CCPA Compliance: 4 Things You Should Know - Part 1
The California Consumer Privacy Act (CCPA) enforcement deadline of July 1st, 2020, is coming closer by the day. With that, it’s time to ask yourself whether your business is ticking all of the CCPA’s boxes. In this short 4-part series, we will look at the key topics to address and how to tackle them.
1) A summary of the consumer’s rights and how to exercise them
Consumers have the following rights:
The right to request a copy of their personal information (‘specific pieces of information’), or a list of the categories of information your organization has on them, including a list of sources, purposes for collection and categories of third parties the data has been shared with.
The right to request the deletion of information
The right to opt out of the sale of their personal information. The term "sale" is interpreted broadly under the CCPA, which treats any transfer of data for monetary consideration as a sale. We will outline the most important things to know about Do Not Sell requests in part 4 of this series. If your organization does not sell information under the CCPA's extensive definition, you should state this fact.
The right not to be discriminated against for exercising any of these rights.
2) A description of your organization’s request verification process
Before responding to requests to access or delete personal information, you are obligated to verify the identity of the requestor. For example, Datawallet Compliance offers a built-in identity verification mechanism, which asks customers who have a password-protected account with your business to re-authenticate themselves by logging in. Customers without an account are asked to provide a minimum of three data points, of which two (the phone number and email address) are verified by sending a one-time code.
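The two verification paths described above, modelled as an added example (constructed here, not Datawallet's code): account holders are gated on re-authentication, everyone else on at least three data points with the email and phone channels each confirmed by a single-use, time-limited one-time code. The field names, TTL and code format are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 600            # assumed validity window for a one-time code
MIN_DATA_POINTS = 3              # minimum data points for requesters without an account
VERIFIED_CHANNELS = ("email", "phone")  # the two data points confirmed by one-time code


@dataclass
class Verification:
    """State of one data-subject request's identity verification (hypothetical model)."""
    request_id: str
    has_account: bool
    data_points: dict                    # e.g. {"email": ..., "phone": ..., "zip": ...}
    reauthenticated: bool = False        # set when an account holder logs in again
    codes: dict = field(default_factory=dict)   # channel -> (code, expiry timestamp)
    verified: set = field(default_factory=set)  # channels confirmed so far


def issue_code(v: Verification, channel: str, now: float) -> str:
    """Generate a fresh 6-digit code for the email or phone channel.
    In a real deployment the code is delivered out of band to that channel,
    never echoed back to the requester's browser; it is returned here for testing."""
    if channel not in VERIFIED_CHANNELS:
        raise ValueError(f"channel {channel!r} is not verified by one-time code")
    code = f"{secrets.randbelow(10**6):06d}"
    v.codes[channel] = (code, now + OTP_TTL_SECONDS)   # replaces any earlier code
    return code


def confirm_code(v: Verification, channel: str, submitted: str, now: float) -> bool:
    """Check a submitted code: single use, unexpired, constant-time comparison."""
    entry = v.codes.pop(channel, None)   # pop: a code can be attempted once only
    if entry is None:
        return False
    code, expiry = entry
    if now > expiry or not hmac.compare_digest(code, submitted):
        return False
    v.verified.add(channel)
    return True


def may_fulfil(v: Verification) -> bool:
    """Decide whether the access/deletion request may proceed to fulfilment."""
    if v.has_account:
        return v.reauthenticated
    return (len(v.data_points) >= MIN_DATA_POINTS
            and all(ch in v.verified for ch in VERIFIED_CHANNELS))
```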
3) A list of categories of information your business collects, discloses for a business purpose, or sells
4) For businesses that sell personal information...
As mentioned above, the term "sell" is interpreted broadly under the CCPA. There is an ongoing debate about whether websites ("publishers") that participate in Real-Time Bidding are considered data sellers, since they provide certain pieces of information, such as IP addresses, to an ad network and indirectly gain from this monetarily. We will discuss this in depth in part 4 of this series. It is important to note that even though you might not be selling information in the traditional sense, your data-sharing practices might still be considered CCPA data sales.
A statement that your business sells personal information
The fact that consumers may use authorized agents to exercise their opt-out of sale rights, and a description of how authorized agents can proceed with these requests
A link to the "Do Not Sell My Personal Information" page, which describes a consumer's right to opt out of the sale of their data and directs them to the web form where they can submit their request.
5) For businesses that offer incentive programs…
The CCPA strictly forbids discriminating against consumers for exercising their rights. Discrimination includes charging a consumer who opts out a different price or providing them a different quality of goods or services. The CCPA provides one exception, which allows you to offer a financial incentive for the collection, deletion, sharing or sale of personal information. In this case, the difference in price or the reward for the consumer must be reasonably related to the value provided by the consumer's data.
6) For businesses that handle the personal information of >10 million consumers…
If your business handles the personal information of over 10 million consumers, you must provide insights into certain key metrics:
The number of Data Subject Requests received, split per request type
The median number of days it takes your business to respond to such requests
7) Contact information and last updated date
Best practices and common mistakes
Overview of data-categories collected, disclosed and sold
Apple is a great example:
Strictly speaking, Apple does not provide the consumer with the separate lists mandated by the CCPA. However, consumers can find all the information they need in this matrix, and they can easily distill whether their information is being shared and for which purpose. The information is ordered by product or service offered by Apple, which gives them an easy way to find the section applicable to their data. Many businesses are providing similar tables instead of separate lists. The question is whether the attorney general will accept this method as CCPA-compliant. In our view, all required information is available and cleanly presented to consumers, perhaps in an even better way than stipulated by the law.
Easy to find
Easy to read
As an unwanted result of the myriad privacy laws and regulations that have appeared over the past years, such as the EU GDPR, the ePrivacy Regulation and HIPAA, we have seen long, jargon-filled and complex privacy policies. These policies completely missed the mark: instead of providing consumers with valuable information about their data and empowering them to make sound choices, they created confusion and forced consumers either to give their consent blindly or to walk away and take their business to a more trustworthy company.
Over the past years we have seen a clear paradigm shift, with consumers demanding real transparency about why and how their data is collected. A 2017 study by PricewaterhouseCoopers showed that 88% of consumers say the amount of data they share with a company depends on how much they trust it, and 85% stated they will not do business with a company if they have concerns about its security practices. Smart businesses are adapting to this growing consumer awareness by keeping their privacy policies concise and easy to read and understand. They are replacing legal or technical jargon with shorter, more common phrases that are easily digestible for the average consumer.
Disclaimer: The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational and marketing purposes only.