The new ‘California Consumer Protection Act’ (CCPA) came into effect in on January 1, 2020. The state law grants California consumer residents new rights over their personal information. These rights are, the right to know (or access), the right to delete, and the right to opt-out of sale of personal information that a company may collect, retain, or disclose about a consumer. Additionally, the CCPA prohibits businesses from discrimination against consumers in terms of access to services if they choose to exercise their rights under the CCPA.

The CCPA applies to for profit entities doing business in California that collect, share, or sell California consumer residents personal information and either:
1) has annual gross revenues in excess of $25 million;
2) possesses the personal information of over 50,000 consumers, households, or devices; or
3) 50% or more of gross revenue comes from selling personal information.

Business‐to‐Business Exception

The CCPA is subject to a variety of amendments including Assembly Bill 1355 which the California Governor signed on October 11, 2019 (“AB 1355”). AB 1355 gives business-to-business solution providers a temporary, one-year exemption from the compliance requirements. A “business-to-business” solution provider refers to any company focused on selling products or services to other businesses rather than to consumers.

Specifically, AB 1355 exempts flows of personal information that are “part of a transaction where the consumer is a natural person who is acting as an employee-owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.”

Engagedly’s processing and use of personal information through the Engagedly performance review platform are designed to enable employee engagement. These services fall squarely within the business-to-business context. Engagedly does not monetize the personal information handled by Engagedly within the services it provides, nor does it require the use or sale of consumer personal information in rendering its services. Engagedly processes business email address solely for the purposes of providing its business-to-business solutions.

Likewise, Engagedly would not be considered a “service provider” as defined in the CCPA since it is subject to the AB 1355 exemption. Engagedly will continue to monitor any further legislation that helps clarify business relationships, including the extension of AB1355 beyond 2020.


Engagedly has stringent state‐of‐the‐art security controls designed to protect your data. Specifically, cybersecurity risks are taken very seriously at Engagedly and are managed daily by our CISO. All employees are required to review and agree to Engagedly’s strict IT Security Policies, which are annually reviewed to incorporate periodic updates. Engagedly is also annually audited by 3rd party auditors for SSAE‐18 SOC2 Type 2 compliance as well as annually audited by 3rd party auditors for penetration and vulnerability testing. All data transacted by Engagedly is encrypted when in transit and at rest.