TeleSign and the CCPA

As of January 1, 2020, California is at the frontier of establishing a new data privacy framework in the United States. California has its counterpart to the GDPR, a data privacy law called the California Consumer Privacy Act (CCPA). The CCPA has the potential to become as consequential as the GDPR. In 2018, TeleSign developed a global GDPR compliance program that we are very proud of. In a world of ever-rising threats to consumer liberties, TeleSign is committed to personal information privacy as one of the pillars of customer trust. As a company established in the sunny state of California, collecting and processing personal information of California residents, we worked passionately to comply with the CCPA. Here is what we did:

One Privacy Framework

At TeleSign, privacy is in our DNA – it is embedded in everything that we do in service to our customers and taken very seriously by all TeleSign employees. Foundationally, the CCPA is very similar to the GDPR. TeleSign implemented GDPR globally, not only for EU operations. Consequently, the GDPR compliance program was leveraged to comply with the CCPA. We choose to follow a “one privacy framework” rule for all regulations that materially address privacy, based on the strictest of them, while still allowing specific differences to be addressed and implemented separately.

Customer Trust

Our customers are Businesses covered by the CCPA in whose service TeleSign is acting as a Service Provider. Customers disclose personal information to TeleSign solely for a valid business purpose and for TeleSign to perform the services. TeleSign warrants that we shall not further sell, retain, use, or disclose personal information for a commercial purpose other than the defined business purpose. TeleSign will not abuse or in any way compromise the trust given to us by our customers and end users (consumers). We understand we have earned this trust by how we handle personal information and are determined to maintain full compliance with the CCPA.

Consumer Consent

In the delivery of our products and services, we are using personal information for approved business purposes, which are defined in relevant contracts. Personal information belongs to the end user (consumer). The owners of the personal information have given permission (consent) to use their personal information, either directly to us or to our customers, for purposes that have been transparently disclosed to them. In short, the consumer is giving a restricted license to use his/her personal information, and TeleSign conducts business strictly within those limitations.

Verifiable Consumer Requests

We established processes for responding to requests for access, deletion and opt-out of sale of personal information in a timely and effective manner. Most of our end users should be contacting our customers, CCPA covered Businesses, to exercise their consumer rights. As a Service Provider, we are committed to facilitating the consumer rights on behalf of our customers. If you are a CCPA covered Business, please reach out to your Technical Account Manager for additional details.

Transparency and Accountability

In our Privacy Notice we transparently disclose:

  • WHO we are (as a CCPA covered Business and a Service Provider),
  • WHAT categories of personal information we collect and/or sell,
  • WHY we are processing personal information, including the lawful basis,
  • WHERE we got personal information from and the categories of third parties we are sharing it with,
  • WHEN we will delete this personal information, and why we need to retain it until that time,
  • WHICH other rights all consumers have, including the right to opt-out of sale (“Do Not Sell My Personal Information”), and
  • HOW to exercise any of the consumer rights.

Third Party Risk Management

To avoid being characterized as “selling” personal information to third parties that receive personal information from TeleSign, we identified and contacted all third parties to include appropriate contract terms to address CCPA requirements. Through our diligent vendor assessment process, any company that wants to do business with TeleSign is made aware of our privacy and security standards and their obligation to comply with them.

Reasonable Security Framework

TeleSign has an internal Global Information Security Policy (GISP) based on the ISO 27002:2013 standard for information security management. We employ various independent third parties to perform an ISO 27002-based Enterprise Risk Assessment (ERA) across the entire network on an annual basis to measure our compliance with the ISO-based standard and GISP. For more information, please visit: Security.

Mandatory Employee Training

Prior to the CCPA official effective date (January 1, 2020), we conducted a mandatory companywide privacy and security training in Marina del Rey, CA and Belgrade, Serbia. In addition to that, we updated our internal policies, including the Privacy Policy and GISP. This way, all of our employees know how to handle and maintain confidentiality, integrity and availability of personal information.

Team of Privacy Experts

CCPA compliance efforts are led by our Privacy Office (PO), which is comprised of IAPP-certified members of the Legal, Privacy and Security teams, and complemented by IAPP-certified employees in the Sales and Engineering teams. They are available to answer any questions regarding privacy and the CCPA at our Contact Us page.

Verifying Consumers Through Our Services

Our SMS (two-factor authentication) product provides universal verification of identity using mobile phone numbers, thus ensuring that a consumer’s identity is verified before he/she submits a request to exercise any of their rights. If you are a CCPA covered Business and need an identity verification method for consumer requests, please reach out to our Sales team to ask about our SMS 2FA solution.