Developers know that guarding privacy is key to building trust. A positive development in privacy regulation is the California Consumer Privacy Act (CCPA), which goes into effect in January 2020. This law requires businesses to make tough choices about how they handle user information, including publicly declaring whether they sell users’ personal information. In line with our standing commitment to preserving user privacy, GitHub has chosen a clear pro-privacy path, and we encourage other internet platforms to follow in our footsteps for the benefit of users. GitHub does NOT sell our users’ personal information. While CCPA only covers California residents, GitHub will voluntarily extend its core rights for people to control their data to all of our users across the United States, not just those who live in California.
Like the European Union’s landmark privacy law, the General Data Protection Regulation (GDPR), the CCPA gives users control of their personal information. The CCPA provides users with the right to access their personal information that a business collects, uses, or sells. It also provides users the rights to ask businesses to delete their personal information and protects users from discriminatory treatment if they exercise their CCPA rights. But unlike GDPR, this law only imposes requirements on businesses and only gives rights to California residents. Although that is the extent of the law, GitHub will voluntarily extend the core rights for people to control their data under CCPA when it takes effect to all of our users in the U.S., not just those who live in California.
The CCPA also requires businesses that sell user information to post a button or logo that says “Do Not Sell My Personal Information” clearly on their homepage as a way to allow users to opt out of the sale of their personal information. This law uses a broad definition of “sale”—the act of disclosing personal information “for monetary or other valuable consideration.” In other words, selling doesn’t require the exchange of money—anything of value counts under the CCPA. GitHub does not sell our users’ personal information, so you won’t see a “Do Not Sell” button on our website or any of our services.
The CCPA goes into effect in January 2020. Businesses whose activity falls within the definition of “sale” either need to display a “Do Not Sell” button prominently on their website or change their business practices so they no longer fall within that definition.
The GDPR and CCPA aren’t the only data protection laws that developers shipping to a global audience will need to consider. At least 107 countries have data protection laws, with many expected to work on new or updated legislation in the coming year. The US Congress will likely consider federal legislation, which may or may not preempt state laws—and we’re looking forward to robust privacy protections it may establish for users. In addition, the US state of Washington’s legislature is considering a similar privacy act to the CCPA.
In order to determine what data protection laws are applicable and what specific actions are necessary for compliance, many developers will work with an in-house legal team or outside counsel. However, there are several general principles and practices that developers can keep in mind to help prepare for compliance with the CCPA or other new data protection laws, and more importantly, help protect the users of whatever developers are building. The following sections cover a few ways you can prepare.
- Data inventory: To adequately protect your users’ data, you need to make sure you’re tracking data flows to know who has access to what data, where it goes, and where it’s stored.
- Internal documentation: Make sure you have clear rules and explanations for anyone who handles or touches user data in any way.
Mapping your data flows isn’t only about understanding how to protect the data. It will also help you respond to requests from users to access their data, or, in some cases, delete it: you can’t produce or erase a record you don’t know you hold.
Keep in mind that the CCPA uses a different framework, different definitions, and a different scope than GDPR. This means it’s not as simple as doing whatever you’re already doing for GDPR compliance. For example, the CCPA requires certain disclosures that GDPR doesn’t, and it structures user information requests differently. You’ll need to adjust your system for responding to those requests accordingly.
Like GDPR, the CCPA requires you to disclose who you share information with. The CCPA also requires you to state which categories of data you share, both at the time you collect it and in response to user requests. To make sure vendors or anyone else you share user information with are adequately protecting it, it’s a good idea to sign a data protection agreement with them. Since we’re not your lawyers, that’s about as far as we’ll go—but it’s probably a good idea to consult one to help you with that.
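To make the data inventory and disclosure points above concrete, here is an added example (written for this post, not GitHub’s own tooling) of a minimal personal-data inventory that answers the questions the CCPA asks: which categories you share and with whom, which disclosures might count as a “sale” because they are made for something of value, what you hold on a given user, and where to delete it. Every system, vendor, field and record in it is hypothetical and constructed for illustration; the `inventory_gaps` check is the part a practitioner most wants, because it catches data that exists in a store but was never mapped, which is the data you cannot honor an access or deletion request for.

```python
"""Added example (not GitHub's code): a minimal personal-data inventory used to
answer CCPA-style disclosure, access and deletion requests.
All systems, vendors and records below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DataElement:
    field: str                   # field name as stored
    category: str                # category label used in public disclosures
    stores: Tuple[str, ...]      # internal systems that persist the field
    recipients: Tuple[str, ...]  # third parties the field is disclosed to
    for_consideration: bool      # disclosed for money or other valuable consideration?


# Constructed inventory (hypothetical systems and vendors).
INVENTORY: List[DataElement] = [
    DataElement("email", "identifiers", ("users_db",), ("mail_provider",), False),
    DataElement("billing_address", "identifiers", ("billing_db",), ("payment_processor",), False),
    DataElement("ip_address", "internet_activity", ("access_logs",), ("cdn_provider",), False),
    DataElement("usage_events", "internet_activity", ("analytics_db",), ("analytics_vendor",), True),
]

# Constructed data stores: store name -> user id -> field -> value.
STORES: Dict[str, Dict[str, Dict[str, str]]] = {
    "users_db": {"u1": {"email": "alice@example.com"}},
    "billing_db": {"u1": {"billing_address": "1 Main St"}},
    "access_logs": {"u1": {"ip_address": "203.0.113.7"}},
    "analytics_db": {"u1": {"usage_events": "42 page views"}},
    # A field nobody added to the inventory: exactly the gap the audit should catch.
    "support_db": {"u1": {"phone": "555-0100"}},
}


def categories_disclosed() -> Dict[str, List[str]]:
    """Categories shared with third parties, and with whom (for the notice at collection)."""
    out: Dict[str, set] = {}
    for e in INVENTORY:
        out.setdefault(e.category, set()).update(e.recipients)
    return {cat: sorted(r) for cat, r in sorted(out.items())}


def sale_candidates() -> List[str]:
    """Fields whose disclosure may be a 'sale': anything of value counts, not just money."""
    return [e.field for e in INVENTORY if e.recipients and e.for_consideration]


def inventory_gaps() -> List[Tuple[str, str]]:
    """(store, field) pairs that hold data the inventory does not map."""
    mapped = {(s, e.field) for e in INVENTORY for s in e.stores}
    found = {(s, f) for s, users in STORES.items() for rec in users.values() for f in rec}
    return sorted(found - mapped)


def access_request(user_id: str) -> Dict[str, Dict[str, str]]:
    """Everything the inventory says we hold on a user, grouped by category."""
    result: Dict[str, Dict[str, str]] = {}
    for e in INVENTORY:
        for store in e.stores:
            value = STORES.get(store, {}).get(user_id, {}).get(e.field)
            if value is not None:
                result.setdefault(e.category, {})[e.field] = value
    return result


def deletion_request(user_id: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Delete a user's inventoried fields; return what was deleted and which recipients to notify."""
    deleted: List[Tuple[str, str]] = []
    notify: set = set()
    for e in INVENTORY:
        for store in e.stores:
            record = STORES.get(store, {}).get(user_id, {})
            if e.field in record:
                del record[e.field]
                deleted.append((store, e.field))
                notify.update(e.recipients)
    return deleted, sorted(notify)


if __name__ == "__main__":
    print(categories_disclosed())
    print("possible sales:", sale_candidates())
    print("unmapped:", inventory_gaps())
    print(access_request("u1"))
    print(deletion_request("u1"))
```

Run it and note that `usage_events` shows up as a possible sale even though no money changes hands, and that the `phone` field in `support_db` is reported as unmapped: a deletion request for `u1` would silently leave it behind until someone adds it to the inventory. In a real system the inventory would be generated from schemas and vendor contracts rather than hand-written, but the checks are the same.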
This is a great opportunity to contribute to a crucial topic for anyone who handles users’ personal information. Consider the views of both digital rights and start-up organizations and tell the California Attorney General’s office, which is drafting the regulations that implement the CCPA, why privacy matters to developers.