CCPA Best Practices

CCPA privacy notice requirements

What if we told you that there was something that you could do that would:

  1. Build better relationships with your customers
  2. Protect your business
  3. Get you on the right side of data privacy laws and regulations
  4. Be totally achievable regardless of how big or busy your business is, AND
  5. Would take your mind off of the crazy times we’re living through right now

We bet you didn’t think we were talking about working on California Consumer Privacy Act (CCPA) compliance, but it’s true. 

With all that’s happened in 2020, CCPA’s enforcement date came and went without the hubbub that it was due, but that’s okay. It’s always a good time to get compliant. 

Let’s take a look at the CCPA best practices and see what you can do to make your 2020 just a little better. 

CCPA: A View from the Top

If you’re just tuning in now to CCPA, welcome to the show. Privacy regulations are notoriously opaque and difficult to parse, but we’ve distilled the main goals down to the key takeaways.

CCPA went into effect on January 1, 2020, became enforceable on July 1, and applies to any business that meets at least one of the following: 

  • Earns more than $25 million in revenue per year OR
  • Collects or processes 50,000 consumer records per year OR
  • Derives 50% of its annual revenue from selling personal information

Don’t meet those thresholds? You might think compliance doesn’t need to be on your radar. But remember, consumer privacy is the new standard and if you don’t comply with CCPA (or any other major privacy regulation — we’re looking at you, EU’s General Data Protection Regulation), it may give customers pause. And more than that, it might cause you to miss out on that next big sale or investor.

Also remember, under CCPA, you’re not the one that needs to be in California – it’s your customers. California residents have the following privacy-related rights:

  • Right to know all data collected on them, the categories of data, and the purpose of collection
  • Right to refuse the sale of their information
  • Right to request deletion of their data
  • Mandated right to opt-in before the sale of information of children under 16
  • Right to know the categories of third parties with whom their data is shared, as well as those from whom their data was acquired

Have questions about CCPA regulations? Learn more about it here.

What do you need to do: The short and sweet version

What do all those rights mean for your business, i.e., how do they translate into operational practices? Translating legalese into action items is easier than it sounds.

  • Keep your privacy policies up to date and make sure to include CCPA disclosures in them
  • Make sure consumers have the ability to submit individual rights requests, including the right to delete, right to access, and right to opt-out of sale  
  • Create opt-ins for the sale* of minors’ data: 
    • For children under the age of 13, parents or guardians must opt-in
    • For children ages 13-16, the minor must opt-in  
  • Put a “Do Not Sell My Personal Information” link on your homepage that takes consumers to an opt-out form. 
  • Give consumers at least two ways to request any of their information that you’ve collected, shared, or sold. 
    • A toll-free phone number is required. Companies that operate solely online (check with a privacy professional to see whether you qualify) do not have to provide a phone number and can provide an email address instead. Generally, all companies provide either a web form or an email address for submitting requests.
    • Web forms are required to opt-out of the sale of information
  • Make sure you fulfill any consumer request for what information you’ve collected or sold*. If they ask you to delete it, make sure you fulfill that request too. 
    • If a third-party vendor is involved, you’ll also have to make sure they’re in compliance. Vendor management programs that incorporate thorough contract reviews and assessments can facilitate this. 

*CCPA uses a broad definition of the term “sell.” It doesn’t necessarily mean that money is changing hands. Besides selling, it can refer to “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means…”

Getting from point A to B to C(CPA)

Okay, we’re on the same page about the general requirements for CCPA. But what are the best ways to accomplish these line items? 

#1: Get your privacy notice squared away

Whether you’re baking up a privacy notice from scratch or you’ve got one already completed, you’ll want to put some dedicated effort and attention towards this task. A copy-paste privacy policy and privacy notice from a template (or from another business — but let’s not go there right now) isn’t going to serve you well. Your privacy documents need to speak to your business practices and to your customers. Customize it. 

It’s also important where you put it. You shouldn’t tuck it away in some deep, dark corner of your website. As per CCPA, it needs prime real estate. To meet compliance requirements, your privacy notice needs to be put in a conspicuous place — most commonly on the home page — and anywhere data is collected. 

Keep your policy updated

Privacy policies are kind of like updates for your iPhone. You get everything updated and working smoothly…and then there’s another update. 

Thankfully, you don’t need to update your privacy documents quite that often. As per CCPA, you’re required to update annually. 

#2 Train Your Team on CCPA 

You — along with legal, marketing, IT, or consultants — come up with your privacy policy, but your employees execute it: the ones handling consumer questions, facilitating individual rights requests, assessing vendors, and so forth, or maybe the ones running marketing campaigns.

They need to know how that all fits into CCPA compliance and why. They need to know what data security risks are present, what the implications of a data breach are, and a whole host of other critical points. 

There are philosophical, mission-based, and values-based reasons for training. There are also legal ones: CCPA requires employees managing individual rights requests to be trained. But when it comes down to it, your team just plain needs to be trained on how to correctly do that part of their job. Note that CCPA doesn’t dictate how employees need to be trained, but there are several ways to accomplish this, including using materials from the International Association of Privacy Professionals (IAPP), creating your own curriculum, or working with a privacy professional.

#3 Keep Your Records Up to Date

Records are critical in compliance land. Without them, it’s simply not feasible to maintain compliance. So where do you start? 

Get yourself a data inventory. This will be your roadmap, helping you understand the flow of personal information across its entire lifecycle at your business. For CCPA, this will include tracking what information qualifies as “sold.” 

You need to keep your records up to date for consumer requests as well; as per CCPA, you have to retain any request for at least twenty-four months. A data inventory also helps you track which of your vendors have access to your customers’ data. (See more on that below.)

But be diligent about security when it comes to your record-keeping practices; CCPA also requires that you implement “reasonable security procedures and practices.”

#4 Review and update vendor contracts

Dust off your vendor contracts. It’s time to take a look and see who is doing their part for CCPA compliance. If you don’t have in-house counsel, contact your favorite law firm to get help assessing these contracts. 

Support from privacy professionals is also a big asset in these tasks, particularly when it comes to building a process around your vendor contracts. We look at how vendors are:

  • Keeping system security, data security, and privacy in line with best practices and industry standards
  • Meeting confidentiality and privacy requirements
  • Committing to notify you of security breaches, incidents, and potential vulnerabilities 
  • Committing to independent audits and assessments and to providing you access to audit documents

As with so many things in our professional lives, these tasks are never truly and finally complete. You should plan to review your contracts annually. 

#5 Make it easy for customers

Finally, let’s not just make compliance easier on ourselves. Let’s make it easier on your customers. Your customers, after all, are giving you their personal information. It’s theirs! Respect that! Make sure they can control it. 

CCPA is intended to give customers that control through rights like opt-in, opt-out, consumer requests, and more. But these rights have to be implemented by you, the business. CCPA may provide guidelines on how you should do it, but there are ways to go above and beyond that build trust and transparency with your customers. 

One example is creating a preference center where your customers can access their preference choices, edit their contact information, and adjust what data is being collected, and where you can offer additional insight into your data collection and usage.

Finding your best path to compliance doesn’t have to be difficult. We won’t break out into a rendition of “Get By With A Little Help From My Friends,” but having the right help in your corner makes a huge difference. That’s what we’re here for. Drop us a line and let us know how we can help you.

Get our free guide on Getting From Point A to B to C(CPA)!