
VWO and the CCPA

Last updated: Nov 07, 2019

VWO’s commitment to data privacy and protection

VWO believes privacy and protecting data are core aspects of trust in today’s technology world. We take our own data protection commitment to you and your customers very seriously. We are acutely aware that we need to earn and maintain your trust on a daily basis.

VWO is committed to protecting your privacy and sees CCPA as an opportunity to strengthen our commitment even further. We don’t collect or process users’ personal information beyond what is required for the functioning of our services, and this will never change.

VWO has put in place processes and procedures to comply with the various provisions of CCPA—consumer rights, data protection addendum, data deletion, data retention, and pseudonymization, which align with our core values of customer trust and data privacy.

What Is the CCPA?

The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (CCPA) is a U.S. law that was enacted in 2018 in the State of California. Generally, it expands upon the privacy rights available to Californian citizens and lists data protection requirements with which companies must comply.

Similar to the GDPR, the CCPA establishes and enhances consumer privacy rights for California residents and imposes rules on businesses that handle their personal information, meaning information that relates to, describes, is associated with, or can be linked to an individual.

The CCPA grants Californian consumers new rights with respect to the collection of their personal information and requires a business to comply with certain obligations, including:

  1. The consumer’s right to receive a copy, in a readily usable format, of the specific personal information collected about them during the twelve (12) months prior to their request.
  2. The consumer’s right to know a business’s data collection practices, including the categories of personal information it has collected, the source of the information, the business’s use of the information, and to whom the business disclosed the information it has collected about the consumer.
  3. The consumer’s right to have such personal information deleted.
  4. The consumer’s right to know the business’ data sale practices and to request that their personal information not be sold to third parties.
  5. A prohibition on businesses discriminating against a consumer for exercising a consumer right.
  6. An obligation on businesses to notify a consumer of their rights.

Data Privacy and Information Security Certifications

We hold the following certifications to ensure CCPA preparedness:

  1. ISO 27001:2013 Information Security Management Systems [ISMS]: ISMS ensures a systematic approach to managing sensitive company information so that it remains secure. ISMS includes people, processes, and IT systems by applying a risk management process.
  2. ISO 27701:2019 Privacy Information Management System [PIMS] & CCPA Act Compliance: ISO 27701 is internationally recognized and built as an extension of the widely-used ISO/IEC 27001 and ISO/IEC 27002 standards for information security management. It is a global privacy standard that focuses on the collection and processing of personally identifiable information (PII). This standard was developed to help organizations comply with international privacy frameworks and laws.
  3. System and Organization Controls 2 Type II (SOC 2 Type II): SOC 2 Type II is a rigorous auditing standard developed by the American Institute of CPAs (AICPA). It ensures that companies have established and maintained effective controls to protect the security, availability, processing integrity, confidentiality, and privacy of customer data.

How does the CCPA apply to VWO customers?

VWO customers that collect and store personal information are considered Businesses under the CCPA. Businesses bear the primary responsibility for ensuring that their processing of personal information is compliant with relevant data protection law, including the CCPA.

VWO acts as a Service Provider, as such term is defined in the current version of the CCPA, and shall collect, access, maintain, use, process and transfer the personal information of our customers and our customers’ end-users solely for the purpose of performing our obligations under our existing contract(s) with our subscribers, and for no commercial purpose other than the performance of such obligations and improvement of the Services we provide.

How VWO is Helping Businesses Become CCPA-ready

The California State Legislature has indicated that it may further amend the CCPA. In light of such amendments, VWO is actively tracking the law and we will continue to keep our customers updated on features and functionality they can use to support their compliance efforts. Customers can also view the table below for more detailed information on how to use VWO Services to comply with data privacy laws.

The CCPA will become enforceable on January 1, 2020. We will evaluate and adapt our practices where necessary to ensure that we will be compliant.

At VWO, we ensure that our customer data is secure and easily accessible. VWO is built on a foundation of trust, security, and compliance to ensure that our internal data practices are CCPA-ready. An equally important part for us is to assist our customers and partners in their journey toward compliance. With that in mind, we have the following details about the VWO Experience Optimization Platform:

Storing and managing personal information for visitors

  VWO feature: Session Recordings

  How it works: By default, VWO anonymizes all key presses to avoid storing or transmitting any personal or sensitive information on VWO servers. We have features to anonymize the following:

  1. Hide all text in the HTML body.
  2. Whitelist using a CSS selector path: This option can be used to specifically anonymize or whitelist an input/non-input field or text labels.
  3. Anonymize a specific element by using the nls_protected class.

  VWO feature: Custom Dimensions

  How it works: The process of creating a custom dimension in VWO includes the following features:

  1. By default, VWO will filter all incoming data for a custom dimension for personal properties like email addresses, credit card numbers, and others.
  2. Users are recommended to encrypt all incoming data.

  VWO feature: Location Information

  How it works: Customers can customize what location information of visitors is stored or completely disable storing any location information.

  IP Address: By default, VWO replaces the last octet of the IP address with 0 before saving it. Customers can now customize this setting and disable storing the IP address.

Collecting Consent

  VWO feature: On-page Surveys

  How it works: We have the option to display a consent message at the beginning of each survey. The message can also include links to policies and other information.

  VWO feature: Browser Privacy Settings

  How it works: Customers can configure their privacy settings in the VWO app to stop recording any information about the website visitors who have the “Do Not Track” setting enabled on their browsers.

Consumer Rights

  VWO feature: Security Settings

  How it works: Customers can request data for their website or mobile app visitors through a visitor’s UUID. A link will be generated by VWO that will collect all the data for the specific UUID or potential data such as URLs and visitor recordings for a defined time period.

  VWO feature: Security Settings

  How it works: Customers can request the deletion of data for their website or mobile app visitors through their visitor’s UUID.


What We Are Doing to Ensure You Can Use VWO Products in a CCPA-Ready Manner

The CCPA is focused on organizational compliance instead of product-level compliance. However, we attach the utmost importance to how we build our products and have adopted a Privacy and Security by Design approach. Our products are designed with privacy and security in mind and as a core component of our development process.

As a business, you will need to ensure you are compliant with your own obligations under the CCPA. However, if you buy VWO Services, we aim to ensure that you can use our Services in a CCPA-Ready manner, helping you to satisfy your obligations under the CCPA. For example, we design our products to facilitate data minimization and provide better insight into and control over your data flows in order to make it easier for you to satisfy your CCPA obligations as a business.

Does VWO sell personal information?

We do not sell our customers’ personal information as currently defined under the CCPA, meaning that we also do not rent, disclose, release, transfer, make available or otherwise communicate that personal information to a third party for monetary or other valuable consideration. We may share aggregated and/or anonymized information regarding your use of the Service(s) with third parties to help us develop and improve the Services and provide our customers with more relevant content and service offerings as detailed in our customer agreements.

What guidance can VWO provide regarding the CCPA?

VWO cannot provide legal advice to customers regarding the CCPA at this time. Customers should consult their legal counsel on how the CCPA specifically applies to them and how to achieve their own compliance.

VWO values our customers’ trust, and we share the same concerns as our customers over the privacy of our customers’ information. As part of its robust privacy program, VWO has mapped its global privacy practices to E.U. data privacy law. 

For information on these practices and the functionality we provide to support our customers’ compliance, please visit the rest of our Privacy Policy, Cookies Stored by VWO, How to Opt-out, and Data Deletion Policy. These resources detail the privacy and security measures undertaken by VWO to protect its customers’ personal information, our data retention/deletion policies, and features available in our Services that enable our customers to comply with their end-user privacy requests.

You can also learn more about our privacy practices here. You can obtain our current Data Processing Addendum here.

Privacy and information protection act FAQ

Frequently Asked Questions about the California Consumer Privacy Act (CCPA).

1. What is CCPA?

The California Consumer Privacy Act (CCPA) was created to protect the privacy and personal information of consumers. The CCPA initiative states that the act is intended to give Californians the ‘who, what, where, and when’ of how businesses handle consumers’ personal information. The act requires businesses to tell consumers what information they are collecting and gives consumers the right to say no to the sale of their personal information. It will also allow consumers to sue companies if their personal information is breached.

 

2. Who does it apply to?

CCPA applies to any organization that works with the personal information of California residents. This law introduces new obligations for business processing information while clearly stating the accountability of business information controllers.

 

3. Where does the CCPA apply?

This law doesn’t have territorial boundaries. It doesn’t matter where your organization is from — if you process the personal information of consumers of California, you come under the jurisdiction of the law.

 

4. What are the penalties for non-compliance?

The CCPA is enforced primarily by the California attorney general, who may seek civil penalties of up to $2,500 per violation or up to $7,500 per intentional violation. The law, however, also provides a private right of action for certain data breaches arising from violations of California’s data security law. Affected California residents can seek $100 to $750 in statutory damages per individual per incident or actual damages, whichever is greater.

 

5. Who are the key stakeholders?

Consumer– The CCPA defines consumer as a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, however identified, including by any unique identifier. According to the referenced state regulations, a California resident is any individual who is

  1. “in the state of California for other than a temporary or transitory purpose,”
  2. “domiciled in the state” of California and “outside of the state for a temporary or transitory purpose.”

Business– A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

  1. Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185
  2. Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
  3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Service Provider– “Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing personal information for a commercial purpose other than providing the services specified in the contract with the business.

Third Parties– Under the California Consumer Privacy Act (CCPA), entities that process data subject to CCPA but are neither businesses nor service providers are considered ‘third parties’ (see Section 1798.140(w) of the California Civil Code).

Under 1798.115 (d) of the California Civil Code, a third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received an explicit notice and is provided an opportunity to exercise the right to opt-out.

 

6. What is personal information or Personally Identifiable Information (PII)?

Any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender, etc).

 

7. Where is my information located?

The data of vwo.com customers will reside in the US with IBM Softlayer and Google Cloud Platform (GCP).

 

8. Comparison with GDPR

The European Union has been at the forefront of consumer privacy since the 1996 Data Privacy Directive to the current GDPR, which provides even greater privacy rights to EU residents. Some even refer to the CCPA as California’s GDPR. While there are a number of similarities between the two, there are also many differences. Table 1 provides a comparison. Companies that implemented GDPR-level compliance can leverage parts of their program to meet CCPA requirements. However, additional program development for CCPA will still be required.

Table 1: CCPA compared to the European Union’s GDPR

Scope
  California CCPA: Rights, disclosure, transparency
  EU GDPR: Omnibus, covers much more

Personal Information
  California CCPA: Broader, includes households and devices
  EU GDPR: Includes personal data as well as special categories

Rights
  California CCPA: Rights to access and deletion broader
  EU GDPR: Similar rights to erasure

Security
  California CCPA: Not included
  EU GDPR: Procedures for protecting information

Disclosures
  California CCPA: Specific requirements for disclosure
  EU GDPR: Less prescriptive

Data Sharing
  California CCPA: More restrictive, but no rules for transfers outside the USA
  EU GDPR: Restriction on data transfers outside of specific countries

Privacy By Design/Default
  California CCPA: Not included
  EU GDPR: Required

Data Protection Impact Assessment
  California CCPA: Not included
  EU GDPR: Required if criteria met

Breach Notification
  California CCPA: Not included
  EU GDPR: 72-hour requirement

Data Protection Officer
  California CCPA: Not required
  EU GDPR: Required if criteria met

Enforcement
  California CCPA: Attorney general and litigators
  EU GDPR: Privacy regulators

 

9. Where can I find additional resources on CCPA?

Here are some links you can refer to for additional reading on the CCPA:

Note: VWO/Wingify is not responsible for the above-mentioned links in section 9.

Please feel free to ask questions and share concerns with us at privacy@wingify.com

Choose Privacy. Choose VWO.

Enterprise-Grade Data Security You Can Trust

With certifications such as ISO 27001:2013, ISO 27701:2019, and SOC 2 Type II, VWO upholds a high level of data privacy and security, as expected by world-class businesses.
