The California Consumer Privacy Act (CCPA) officially went into effect on January 1, 2020. For a full discussion of how the CCPA and the Attorney General’s proposed regulations will impact businesses, see here. To comply with the law, businesses must implement technical solutions to the CCPA’s various notice, submission, verification, and opt-out of sale requirements. Here are a few technical updates to facilitate compliance with the CCPA.
1. Methods for Consumers to Submit Requests to Know, Access, or Delete
- A U.S. toll-free number (answered by a live person or by voicemail).
- You should also accept requests via the business’s existing customer service email address or a separate dedicated email address for consumer requests.
- If you collect personal information from consumers at a physical location, provide a method to submit a consumer request in person as well.
2. Process for Verifying Requests
- For account holders: Have the user authenticate by entering their login name and password to make the request. Before deleting or disclosing personal information (PI), have the user re-authenticate.
- For non-account holders: For categories of PI, match at least two data points provided by the consumer with reliable data points maintained by the business. We recommend browser ID and device ID. For specific pieces of PI, match at least three data points.
- Sensitive Data: Be mindful to avoid collecting the types of sensitive personal information identified in Civil Code section 1798.81.5(d) when possible. When a user requests access to sensitive information that the business maintains, require the consumer to provide evidence that matches the personal information provided by the business. For example, if the business maintains the consumer’s name and credit card number, require the consumer to provide the credit card’s security code and identify a recent purchase made with the credit card to verify the user’s identity.
3. Do Not Sell Opt-Out Requests
- The Do Not Sell link should take the user to a Notice of Right to Opt-Out containing:
  - A description of the right to opt out;
  - A link to the opt-out method.
4. Notice at Point of Collection
- If you collect personal information from consumers at a physical location, provide on-premise notice at collection.
5. Do Not Track (by April 1, 2020 est.)
- Treat Do Not Track requests from browsers and browser plug-ins where the consumer’s choice is evident as requests to opt out of sale.
6. Authorized Agent
- In Notice of Opt-out, state any proof that would be required if a consumer uses an authorized agent to exercise their opt-out right.
When a consumer uses an authorized agent to submit a request, you may require the consumer to provide authorized agent written permission to do so and to verify their own identity directly with you, but not if the consumer provides the authorized agent with a power of attorney.