is the reproduction of a user’s interactions on a website or web application exactly or as close as possible to how the user actually experienced it. In order for any session replay tool to work, session replay vendors (like Fullstory!) must store users’ digital interactions on websites and apps down to the individual clicks, taps, scrolls, mouse movements, etc. Reproducing these interactions results in a DVR-like reproduction of those experiences, just how they happened (Learn how session replay works in our definitive guide).

    Replay is useful for all sorts of reasons—e.g. to support customers, debug errors, optimize pages, and more—and offers a totally different level of insight than traditional analytics alone.

  • Data Export: Fullstory’s Data Export provides a periodic, raw data extract of events that have been recorded for your organization and an API endpoint to retrieve the data extracts. This data set can be used on its own or to supplement existing models that aim to analyze user interactions on a website or app.

Although personal information can be visible in both session replay and data export, data export only contains a subset of the information potentially visible in session replay. This is because data export contains only information related to events, like text or elements a user clicked.

Session replay, on the other hand, contains the event information as well as the images and other text that make up the site or app itself. Because session replay has the most surface area we recommend you optimize exclusions with session replay in mind. Doing so should result in a clean data export as well.

Fullstory and personal information

How do Fullstory and the collection of personal information intersect? Just because something is considered personal information doesn’t mean you cannot collect it or pass that information to Fullstory. There are valid business reasons why a company would know a person’s name or email address, for example, and why having that information in Fullstory might make sense.

Your business must determine what kinds of personal information to collect for valid business purposes. Based on these determinations, your business must inform consumers appropriately through your privacy policy and/or terms of service.

Now, there are two main ways personal information can make its way into Fullstory:

  1. The first way personal information can make its way into Fullstory is through the collection of non-excluded text content in a website or app. This text may be either part of the site, or something typed into a field by an end-user. Either way, this collected text would be visible in a session replay. It is up to you, the Fullstory customer, to ensure any page elements or fields that contain sensitive personal information are properly excluded. We have provided the tools necessary for you to accomplish this and you can read more about that process here.

  2. The second way that personal information can end up in Fullstory is that you can actively send user data like name, email address, company, etc. to Fullstory using one of our APIs (FS.identify or FS.setUserVars) or one of our many integrations. For more information, including best practices, on passing additional end-user data into Fullstory check out our help articles on FS.identify and FS.setUserVars.

Now that you understand how personal information flows into Fullstory, it is important for you to verify that sensitive information is being properly excluded from collection and that the information you are using is appropriate and necessary for improving the digital experience of your end-users.

But what about IP addresses... are they personal information?

This is a great question because people have a whole range of differing intuitions when it comes to IP addresses. Unfortunately, there isn’t a simple yes or no on this one.

Whether or not an IP address will be considered personal information may depend on what other information you have in addition to the IP address itself. Work with your legal counsel to determine how you wish to treat IP addresses in the case of your business. If you determine IP addresses are personal information in the context of your business, it doesn’t mean you can’t still use them, but it likely means that if updating your privacy policy for CCPA compliance, you will want to keep this decision in mind.

If for some reason you decide to ditch IP addresses altogether, then Fullstory is here to help make that easy for you. Fullstory allows you to discard all end-user IP addresses via your in-app settings. Learn how to do this here.


6. Honoring end-user personal information requests

As previously mentioned, the CCPA grants consumers the right to request that a business disclose information collected about them or delete said information. While you will be the one working directly with your end-users to honor their requests, Fullstory wants to be sure you have all the tools at your disposal to make this as frictionless as possible.

Let’s dive into some specifics around how Fullstory empowers you to comply with information requests and process user deletions.

Deletion requests

Fullstory users with admin privileges can entirely erase end-users from their account at the click of a button. (Okay, two buttons.) The “Delete User” button is located at the bottom of a User Card in Fullstory. The whole user deletion process looks like this:

[Image: how to delete a Fullstory user]

After a user is completely deleted, a discreet email is sent acting as a receipt to confirm that the appropriate action has been taken. In addition to this deletion via the Fullstory UI, we also offer an API endpoint for deleting users.

Personal information access requests

California-based end-users may submit personal information requests to your company at any time. It is likely that personal information about your end-users may be spread across multiple systems, but finding any personal information you may have passed into Fullstory should be quite straightforward.

Using Fullstory’s OmniSearch you can quickly narrow in on any information you may currently be storing related to an individual consumer or household. Using this information, you can have an informed conversation with your end-user about their data and even provide them a copy if needed.

Like with the “Delete User” functionality that we discussed above, the buttons allowing you to “Download user events” and “Download user pages” are available at the bottom of the User Card in Fullstory. The User Event download contains all the recorded event data for a particular user that is searchable/viewable in Fullstory. The User Pages download file contains a series of all the pages that the end-user has visited on your site/app.

Learn more about downloading end-user data files.

Note: Fullstory will not deal directly with end-users regarding personal information requests (or user deletions). Because the data held in Fullstory belongs to you/them, we will direct them to you in order to discuss these matters.


7. Does Fullstory offer a Data Processing Agreement (DPA)?

Yes. You can view and sign our DPA online or send your version to privacy@fullstory.com for review.


8. How will I know if I'm compliant with the CCPA?

There is currently no means by which a company can be “certified” as compliant with the CCPA. We recommend that you consult your legal advisors to determine what actions you should take in order to become and remain compliant with the CCPA.

As the CCPA has yet to come into effect, it is important to stay up to date with any last-minute changes made to the act before that date. The California Attorney General’s office posts resources related to the CCPA here and has a CCPA newsletter you can subscribe to for updates here.

Another helpful resource is the CCPA amendment tracker maintained by the International Association of Privacy Professionals.