monday.com & the CCPA
At monday.com, we invest significant efforts in ensuring that our products and practices comply with all global data protection and privacy laws that apply to us and our customers.
This page provides information about the California Consumer Privacy Act of 2018 (CCPA) and how monday.com complies with its current requirements.
CCPA – what is it all about?
The CCPA grants privacy rights to “consumers” residing in the State of California, and imposes obligations on businesses processing their personal information. The California Privacy Rights Act (CPRA) amended the CCPA in 2023 to introduce additional safeguards and restrictions for businesses to further strengthen the privacy rights of California consumers. Further regulations which are issued from time to time by the California Attorney General and the California Privacy Protection Agency continue to introduce additional requirements to the CCPA.
Roles & responsibilities
The CCPA distinguishes between certain roles and responsibilities for companies involved in the processing of personal information:
- Business (similar to ‘data controller’ under the GDPR),
- Service Provider/Contractor (similar to ‘data processor’ under the GDPR),
- Third Party (similar to a Business, but one that does not have a direct interaction with the consumer).
How does monday.com comply with the CCPA?
monday.com has done the following to comply with the CCPA:
- Identified monday.com’s role as a “Service Provider” under the CCPA, where it processes personal information solely on behalf of our customers (the “Business” in such cases);
- Identified monday.com’s role as a “Business” where it processes personal information of California consumers for its own purposes (e.g. website visitors’ information);
- In monday.com’s activities as a Service Provider, monday.com does not sell or share personal information of California consumers (or of any other data subjects). Where we act as a Business, monday.com offers California consumers the opportunity to opt out of the sale or sharing of their personal information (e.g. the use of advertising cookies via our website);
- monday.com has already invested significant efforts and resources into its GDPR program for the right to access personal data, and has widened the scope of applicability to include California consumers, thereby complying with the so-called “look back” requirement to ensure that consumers are able to access their personal information covering the preceding 12-month period;
- monday.com already provides technical and organizational measures for sufficiently exercising other proposed consumer rights that are similar rights granted under the GDPR (such as the right to disclosure, deletion and opt-out);
- Updated our Privacy Policy to ensure that it sufficiently addresses CCPA consumer rights and industry standard practices;
- Introduced additional amendments to monday.com’s data processing addendum (DPA) and internal procedures to reflect the specific requirements of the CCPA (such as with respect to entity roles, the maximum response time and data subject verification process, and the commitments required of a Service Provider towards the Business under the CCPA);
- Having procedures for handling suspected breaches concerning personal information, limiting use, disclosure and retention of personal information, and regularly conducting privacy training for all relevant members of our staff.
If you have any further questions concerning monday.com’s privacy program and our ongoing efforts surrounding the CCPA, please feel free to contact our Data Protection Officer & Privacy Team, at dpo@monday.com.