CP Notify is now compliant with California Consumer Privacy Act (CCPA). If a citizen makes a request to their local government to have their data removed, the client can contact support to remove the citizen’s information.
- Data Owner: Local Governments (you, the client) are referred to as the Data Owner. Data Owners are fully responsible to make decisions about the data. Data Owners play an administrative role in ensuring data remains secure.
- Data Custodian: CivicPlus is referred to as the Data Custodian. Data Custodians are responsible for the technical stack and securing data. Data Custodians play a technical role in ensuring that data remains secure.
- Exceptions: There are exceptions in which data does not have to be deleted.
- For example, an individual is part of an investigation. This data would be an exception and would not be required to be deleted.
- Data is directly tied to a transaction such as a credit card payment.
- The citizen will need to make requests directly to local government such as the City of Manhattan, KS.
- The client can then request of CivicPlus that the request can be completed by CivicPlus. There will be a single location for clients to make the request regardless of the product line.
- All requests will be tied directly to the client. This means, that if a citizen exists in multiple client sites, the citizen will then have to request from each client site to be removed. While this may seem to put additional work on both the citizen and CivicPlus, the following outlines the reasoning to do this:
- Only Data Owners can make decisions about the data for their data. Because Data Owners must make the decision on how to respond, one Data Owner cannot make a decision for another Data Owner
- CivicPlus cannot possibly know if a citizen qualifies to be forgotten. For example, if a citizen requests to be forgotten by the City of Manhattan, the City of Manhattan may be okay with that. However, if that citizen is also part of Riley County, Riley County may decide that the same user is under investigation or has transactions tied their identity, and thus, cannot be forgotten. Therefore, the request will have to be made directly through each client.
- If a citizen is part of CP Notify, and that citizen wants to be forgotten by Manhattan, the citizen will be moved from Manhattan's view, and Manhattan will no longer have access to that citizen. If they are only part of Manhattan, the user will be truly forgotten. If the user is part of other organizations, that client will have to contact other organizations to be forgotten. This will be clearly stated in any responses to requests made by the citizen to ensure that the citizen is aware that they still may exist in other client systems hosted by CivicPlus.
Handling a CCPA Request for CP Notify
CP Notify is now compliant with California Consumer Privacy Act (CCPA). If a citizen makes a request to their local government to have their data removed, the client will contact support to remove the citizen’s information.
Only super users can handle CCPA requests for CP Notify. To handle the request, first, navigate to the client’s CP Notify instance and add “/privacy” to the end of the URL (i.e. https://notifications.civicplus.com/ORGNAME/privacy).
You will then need to type in the citizen’s email address and select “Search”. If there is no user found for that organization, it will return a “No user found” result.
If that user is found, you will see the user information that is stored in the system for that organization displayed below the “Search” button. This information can include:
- User Id
- First Name
- Last Name
- Email Address
- Phone Number
To remove the user’s data from the organization, select the “Delete User from Organization” button.
If you want to verify the user was removed successfully, you can search for the user again, and it should return a “No user found” result.
- This only removes them from CP Notify, so this request will also need to be handled in each of our products separately.
- If they are in multiple organizations, the citizen will just be deleted from this organization and will have to contact any/all other organizations to have their information removed.
- If they are in just this organization, they will be completely removed