eBooks.com’s Compliance with EU and US Privacy Laws

How eBooks.com complies with GDPR and CCPA privacy requirements

black android smartphone on top of white book
Photo by Pixabay on Pexels.com

You can always access our privacy policy, which sets out what (little) information we collect about you, what (little) we do with it, and how you can access that data or expunge yourself from our systems. We are fully compliant with the stringent privacy protection requirements of the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA).

In this article we set out a summary of our compliance with both of these regimes, for easier reference. The table relates specifically to our reader apps but is more generally applicable to everything else we do at eBooks.com. If you see anything untoward, or that requires clarification, don’t hesitate to post a comment at the bottom of this page!

GDPR RulesCCPA RulesAnswer / Comment
Is there a specific, clear and legitimate purpose for all products/services to collect user’s personal data, and is the collection of such personal data necessary to meet the purpose? Is it possible to ensure that personal data is not used for purposes other than those for which it is intended?5, 61798.100.(b), 1798.110.(a)Yes. (1)  Users do not need to provide any personally identifiable information in order to use the application. (2)  If the user chooses to buy one or more ebooks from eBooks.com, it is necessary for them to visit the eBooks.com website, which contains a a full disclosure of our privacy terms which is complaint with GDPR and CCPA. 
Is there a corresponding control method or means, such as timely discovery, deletion and update of inaccurate personal data, to ensure the accuracy of personal data collected, stored, processed and transmitted by products/services?5, 61798.150. (a) Users can contact us to delete their data.
Is the time limit for product/service to store user’s personal data reasonable? And will it exceed the time required to achieve its processing purposes?5, 61798.130.(a)(5)(1)  Users do not need to provide any personally identifiable information in order to use the application. (2)  If after opening the app, a user acquires one or more ebooks from the eBooks.com website, they will have lifetime access to that content. It is therefore necessary for eBooks.com to retain basic identifying information such as email address and password so that, should the user wish to do so in future, the user can login to their account at eBooks.com and access their collection of ebooks. 
Does the product/service involve the processing of special categories of personal data? (Including data on revealing race or ethnic origin, political views, religious and philosophical beliefs, trade union membership, genetic data, biometric data, personal health-related data, personal sexual life and sexual orientation, etc.) and is this processing necessary for realizing the interests of data subjects?9/No
If the product/service is provided for children under 16 years of age, is the processing of their personal data agreed by their parents or guardians? Does the product/service have a parent monitoring system?81798.120.(c)Ebook Reader app is not targeted at children under 16. Moreover personally identifying information is only collected at the time of purchase of one or more ebooks. In order to purchase ebooks from eBooks.com, credit card similar payment is required each time, eliminating the risk of minors purchasing content on eBooks.com.
If products/services are provided for children under 13 years of age, is there an automated analysis of their personal data?8/Ebook Reader app is not targeted at children under 13 Moreover personally identifying information is only collected at the time of purchase of one or more ebooks. In order to purchase ebooks from eBooks.com, credit card similar payment is required each time, eliminating the risk of minors purchasing content on eBooks.com.
When a company sells consumer personal data, will it get affirmatively authorization from consumers aged 13-16, and will the company get affirmatively authorization from parents or guardians for consumers under 13 years of age?/1798.120.(c), 1798.120.(d)We do not share users’ data with third parties.
Is there a case of transferring user’s personal data to third-party enterprises or institutions? If so, is it possible to obtain the user’s consent in a clear and understandable way, and to show the content, purpose and mode of data transmission to the user in detail and clearly, as well as the identity of the third party enterprise?26, 28, 291798.115.(a)No.
Whether it clearly identifies all third parties (such as service providers, business partners, seconded employees, IT operations personnel, etc.) who can legally access personal data in the product/service, and establishes corresponding role responsibilities and authority control for personal data processing?26, 28, 291798.115.(a)We do not share users’ data with third parties.
Are contracts or agreements signed with third parties, requiring third parties to publish privacy protection policies, requiring third parties to follow internal privacy policies, clearly specifying the content of data collected and transmitted by third parties, the conditions under which data subjects exercise their rights, and the technical means adopted in transmission, in order to ensure that third parties meet relevant requirements and are subject to confidentiality provisions?26, 28, 291798.140.(w)We do not share users’ data with third parties.
When a third party requests personal data processing such as access, transmission, etc., does it check the legal basis of the request and verify the identity of the requester?26, 28, 291798.115.(b), 1798.115.(c)We do not share users’ data with third parties.
If consumers’ personal data is sold to third parties, and third parties will sell data to others, will consumers be explicitly notified that they can choose not to allow third parties to sell their personal data?/1798.115.(d), 1798.120.(b)We do not share users’ data with third parties.
If the processing of personal data involves cross-border transmission (involving third countries or international organizations), can enterprises clearly list the transmission purposes and scenarios, data processing types, data geographic storage location and so on?44, 45/Yes. If a user creates an eBooks.com account, their personally identifiable data (email address and password) will be stored at out contract data center / hosting provider, Aptum, in Toronto, Canada.  No other third party has access to user’s data.
Whether the cross-border transmission of all personal data involved in products/services meets any of the following conditions: 1) the data recipient is a member of the EU; 2) the data recipient is a fully protected country/region approved by the European Commission; 3) the enterprise provides appropriate safeguards for the cross-border transfer of data, such as the establishment of binding business rules, data protection standard provisions authorized by the European Commission or specific regulatory bodies, etc. (4) Special cross-border transmission situations, such as the explicit consent of the data subject, transmission is necessary for fulfilling contract requirements or realizing the interests of the data subject, etc.44, 45, 46, 47, 48, 49/Yes. The data recipient is in Canada, which ensures an adequate level of protection under EU GDPR guidelines
Does it evaluate the purpose and mode of cross-border data transmission and clarify its legal basis? And have appropriate security measures been taken for personal data protection based on assessment?44, 45, 46, 49/Yes.
Are Terms of Use and Privacy Statements/Agreements displayed prior to service delivery? And can this clause be accessed and understood by users in a simple and clear way at any time, and the user’s consent can be consulted in a clear way?7, 12, 141798.130.(a).(5), CalOPPA § 22575.(a)Terms of use and privacy policy are accessible at all times from the app’s menu, under “Settings”.
Does the privacy declaration/protocol show users of the product/service their rights as data subjects in a detailed and clear manner, including consent withdrawal, data erasure, etc?16, 17, 18, 191798.105.(b)Yes
When the user agrees that the product/service collects or processes special personal data, does the interface clearly indicate that such a situation is occurring (e.g. icons, highlights, pop-ups, etc.)?12/We do not collect any special personal information.
Does the product/service clearly provide a means of communication to the user to ensure that the user can effectively consult personal data related questions and issues?121798.130.(a)(1)Yes. We have made our contact information public.
Does the Privacy Statement/Protocol describe in detail the identity of the data collector of the product/service, what kind of user personal data will be collected, how personal data will be stored, the objects that may be disclosed, the processing and analysis that may be used, and the corresponding duration? Is it clear to the user the purpose of all the above-mentioned personal data related operations?13, 141798.100.(a), 1798.110(a), 1798.110.(c), 1798.130.(a)(5)Yes
Before the point of collection, is there a clear and conspicuous link”Personal Data Collection Consent” (different from “Privacy Policy”), indicating the categories of personal data to be collected and the purposes for which the categories of personal information shall be used?/1798.100.(b)No
If the business sells personal data, does the personal data collection prompt include the option “Do not sell my data”? If the prompt is offline version, is there a link to this option?/1798.120.(a), 1798.135.(a)We do not sell our user’s data.
If the business sells personal data, does it provide customers with the right to opt-out of the sale their personal information./1798.120.(a)We do not sell our user’s data.
Does the company provide financial incentives for the collection, sale or deletion of personal information, and does the company provide consumers with different services at different prices, rates, levels or quality?/1798.125.(b)No
Does the product/service interface have “privacy” settings and provide users with easy-to-access ways and means for users to access and modify privacy settings?7, 12, 131798.140.(i), 1798.145Yes
Is there a case of obtaining user’s personal data from other sources rather than from the data subject himself? If the user’s personal data collected or processed by the product/service is not from the data subject himself, is it timely and effective to inform the data subject of the situation and source of data acquisition?15/No
Do data subjects have appropriate and convenient ways to modify their inaccurate personal data or to improve their inadequate personal data?16/Yes
Are there concise and clear suggestions and instructions to guide users to clear relevant personal data when users uninstall/disable services, scrap/abandon products, or other similar situations occur?17, 191798.105.(a), 1798.105.(c)Application usage statistics, operational log data for user, and crash data will be deleted after 14 months.
Is there a reasonable way to clear personal data when a product is lost, stolen, or other similar situation?17, 191798.105.(a), 1798.105.(c)Yes
When the data subject proposes a reasonable deletion of data, does it completely delete all the corresponding data records, and requires all data processors to delete the data records? Is there a way to prove that the data has been completely deleted?17, 191798.105.(a), 1798.105.(c)Yes. it will be completed within 60 days.
In the case of requests from data subjects, Does it provide users with personal data collected and processed by products/services? And can it ensure that the personal data provided to users is in a structured, commonly used and readable format?15, 201798.100.(a), 1798.100.(d), 1798.110(a)There is no useful data we could provide to users.
Does the user have the right to object to data processing at any time and to stop the product/service from collecting and processing part or all of its personal data? Is the way to raise objections simple and clear, and easy for users to operate?18, 211798.135.(a)(4)Yes. Users can stop the collection.
Is the user’s personal data processing behavior effectively terminated after the user withdraws the consent for the collection and processing of personal data? Is there a way to prove that the processing of this user data has been terminated (e.g. by querying, exporting data storage and processing records, etc.)?18, 21/Yes.
Is the company discriminate against consumers, including denying goods or services, charging different services or rates for goods or services and providing different level or quality of services, etc./1798.125.(a)No
Is there a list of data types that must be anonymized based on the content of the personal data, the form of the stored data, and the identified privacy risks?24, 25, 321798.145.(a)(5), 1798.140.(h) Application usage statistics, operational log data for user, and crash data has been anonymized.
Is there a permanent anonymization for data that needs to be anonymized? If the data is not permanently anonymized, are other tools for meeting the anonymization needs used in the processing, transmission, and storage of personal data? (If there is any tools, please list, such as partial deletion, encryption, hashing, etc.)24, 25, 321798.145.(a)(5), 1798.140.(h) Yes
Does the device test perform for non-real/anonymous data?32/Yes
In order to ensure the confidentiality of stored data (in databases, in flat files, in backups, etc.), are personal data that must be encrypted determined based on the form and required performance of stored data? (including the entire hard disk, partitions, containers, specific files, data from databases or communication channels, etc.)24, 321798.150. (a) (1), 1798.81.5.(a) (1)Yes
Does it choose the appropriate encryption type and mode, and adopt the encryption management mechanism so that no one can read personal data without access authorization?321798.150. (a) (1)Yes
Are devices (e.g. workstations, servers or mobile media) or containers properly encrypted so that no one can read personal data without authorization, to reduce risks associated with device recovery, server theft, inappropriate physical access to workstations or servers, and administrator direct access to server data?321798.150. (a) (1)Yes
Is the database properly encrypted so that no one can read the data without access authorization, thereby reducing the risks associated with server theft, inappropriate physical access to workstations or servers, and administrators’ direct access to server data?321798.150. (a) (1)Yes
Are separate files containing personal data properly encrypted so that no one can read data without access authorization to reduce risks associated with stolen workstations or servers, inappropriate physical access to workstations or servers, and direct access to data by administrators?321798.150. (a) (1)Yes
Are e-mails properly encrypted so that no one can read the data contained in the e-mail without access authorization, in order to reduce the risk associated with e-mail interception?321798.150. (a) (1)Yes
Is the communication channel between the authenticated server and the remote client encrypted so that the personal data during processing and transfer is not known to any individuals, organizations, that unrelated to the purpose of processing, to reduce the risks associated with data flow interception?32/Yes
Are personal data partitioned to reduce the possibility of personal data interrelated and full disclosure?32/Yes
Is there a security control and arrangement for processors who need to access the data? In the process of data processing, is it controlled the authority of personnel who can access personal data to reduce the risk of unauthorized access to personal data (user file management, authentication mechanism, password policy, etc.)?32/Yes
Are individuals wishing to access personal data authenticated?321798.100.(c), 1798.130.(a)(7), 1798.130.(a).(3)Yes
Are privileged accounts allocated and managed according to  “need to know” and the principle of minimum privilege?32/Yes
If password authentication is used, is the password rule defined and set (minimum length, required characters, expiration date, number of attempts to fail before the account is locked, initial login to change the default password, secure display password, store password, etc.)?
32/n/a
In the data processing process, are there any measures to deal with the role change in the system (such as employee turnover and job change)?24, 25, 32/Yes
Are data processing processes and activities logged so that evidence can be provided during the investigation, as well as timely attribution and remediation of risk leaks?24, 25, 30, 32/Yes
Are appropriate methods (hash functions, message validation codes, electronic signatures, prevention of SQL injection, etc.) selected to monitor the integrity of personal data to ensure that warnings can be issued in case of accidental modification or disappearance of personal data?24, 32/It is not open to the public.
Only authenticated users can access it.
Does the data processing system produce or print paper documents and reports containing personal privacy data? If so, are measures taken to mitigate the risk of unauthorized access to paper documents containing personal data? Such as marking documents containing personal data, recording the printing process, limiting the spread, transmission traceability and so on.5, 25/No
Are measures taken to prevent the leakage of paper documents containing personal data in order to reduce the possibility that the characteristics of paper documents will adversely affect individuals?24, 32/n/a

Leave a Reply