Hailed by some to be a landmark law heralding the future of consumer privacy, the California Consumer Privacy Act (CCPA) will change the way we do business – across all industries – forever.
Nicknamed by some GDPR Lite because of how twin-like it is to the EU’s privacy law, the CCPA leverages a lot of the same strategies as GDPR. And just like its brother from across the pond, this U.S.-based, paradigm-shifting consumer privacy law is a gamechanger for everyone.
In fact, if your business is in the United States and collects information about California residents, the CCPA applies to you.
Small businesses who think they’re off the hook are in for a shock. If you have a contact form on your website, collect resumes from candidates for job openings, or operate a brick-and-mortar location, the CCPA probably applies to you.
Technically, the CCPA rules apply to a for-profit “business” that does business in California. It also conforms with one or more of the following:
- Generates an annual gross revenue in excess of $25 million
- Derives at least 50% of its annual revenue from selling California consumers’ personal information
- Buys, sells, shares and/or receives the personal information of at least 50,000 California consumers, households or devices
Even if you think the CCPA doesn’t pertain to your business, you’d be wise to implement the requirements anyway. Although it’s the first state law of its kind, it most certainly won’t be the last. Consumers are growing more and more concerned about their private information, and there may be no going back.
The new individual rights requirements in the CCPA are so significant, the risk of non-compliance is an accident waiting to happen.
To help, we created this comprehensive field guide. It explains the CPPA individual rights requirements and provides step-by-step recommendations for implementation so U.S. businesses can comply with accuracy, timeliness, and confidence.
CCPA Individual Rights Defined
Before anything, businesses must understand the sweeping provisions of the CCPA related to individual rights and how it impacts their day-to-day.
In the CCPA proposed regulations summary and key focus areas, the governing body defines “personal information” much more broadly than other state privacy laws. It includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This broad definition breaks down into six specific areas of compliance and execution.
#1: Right to Notice
The individual rights under the CCPA require businesses to inform customers about their data collection practices.
For an online-only business that has a direct connection with customers, an email address or contact form on your website is acceptable. However, for all other businesses, you also need to provide a toll-free number plus one other method of contact (email, website form, or physical form).
You’re compelled to inform customers at or before the point of collection what categories of personal information will be collected and the purposes for which these categories will be used.
It’s also imperative to update your privacy policy. Disclose the individual rights consumers have access to and how to use them via the contact methods you’ve provided.
#2: Right to Request Access to Information
This provision of the CCPA emphasizes the importance of getting your data house in order.
That’s because under the new law, consumers have the right to request a business disclose a variety of information:
- The categories of personal information collected
- The categories of sources from which personal information is collected
- The business or commercial purpose for the data
- The categories of third parties with which the business shares personal information
- The specific pieces of personal information the business holds about a consumer
Organizing and managing your data should be a top priority. You’ll need an easily accessible and complete population of information about every single one of your consumers.
#3: Right to Get Data in an Easily Accessible Format
This provision simply allows for consumers to request to be informed of certain transfers of their information. Basically, if you’ve sold or shared their data, they have a right to know. Most importantly, you must provide this data in an easily accessible format so the consumers don’t have to struggle with getting to it.
#4: Right to Deletion
This part of the individual rights portion of the CCPA can be misunderstood.
Consumers can ask for their information to be deleted from your database if that information was collected directly from the consumer. That being said, companies should be on high alert when it comes to collecting data at all, as consumers assume all data – whether by consent or not – is included in this provision of the law.
Experts agree the law gets vague here when it comes to the listed exceptions. You don’t have to delete information:
- Necessary for detecting security incidents
- Required for exercising free speech
- Protecting or defending against legal claims
- For internal uses reasonably aligned with the consumer’s expectations
While these exceptions are all up for interpretation, the last one seems the most subjective. However, this doesn’t mean businesses can use it as an excuse to keep the status quo.
What it does mean is that you should review and document what it means for your business and have a process in place to put it into practice.
#5: Right to Opt Out
Opting out of receiving information is nothing new. This is something that’s a best practice of most businesses, especially with the advent of the GDPR.
The CCPA defines the right to opt out as essentially the right to stop the sale.
It also provides for minors. That’s because the right to opt out applies to consumers 16 years old or older. Everyone who’s under 16 is considered a minor, and you can’t collect information from them unless you receive an explicit opt in either from the parent themselves (for children under 13), or from the minor directly for children between 13 – 15 .
#6: Right to Equal Service and Price
Finally, and perhaps most importantly, businesses can’t deny equal service and prices if a consumer exercises any of these individual rights under the CCPA.
This stands in contrast to the fact that a business can offer financial incentives to collect a consumer’s data. The price must be directly related to the value of the information. And, of course, the consumer must have the chance to review and consent to the terms of the financial incentive well before they’re opted in. Exactly what this means is likely a topic that will see additional discussion in 2020.
Best Practices for Managing Consumer Rights Requests
Knowing what the individual rights are that are included in the CCPA is one thing. Putting them into action is something else entirely. The deadline hits on January 1, 2020 and consumer requests could start to pour in.
With a tight timeline to respond to these requests, it’s imperative you have a lock-tight process in place.
The Timeline
The CCPA response timeframe differs from privacy laws in other states, including the 2019 Nevada privacy law update. California legislators have set a timeframe of 45 days from the day of request to disclose and deliver information to the consumer.
However, within 10 days you have to acknowledge receipt of the request if it’s a deletion and right to know request. In this acknowledgement message, you’ll have to explain to the consumer how you’re going to process the request.
You’re also allowed a one-time extension of 45 days if needed. But you must notify the consumer you’re taking this extension before the initial 45-day deadline has expired.
For a do not sell request, you have 15 days to act on the request. And you have 90 days to alert the third parties you work with to stop selling the data, too.
The Challenges
When consumers submit requests based on their individual rights under the CCPA, they should be able to do it in one of these ways:
- By calling in to a toll-free 800 number (exempted for online-only companies who have a direct relationship with customers, e.g. eCommerce)
- And by emailing
- And by submitting a form on your website
- And by submitting a physical request at a store, branch, or company HQ
For businesses that don’t operate solely online, you’ll have to provide the toll-free number in addition to one of the other options.
Validating and verifying the submitted information is next, and boy is it a doozy.
According to the CCPA, you can’t release personal information unless you have a verifiable consumer request. This means matching two data points from the consumer with data from your business.
One way to verify a request is if it’s submitted through a consumer’s password-protected account. However, you need a documented ID verification method, and it must be secure. For example, if data is sensitive, valuable, poses harm to the consumer if deleted, or is likely to be targeted by malicious actors, you have to take ID verification more seriously.
But the challenge here is if someone doesn’t have an account. According to the CCPA, you can’t require someone to create an online account with your business for verification purposes. Or perhaps your company doesn’t even offer account-based functionality. It’s difficult to verify a person’s identity thoroughly.
The CCPA provides conditional alternatives for this rock-and-a-hard-place situation. If you can’t verify an individual’s identity, the business doesn’t technically have to provide the requested information to the consumer. However, it doesn’t mean you’re scott-free.
For disclosures of categories that can’t be verified, you have to send these consumers to your privacy policy where you list this information. In the case of a right to delete request that can’t be verified, you have to treat it as an opt-out request. This means unsubscribing consumers from your email lists, advertising lists, and third-party data lists.
And you’re required to communicate this alternative undertaking with the consumer – confirming they’re okay with the action being taken – before executing the opt out.
The Process
A big question mark when it comes to implementing the CCPA is who will process the request and who will make the decision about whether or not the request can be honored. What does the workflow look like for managing these requests?
- Who gets the request first
- To whom does the request get passed to make a final decision about
- Who responds to the requesting individual
- Who records the request was submitted
All of these steps are important in processing an individual rights request and must be addressed specifically by your organization.
Ideally, the requests should go directly to a dedicated referee-type role who manages the whole process from beginning to end to make sure it’s done correctly. This person will monitor the public email account and web form submissions and forward requests to different departments appropriately. He or she will also make sure answers are sent out and recorded, and that everyone is on the same page.
The top-level privacy officer at your company, such as a Chief Privacy Officer (CPO) or Data Protection Officer (DPO), should be involved when there’s an issue and definitely be monitoring the overall process.
You also need to determine the best technology to use to process requests. Some companies are using automated ticketing systems through IT software or privacy management solutions. Others are leveraging simple spreadsheets. Whatever you use, make sure it works and everyone who needs to, knows how to operate it.
This process can get complex quickly. That’s why it’s so important to have a policy, documentation, and training in place before the CCPA deadline hits.
The Messaging
One of the most important aspects of CCPA implementation to get right is the message you’ll use to communicate with the requesting individual.
Note that this pertains to cases when you’re able to honor requests and when you’re not.
The law requires the response to be free of charge, in a readily usable format, and delivered to the account the consumer holds with the business, if applicable. Snail mail or email is acceptable if the requestor doesn’t hold an account with the company.
The wording of the message itself – depending on whether it’s a first response or followup response – should contain:
- A confirmation that the person’s identity is verified or unverified.
- The appeals process if the requesting individual isn’t verified.
- What data you’ve collected about that person.
- Confirmation of opt out or deletion if applicable.
As discussed in the previous section outlining the timelines set forth in the CCPA, each of these messages will send at different points depending on what the consumer is asking for. And they each have different deadlines for execution.
The Reporting
Tracking consumer requests, when they were submitted, who processed the request, and the outcome is essential. The attorney general requires companies to maintain records of consumer requests under the proposed CCPA guidelines. They must also keep records of how the requests were addressed and responded to for at least two years after the request was made.
In addition, large companies (buys, receives, sells, or shares personal information of 4 million or more consumers) have to disclose all of their tracking metrics on their online privacy policies. This includes yearly numbers for access, deletion, and opt-out requests and how long on average the company takes to respond to those requests.
We recommend implementing a data tracking system. This will allow you to tell individuals exactly what information you have about them when they ask for it.
Conclusion: No Time to Waste
Experts are predicting getting compliance right will be a sprint to the finish line.
It’s no wonder, as the new law’s recordkeeping mandate requires you keep records on hand for a 12-month lookback period dating. You have to publish a new privacy notice, put proper agreements in place with third-party service providers, and update systems, policies, and procedures to manage consumer rights.
And taking a laisse fair attitude isn’t an option.
The California attorney general is threatening severe consequences for those who breach the CCPA requirements. Your business can be fined up to $750 per individual, per incident. But the government can also add its own slap on the wrist to that initial fine: Up to $7,500 per violation.
Companies who are affected by the CCPA need to focus on getting the foundation built for individual rights compliance.
- Who will be the point of contact to manage inbound requests
- What tracking system will be used for requests
- Who responds to requests, makes the decisions, and communicates the response
- Who does the reporting and how they do it
Finally, how and when will these employees be trained? Per the CCPA, anyone who will have a role in CCPA compliance needs to be trained on the responsibilities and the law. And although technically anyone can be trained in this knowledge, the law’s specific requirements will present a challenge for training.
For businesses who haven’t started preparing for compliance yet or have started, but are overwhelmed by the complexity and sheer time-suck, bringing in expert hired hands may be just what the doctor ordered.Invest time and resources in a Fractional Privacy Officer now to develop and implement sound response procedures. This will allow you to avoid the roadblocks and be fully prepared to respond to individual rights requests under the CCPA by January 1, 2020.
