The California Consumer Privacy Act (CCPA) officially went into effect on January 1, 2020. For a full discussion of how the CCPA and the Attorney General’s proposed regulations will impact businesses, see here. To comply with the law, businesses must implement technical solutions to the CCPA’s various notice, submission, verification, and opt-out of sale requirements. Here are a few technical updates to facilitate compliance with the CCPA.

1. Methods for Consumers to Submit Requests to Know, Access, or Delete

  • U.S. toll-free number (answered by a live person or by voicemail).
  • Webform that consumers can fill out to make requests. This webform should be available on your website and via your mobile apps (in settings or on the app’s download page). We suggest creating an area on your website called “Privacy Rights Portal” or something to that effect where the webform lives, and including a link to the webform in the business’s privacy policy.
  • You should also accept requests via the business’s existing customer service email address or via a separate email address dedicated to consumer requests.
  • If you collect personal information from consumers at a physical location, provide a method to submit a consumer request in person as well.

2. Process for Verifying Requests

  • For account holders: Have the user authenticate with their login name and password to make the request. Before deleting or disclosing personal information (PI), have the user re-authenticate.
  • For non-account holders: For categories of PI, match at least two data points provided by the consumer with reliable data points maintained by the business. We recommend browser and device ID. For specific pieces of PI, match at least three data points.
  • Sensitive Data: Be mindful to avoid collecting the types of sensitive personal information identified in Civil Code section 1798.81.5(d) when possible. When a user requests access to sensitive information that the business maintains, require the consumer to provide evidence that matches the personal information maintained by the business. For example, if the business maintains the consumer’s name and credit card number, require the consumer to provide the credit card’s security code and identify a recent purchase made with the card to verify the user’s identity.
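As an added example (not code from the original post), a small Python gate that encodes the verification rules above: account holders must have re-authenticated recently before disclosure or deletion, non-account holders must match at least two data points for categories of PI and three for specific pieces, and sensitive data requires additional matching evidence. The re-authentication window, the field names and the sample record are assumptions for illustration.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Minimum matching data points per request scope, as summarised above.
MIN_MATCHES = {"categories": 2, "specific_pieces": 3}
REAUTH_WINDOW_SECONDS = 300  # assumed step-up freshness window; not from the page


@dataclass
class Request:
    scope: str                           # "categories" or "specific_pieces"
    claimed: dict                        # data points supplied by the requester
    account_session: bool = False        # requester is logged in as an account holder
    reauth_at: Optional[float] = None    # timestamp of the most recent re-authentication
    sensitive: bool = False              # response would disclose PI of the kind in 1798.81.5(d)
    evidence: dict = field(default_factory=dict)  # extra proof the requester supplied

def _normalise(value) -> bytes:
    """Case- and whitespace-insensitive form so trivial formatting differences do not fail a match."""
    return " ".join(str(value).lower().split()).encode("utf-8")

def _matches(supplied: dict, record: dict) -> int:
    """Count supplied data points equal to the business's own record, compared in constant time."""
    return sum(1 for k, v in supplied.items()
               if k in record and hmac.compare_digest(_normalise(v), _normalise(record[k])))

def verify(req: Request, record: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a request to know or delete may proceed against the stored record."""
    now = time.time() if now is None else now
    if req.account_session:
        # Account holders: logged in, and re-authenticated recently before PI is disclosed or deleted.
        if req.reauth_at is None or now - req.reauth_at > REAUTH_WINDOW_SECONDS:
            return False, "re-authentication required"
    else:
        needed = MIN_MATCHES[req.scope]
        if _matches(req.claimed, record) < needed:
            return False, f"fewer than {needed} data points matched"
    if req.sensitive and _matches(req.evidence, record) < 2:
        # Sensitive PI: require evidence matching what the business holds, e.g. a recent purchase.
        # (A card security code would be checked with the payment processor, not stored here.)
        return False, "insufficient evidence for sensitive data"
    return True, "verified"

if __name__ == "__main__":
    # Constructed sample record; not real consumer data.
    record = {"name": "Jane Doe", "email": "jane@example.com", "zip": "94110",
              "last_purchase_merchant": "Acme", "last_purchase_date": "2019-12-20"}
    print(verify(Request("categories", {"name": "jane doe", "email": "JANE@example.com"}), record))
```

Failed attempts should also be rate-limited and logged, since matching on guessable data points is only as strong as the limit on guesses; that is outside this block.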

3. Do Not Sell Opt-Out Requests

  • If your company is selling PI, put a clear link titled “Do Not Sell My Personal Information” (or “Do Not Sell My Info”) on your website homepage and on the mobile app download or platform page. You should also put a link in your privacy policy and in the privacy rights portal suggested above.
  • The Do Not Sell link should take the user to a Notice of Right to Opt-Out containing:
    • Description of right to opt out;
    • Link to privacy policy; and
    • Link to opt-out method.

4. Notice at Point of Collection

  • Put a link on the website homepage and on the mobile app download or platform page that leads to a list of the categories of personal information to be collected and the purposes for which they will be used, OR provide a deep link into the section of your privacy policy that addresses this.
  • If you collect personal information from consumers at a physical location, provide on-premises notice at collection.

5. Do Not Track (by April 1, 2020 est.)

  • Treat Do Not Track requests from browsers and browser plug-ins where the consumer’s choice is evident as requests to opt out of sale.

6. Authorized Agent

  • In the Notice of Right to Opt-Out, state any proof that would be required if a consumer uses an authorized agent to exercise their opt-out right.
  • In the privacy policy, explain how consumers can designate an authorized agent to make a CCPA request on the consumer’s behalf.

When a consumer uses an authorized agent to submit a request, you may require the consumer to provide the authorized agent with written permission to do so and to verify their own identity directly with you, but not if the consumer has provided the authorized agent with a power of attorney.