US State Privacy Law Compliance

Overview

A growing number of U.S. states have enacted comprehensive consumer data privacy laws. The best known is California's, but most states now have, or are introducing, broadly similar legislation. These laws regulate how businesses handle the personal information of that state's residents, and they generally distinguish between the "business" (or "controller") that decides how personal information is used, and the "service provider" (or "processor") that handles it on the business's behalf.

Although the detail of each law varies, our position in relation to all of them is the same, and is explained below.

How these laws apply to MIDAS

MIDAS is a room booking and resource scheduling tool. When you use MIDAS, you decide what personal information, if any, is entered into your booking system. In the language of these laws, this means that you act as the "business" (or "controller") in respect of that information, and we act as your "service provider" (or "processor"), handling it only on your behalf and only in order to provide the MIDAS service to you.

As a service provider:

• We do not sell your personal information, or the personal information held within your MIDAS system. We never have.
• We do not "share" personal information for cross-context behavioural advertising. Where our website uses analytics or similar cookies, these remain disabled until a visitor gives their express consent via our cookie consent banner.
• We do not retain, use, or disclose the personal information held within your MIDAS system for any purpose other than providing the MIDAS service to you.
• For "cloud-hosted" systems, this relationship is already governed by our Data Processing Agreement, which sets out how we handle personal information on your behalf.

How we handle personal information generally, including the rights available to individuals and how to exercise them, is described in our Software Privacy Policy and our GDPR Statement. Individuals can request a copy of the personal data we hold on them at any time using our self-service Subject Access Request tool.

California: the CCPA and CPRA

California's law is the most established of these, and the one customers most often ask about. The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and was amended and expanded by the California Privacy Rights Act (CPRA), whose provisions took effect on January 1, 2023. Together they regulate how the personal information of California residents is handled, and they recognise the same business / service-provider distinction described above. Our position in respect of California residents' personal information is exactly as set out above: we act only as your service provider, and we do not sell or share it.

Other U.S. state privacy laws

The same position applies equally under the comprehensive privacy laws of other U.S. states. These currently include:

• Virginia: Consumer Data Protection Act (VCDPA)
• Colorado: Colorado Privacy Act (CPA)
• Connecticut: Data Privacy Act (CTDPA)
• Utah: Consumer Privacy Act (UCPA)
• Iowa: Consumer Data Protection Act
• Indiana: Consumer Data Protection Act
• Tennessee: Information Protection Act (TIPA)
• Texas: Data Privacy and Security Act (TDPSA)
• Oregon: Consumer Privacy Act (OCPA)
• Montana: Consumer Data Privacy Act (MCDPA)
• Florida: Digital Bill of Rights (narrower in scope than the others)
• Delaware: Personal Data Privacy Act (DPDPA)
• New Hampshire: Privacy Act
• New Jersey: Data Privacy Act (NJDPA)
• Nebraska: Data Privacy Act (NDPA)
• Maryland: Online Data Privacy Act (MODPA)
• Minnesota: Consumer Data Privacy Act
• Kentucky: Consumer Data Protection Act (KCDPA)
• Rhode Island: Data Transparency and Privacy Protection Act (RIDTPPA)

This list is not exhaustive, and further states are expected to introduce comparable laws. Regardless of the state, the differences between these laws fall on you as the business or controller; our role, as your service provider, remains the same. We handle the personal information within your MIDAS system only on your behalf, and we do not sell or share it.