Please note that this article is intended for informational and educational purposes only and does not constitute legal advice.
The much-anticipated California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, with enforcement expected to begin in the summer. The Act grants Californians unprecedented rights regarding the access, sale, and deletion of personal data and stipulates some pretty steep fines for violations.
As a result, companies doing business in California were under pressure to develop and implement a process for handling personal data requests that met all of the compliance measures California Attorney General Xavier Becerra included in the law. Since no fines will be levied until the summer, however, AG Becerra has taken the opportunity to make a few key revisions and clarifications to CCPA based on feedback from California residents and business owners.
Keep reading for an overview of what you need to know as we get closer to CCPA enforcement.
It’s rare to find a business that doesn’t collect customer information in some form or fashion. Whether your company collects shoe sizes or IP addresses, however, doesn’t really matter—what matters is whether or not that data is stored in a way that could link it to an individual customer or group of customers from the same household.
If you can be completely positive that your company does not retain or house customer data in a way that could directly or indirectly connect it to an individual or group of people, then you don’t need to consider that data to be personally identifiable information (PII).
That being said, the average customer is far better educated about personal data privacy today than even five years ago. If you value strong relationships with your clients and want to ensure that your customer experience remains top-notch, be transparent in your privacy policy regarding the types of data your company collects and how (or if) those data types are associated with others.
Companies that sell PII must provide Californians with a way to indicate their wish that the company not sell their information. The simplest way to do this and ensure your company’s compliance with CCPA regulations is to use the opt-out button designed by the California AG’s office:
This button can’t be used on its own, however. You’ll need to work with your web team to ensure that the button appears to the left of a link labeled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” See below for what the button and the link should look like together:
Remember to point the link either to a page on your website or the section of your company’s privacy policy that explains the customer’s right to opt out of the sale of their personal information.
In the original iteration of the law, businesses were required to employ a two-step process for customers requesting deletion of their personal information. First, the customer would submit a deletion request, and then they would be required to confirm that they did indeed want the company to delete their information.
Under the updated regulations, companies can certainly still offer this two-step process for data deletion requests, but they are not legally required to do so.
If you were paying attention to the first round of CCPA news, you probably have a 45-day turnaround time in mind. That’s still accurate, but there are additional details to account for going forward.
When it comes to personal data requests under CCPA, there are several important things to keep in mind:
CCPA represents a huge step forward in consumer data privacy, but it can also present a compliance minefield for businesses that don’t stay up to date on revisions issued by AG Becerra’s office.
At IDology, we’re committed to providing you with the information you need to stay in the know when it comes to CCPA as well as the tools to help your organization stay compliant as you handle personal data requests. Contact us or request a demo of our solutions today.