Home Compliance StandardsCalifornia's Cybersecurity RegulationsCalifornia Consumer Privacy Act (CCPA) Privacy Policy Requirements For CCPA
California Consumer Privacy Act (CCPA)

Privacy Policy Requirements For CCPA

by RSI Security
written by RSI Security

People want privacy when it comes to their personal information; however, sometimes they don’t realize how other companies use their information. Third party involvement and the use of online platforms increase the chances that consumer data will be sold or affected by a data breach. Consequently, California took action to empower consumers. Are you aware of the privacy policy requirements outlined by CCPA? Find out everything you need to know with our complete guide. 

 

What Is the CCPA?

In 2018, the California State Legislature passed the California Consumer Privacy Act (CCPA). The act specifies that consumers have a right to know what information is collected about them and a right to forbid the sharing of personal information. Furthermore, it outlines the consequences companies will face for failing to adequately value consumer privacy. Compliance is required by January 1, 2020. Although the CCPA legally affects California companies (and those that interact with California customers) companies based in other states would be wise to review the CCPA requirements as well.

Also Read: What are the penalties for Non-Compliance with CCPA?

 

CCPA Legal Requirements

The CCPA highlights how today’s society requires people to submit personal information, from biometrics to family relations, in order to function as a member of society. For example, simply applying to a job requires at least an address, email, and phone number. Since consumers, in many cases, do not have an option to avoid disclosing personal information, the California legislature determined that it falls to companies both to safeguard collected personal data and strengthen the trust people put in those companies. To further these goals, CCPA compliance includes the following six privacy policy requirements.

 

Assess your CCPA compliance

 

Requirement 1

Consumers have the right to know what information is being collected about them. This grants consumers the right to submit a request for details regarding what personal information is collected. Furthermore, companies are obligated to answer such requests. Good documentation and clear communication internally will assist with such requests. If a request is answered in the negative by an uninformed individual, the company may be liable in the future. For example, a consumer asks if emails are stored and an employee, who does not understand the data collection process, answers no. If the real answer is yes, and the customer confirms this through other sources, a company will likely face legal action. 

 

Requirement 2

Customers have the right to know if personal information is sold or disclosed and to whom. This requirement covers quite a few scenarios. First, if the information is sold, companies must reveal what information category is sold and the name of the third-party to which it is sold. Second, if companies do not sell information, but rather disclose it, they must explain why the information is disclosed. For example, are addresses disclosed for financial transactions to occur? Third, if no information is disclosed or sold, companies must still send the requestee a response detailing that fact. 

Also Read: CCPA vs. GDPR: What’s the Difference?

 

Requirement 3

Consumers have the right to opt-out, meaning they can stop a company from selling their information. A consumer can use this right at any time. Additionally, if a company is going to sell consumer information, they need to alert consumers and clearly offer the opt-out option. The opt-out option requires that departments coordinate efficiently. A company that receives a request to opt-out cannot legally sell information after the date the request is received. However, if the department receiving the request does not immediately notify the department that manages data sales, the information may accidentally be illegally sold. 

 

 

Requirement 4

A consumer who opts-out or requests information shall not be penalized by changes in either price or services provided. This requirement is pretty self-explanatory; however, for the sake of clarity, the CCPA outlines four different prohibited responses to an opt-out request: 

  • denying goods or services to the consumer; 
  • charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties 
  • providing a different level or quality of goods or services to the consumer 
  • suggesting that the consumer will receive a different price/rate for goods or services or a different level/quality of goods or services

 

Requirement 5

As noted above, consumer’s have the “right to know,” and companies are required to clearly disclose information collection activities. CCPA guidelines stipulate that companies must implement at least two methods for consumers to submit information requests and provide a toll-free number. If a consumer requests information, a company is obligated to respond within 45 days and to deliver the information free of charge. If a business uses a website, it must update its privacy policies on the website. Such policies should cover the consumer’s rights, a list of what information is collected, and what information, if any, is sold. A business is only required to supply information once a year to a consumer’s request. 

 

Requirement 6

Companies must actively enable consumers to request information or opt-out. CCPA guidelines require that a  “Do Not Sell My Personal Information” link be clearly visible on a company’s website. Companies cannot require consumers to create an account if they want to opt-out. In addition to informing customers of their rights, companies should make their customer service representatives aware of all consumer rights. If a consumer requests to opt-out, a company must wait 12 months before re-contacting the customer to ask if he/she would like to reconsider. 

 

Deleting Data

In September 2018, California amended CCPA guidelines regarding the “right to erasure.” The amendment stipulates that companies must provide a method for requesting deletion that is “reasonably accessible to consumers.” Under the CCPA, companies are obligated to delete customer data upon request. The amendment simply calls more attention to the deletion clause, a clause that was previously required only within the privacy policies and not as a separate section. However, the “right to erasure” does not apply under several circumstances. These include:

  • Data necessary to complete a transaction related to goods or services
  • Data required to maintain a company-consumer relationship
  • Data used in contracts
  • If data is required for security purposes (e.g., detect a security incident, inhibit fraudulent activity)
  • Public interest research (e.g., statistics)
  • Internal use of data necessary for fulfilling consumer expectations
  • Legal obligations
  • Free speech clause (i.e., exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.)

 

Who Must Comply?

Any business that collects personal information on California residents (and then sells or discloses that information to another party) falls within the purview of the CCPA. According to the CCPA documents, a “business” refers to a sole-proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, that does business in the State of California. Compliance extends to companies based outside of California but that still do business with California residents. Additionally, if a California resident is traveling outside the state, the law still applies to companies collecting information in California. 

Also Read: California’s New Cybersecurity Regulations: Internet of Things law

 

Exemptions

The CCPA does not affect federal regulations already in place that involve collecting personal information — such as the following:

 

Businesses only fall under CCPA guidelines if they:

  • Have annual gross revenues in excess of USD 25 million
  • Sell/disclose/collects/shares the personal information of 50,000 or more consumers, households, or devices
  • Earn 50 percent of revenue from selling the personal information of customers

 

The business exemptions assist smaller entities that, due to limited resources, would likely find it difficult and expensive to conduct CCPA audits and comply with the guidelines. 

 

 

What Does Personal Information Mean?

Since the whole concept of the CCPA involves protecting personal data and one’s right to privacy, it’s worth understanding the definition. CCPA defines “personal information” as information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device. A few examples include names, addresses, property records, products obtained, geolocation data, and sensory data. If the information is publicly available, it does not fall under the CCPA protection. Unfortunately, this definition is on the vague side. What if a person publicly posts information on Facebook? Does it then fall under the “publicly available” category? 

The best option for businesses is to err on the side of caution. If there are any doubts about the status of information, contact a CCPA expert or check out the legislations website.  

 

Non-Compliance Consequences

The Attorney General, in most cases, will penalize non-compliant businesses. The Attorney General deals with statutory violations, with a penalty of up to USD 7,500 per violation. If a company fails to utilize proper security measures which result in the disclosure of consumer information, consumers may sue for USD 100 – USD 750 per violation (or actual damages if greater). 

 

Beginners Guide

If your company deals with California residents but hasn’t considered how to begin CCPA compliance, check out the beginner’s guide below.

 

Step 1: Designate a CCPA Lead 

Like almost all compliance policies, whether privacy or security related, the first step is to have a knowledgeable person at the helm to create a compliance strategy. Even better, assemble a small team tasked with preparing for the 2020 CCPA compliance deadline. A well-rounded team, including both legal and operations experts, will help expedite the compliance process and reduce the likelihood of strategy gaps. 

 

Step 2: Take Stock and Catalog

Review all company processes and catalog what consumer information is needed/collected. For example, create a spreadsheet with columns for type of information, sold, not sold, intended use, and (if sold) to whom. Notably, if a company fails to list a type of collected information in its published privacy policy, that information cannot legally be collected. Consequently, it’s worth doing a thorough examination of operations.   

 

Step 3: Distribution

After carefully cataloging what personal information is collected, if/who it is sold to, and the use of personal information, companies should develop a customer distribution plan. As noted above, the CCPA requires that companies inform their consumers about their rights and make the privacy policy readily available. For example, a company could distribute via email an infographic detailing what and why personal information is collected.

 

Step 4: Categorization

Helen Streck, CEO of Kaizen Infosource, aptly noted: “If you don’t classify (this) data, deleting it upon request is almost impossible, as is complying with other regulatory obligations for recordkeeping.” Companies can utilize the same style of a spreadsheet (or similar organization software) for cataloging (step 2) but must link it to a person versus broad categories of information. For each piece of information collected for an account, companies must record:

  • When it was collected/acquired
  • If it was sold
  • If it was transferred to a third party
  • whether the data falls under federal purview (e.g., HIPAA)
  • If the data was purchased

 

Step 5: Record External Interactions

Since consumers have the right to know how their information is used, companies must meticulously record external relationships that involve consumer data. For example, keep track of what data is sold to whom. For example, consider creating a map linking third parties to the type of personal information they receive. Even if the information isn’t sold, but is disclosed, companies should still note those relationships.  

 

 

Step 6: Establish Easy Deletion and Modification Procedures

Since the CCPA only allows 45 days for companies to respond to a consumer request, having a well-organized, intuitive modification system is crucial. Any such system should accomplish the following procedures:

  • Process consumer requests
  • Verify a request is from a customer whose information is collected
  • Determine where that data is stored (as it may be stored/used in different capacities)

Lastly, make sure to train employees on how to use any such system.

 

Need Help?

California’s law, although passed by only one state, impacts business across the country. Additionally, many of the CCPA guidelines mirror those of the EU’s GDPR guidelines. Taking the time to understand the new privacy landscape will ensure compliance and attract greater customer loyalty. To receive help with your CCPA action plan or to learn more about the CCPA policy requirements in general, contact RSI Security today.

Speak with a CCPA compliance expert today!

 

 

Download Our CCPA Compliance Checklist

Assess where your organization currently stands with being CCPA compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

What is the CCPA Breach Notification Timeline?

April 8, 2022

Data Security Awareness for CCPA Compliance

January 3, 2023

Beginner’s Guide to Privacy By Design Principles

March 13, 2023

How to Meet the CCPA Requirements for Enterprise...

February 25, 2022

CCPA Compliance: What You Need To Know

June 12, 2019

What Are The Penalties For Non-Compliance With CCPA?

June 21, 2019

How Does CCPA Differ From Federal Regulations?

July 24, 2020

What is the CCPA Statute of Limitations?

December 2, 2021

Do Other States Need to Worry About CCPA?

April 8, 2020

CCPA vs. CPRA: What’s the Difference?

February 4, 2021

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More