1. Do You Have Adequate Methods for Submitting CCPA Requests?
Companies must make available to consumers at least two methods for submitting data access and deletion requests. At a minimum, every company covered by the CCPA must provide a toll-free telephone number for submitting CCPA requests at the point of collection.
In addition, if your company has a website, the Proposed Regulations require an interactive webform accessible through your business's website or mobile application for CCPA requests. Other acceptable methods for submitting these requests include, but are not limited to, a designated email address, a form submitted in person, and a form submitted through the mail.
The Proposed Regulations, if adopted, would also require companies that primarily interact with customers in person at a retail location to offer a form that can be submitted in person at the retail location, even if you also have a website. In such cases, the Proposed Regulations would require three methods of submitting requests: toll-free phone, webform, and offline form.
The bottom line is that you cannot rely solely on a webform or email address to receive consumers' CCPA requests. You must also have a toll-free phone number set up to receive calls and, if you operate a storefront, you may need to have an offline form available too.
2. Are You Ready for Offline Data Collection?
We see businesses making the mistake of compartmentalizing CCPA compliance to their IT and website teams. In reality, the requirements in the Proposed Regulations pertaining to offline collection of personal information are perhaps the most burdensome to implement—and easiest to overlook.
3. Does Your Business Have Adequate "Do Not Sell My Personal Information" Notices?
If your business sells information within the broad meaning of the CCPA, then you are required to have a notice or link titled "Do Not Sell My Personal Information" at the point of data collection. This should be an easy-to-read notice that draws the attention of consumers before collection.
For online collection, the CCPA requires a clear and conspicuous link titled "Do Not Sell My Personal Information" be posted on your homepage, or on every single webpage that collects personal information. This link must enable a consumer, or person authorized by the consumer, to opt out of the sale of the consumer's personal information, even if they do not have an account. To be safe, companies may want to post notices directly above all website submission fields, rather than at the bottom of the page or embedded in a footer.
Furthermore, the Proposed Regulations require the "Do Not Sell My Personal Information" notice be available in languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers. It must also be conspicuous and accessible to consumers with disabilities. For many California businesses, this appropriately means having your notices (whether online or offline) be available in Spanish.
4. Have You Trained Your Employees Who Handle Consumer Data?
Under the CCPA, your employees who handle consumers' personal information, or who are responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with the CCPA, must be informed about the requirements of the CCPA. They must also be trained to know how to direct consumers to exercise their rights under the CCPA. This requires establishing and documenting an employee training policy covering all individuals responsible for handling consumer requests or the business's compliance with the CCPA.
The Proposed Regulations prescribe very detailed requirements and time frames for responding to consumers' requests to exercise their CCPA rights. If adopted substantially as proposed, the required employee training will likely involve extensive step-by-step procedures to follow and documentation to produce and keep. In anticipation of receiving consumer requests, employees assigned to the CCPA 'frontline' are raising questions and concerns about how these new rights will play out in real time.
5. Is Your Verification Process Tailored to Your Business's Data Collection?
After receiving a request to access data or request to delete data, businesses are stuck with the difficult task of verifying the request is legitimate. This process should be designed to match collected consumer data with the requesting party's information on record with the business in a tailored and efficient process. To that end, the Proposed Regulations instruct businesses to avoid collecting new personal information during the verification process, to the extent such collection can be avoided, in order to prevent fraudulent and malicious actors from obtaining sensitive personal information.
Thus, while your instinct might be to collect a requesting party's name, telephone, email, and mailing address in order to verify their request, such an approach should be avoided unless you already collected these pieces of personal information. As an example, if your data collection is limited to collecting and selling the IP addresses of website visitors to retargeting ad agencies, you should avoid requesting too many additional data points when verifying consumer requests.
In addition, businesses should be ready for the possibility that an authorized agent or representative, like a parent, guardian, or attorney, is making a request on behalf of a consumer. The Proposed Regulations require that such requests meet a higher bar for verification.
Last, businesses cannot rely solely on pre-existing consumer accounts as a method of verification. You must also be ready to respond to requests in the event that a requesting consumer or authorized agent does not have, or cannot access, a password-protected account.
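The verification principles above (match the requester against attributes you already hold, do not collect new personal information in the process, apply a higher bar to authorized agents, and do not depend on a password-protected account) can be expressed as a small piece of request-handling logic. The following is an added illustration, not code from the article or from any regulator; the record schema, the field names, the normalization rules and the match thresholds are all assumptions chosen for the example.

```python
"""Verifying a CCPA access/deletion request using only attributes the
business already holds for the consumer.

Added example, not part of the original article. The record layout,
field names and thresholds below are illustrative assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample record: the only attributes this (hypothetical)
# business ever collected for one consumer. No account or password exists.
RECORD_ON_FILE = {
    "email": "Jane.Doe@example.com",
    "phone": "+1 (415) 555-0100",
    "zip": "94105",
}

# Assumed policy: a request made by an authorized agent must match more
# attributes than one made by the consumer directly.
REQUIRED_MATCHES = {"consumer": 2, "agent": 3}


def normalize(name: str, value: str) -> str:
    """Canonicalize a value so cosmetic differences do not defeat matching."""
    v = value.strip()
    if name == "email":
        return v.lower()
    if name == "phone":
        # Keep digits only and compare the last ten (assumed NANP numbers).
        return re.sub(r"\D", "", v)[-10:]
    return v


@dataclass
class VerificationResult:
    verified: bool
    matched: list = field(default_factory=list)    # attributes that matched
    mismatched: list = field(default_factory=list) # held attributes that did not
    ignored: list = field(default_factory=list)    # attributes never collected


def verify_request(record: dict, claims: dict,
                   requester: str = "consumer") -> VerificationResult:
    """Compare what the requester asserts against what is already on file.

    Claims for attributes the business never collected are neither compared
    nor retained; they are reported back so the intake form can stop asking
    for them. Nothing in `claims` is ever written into `record`.
    """
    if requester not in REQUIRED_MATCHES:
        raise ValueError(f"unknown requester type: {requester!r}")

    result = VerificationResult(verified=False)
    for name, asserted in claims.items():
        if name not in record:
            result.ignored.append(name)
            continue
        if normalize(name, asserted) == normalize(name, record[name]):
            result.matched.append(name)
        else:
            result.mismatched.append(name)

    result.verified = len(result.matched) >= REQUIRED_MATCHES[requester]
    return result


if __name__ == "__main__":
    # Consumer supplies email and phone in a different format than stored.
    print(verify_request(RECORD_ON_FILE,
                         {"email": "jane.doe@example.com",
                          "phone": "415-555-0100"}))
    # An agent supplying the same two attributes does not clear the higher bar.
    print(verify_request(RECORD_ON_FILE,
                         {"email": "jane.doe@example.com",
                          "phone": "415-555-0100"}, requester="agent"))
```

The design choice worth noting is that the function derives the set of comparable attributes from the record, not from the intake form: an attribute such as a mailing address that the business never collected cannot contribute to verification and is not stored, which is the outcome the Proposed Regulations ask for. For a business whose collection is limited to, say, IP addresses, the same function would leave only that attribute to compare, which also makes visible how little verification such a dataset supports.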
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.