Like with any law, you will face penalties if you don’t comply with the California Consumer Privacy Act (CCPA). Since businesses are at risk of being held liable if they fail to follow the CCPA compliance guidelines, we think it’s a pretty smart question to be asking!
As such, it’s important to know all of the requirements you need to meet as well as what steps you’ll need to take to be CCPA compliant. So, to give you a better idea of how to accomplish that, let’s start by discussing the company’s privacy policy.
Changing Your Privacy Policy
Since the CCPA is largely meant to protect the privacy of Californians, naturally you will have to change your privacy policy in order to comply.
More specifically, your privacy policy needs to be explicit about what information is being collected and processed by the company. If you want to avoid potential lawsuits, be as meticulous about this as possible and don’t take shortcuts.
The big thing you need to consider when rewriting your privacy policy is that it needs to include information about the selling of users’ information.
What do we mean by selling?
In most cases, if your company sells your consumer data, you will already know. But for those of you who aren’t sure, this is when a company or business sells personal information about their customers and clients to advertisers. The company benefits from the money and the advertisers benefit from extended reach.
While this is perfectly fair and common, consumers need to know about it. If there is even a possibility that your company will engage in selling users’ information, it needs to be included in your privacy policy.
Mention Consumer Rights
It is also important to include what rights a consumer may have under the CCPA. This should include language for both of the following:
- the right to make requests
- the right to not provide their personal information (opt-out)
Your privacy policy should educate consumers on what control they have over their personal information. One reason this is so important is that it prevents consumers from arguing that they “didn’t know” if a lawsuit were to be filed.
Make Sure Your Privacy Policy Explains The Who
This may not seem like your responsibility, but in order to be compliant with the CCPA, your privacy policy should explain who is affected by CCPA and who CCPA applies to.
A consumer should be able to tell by looking at your privacy policy whether they are eligible for the protections provided by CCPA.
Your policy needs to be explicit about which aspects of it apply to whom so that you don’t run into legal trouble down the line.
This is a bit of a preventative measure, but if you want to learn how to be CCPA compliant, this is a big part of it.
Say you have a consumer that finds out a month later that they have been eligible for the rights of CCPA without knowing it. They provided their personal information thinking they had to and you sold it. Now they’re complaining because they didn’t want to provide the information and they didn’t want it sold, and they’re going to take it to court.
If you were honest and open about who CCPA applies to in your privacy policy and your policy was easily accessible, they have no case. If you weren’t, well, you could have a problem.
FURTHER READING: What is the California Consumer Privacy Act?
Explain Why You’re Collecting User Data
When going over your privacy policy, make sure that it includes information on why the user’s personal information is needed or is being collected.
If the reason you ask for personal information is that you need it to adequately provide a quality service then this will only be to your benefit. Consumers can relax knowing that your reasons are nothing more than product-related.
If the reason is that you want to sell personal information, consumers can go either way. Maybe they’ll be relieved that there’s nothing sketchy going on with their name and email. And maybe they’ll take a step back and say “No, thanks. I’ll opt-out.”
But as long as you are upfront and fully disclose why you are asking for personal information, you’ll legally be in the clear.
Learn about California Consumer Privacy Act (CCPA) exemptions.
How Can Consumers Opt-Out
This is the biggest one. Users need to not only know how their information is being collected but how they can exercise their rights as granted by the CCPA.
First, How Is The Information Being Collected?
Are they providing it themselves, or are you going elsewhere to acquire the information? Does simply being on your site mean that some of their personal information has been collected?
These are questions that your privacy policy needs to answer.
It also needs to tell them how they can opt-out of giving personal information. Is there a button that they need to click on? Is there a link? Do they need to fill out a form online? If so, how can they access this form?
Your privacy policy needs to inform consumers on how they can submit requests. This includes requests to delete information or to know in more detail how their information is being handled.
Provide them with two or more methods for how they can make requests. At a minimum, you should provide a phone number and a web address. This is not a step that can be skipped. The way in which a consumer may exercise their rights needs to be readily accessible.
How Will You Verify Identity Of Consumers To Process Their Requests
Finally, your privacy policy should include your method for verifying the identity of anyone who makes a request. Consumers need to know that you have a way of confirming that it was they who requested to access, change, or delete the personal information that you collected.
This will force you to have a method, which will help you stay CCPA compliant since you will be able to fulfill their request in a timely fashion. It will also reassure consumers that no one else will be able to access or change their personal information.
FURTHER READING: Who Must Be CCPA Compliant? Does it apply to me?
CCPA Compliance Beyond Privacy Policy Updates
Unfortunately, your privacy policy isn’t the only thing that may need some adjusting. You will also need to alter your overall processes to make sure that you are in full compliance.
Consent
Although this may not be relevant for your company, if any part of your business involves minors, you need to obtain their consent to access their personal information.
According to the CCPA, a minor is someone under the age of 16.
- For minors between the ages of 13 and 16, you can obtain consent directly from them.
- For minors under the age of 13, you must obtain consent from their parent or guardian.
You need to have a consistent and thorough method for obtaining this consent, and you should always keep a record proving that consent was given. These records should be easily accessible and kept together should you need to provide proof down the line.
Treatment of Individuals Who Opt-Out
If a consumer opts out of giving you their personal information, the CCPA prevents you from treating them any differently.
This means that you cannot:
- raise the price of a product/service
- alter the quality of a product/service
- or deny the product/service altogether
The only exception to this is if you require the consumer’s personal information to maintain the quality of the product/service or to provide the product/service at all.
How Will You Handle Consumer Requests?
You need to have a process for handling consumer requests once the request has been received.
This process is completely up to you; however, all requests must be completely free of charge and you must respond to and/or comply with the request within 45 days of receiving it.
How Will You Secure Consumer Data?
This is a preventative measure. If you want to ensure that there is no risk of a consumer suing your company, you will want to strengthen your security regarding the handling of personal information.
Do what you can to make sure that no one else can get access to it without your permission. The less risk there is of an unauthorized person accessing or mishandling the information, the less risk there is of a lawsuit.
How Will Your Homepage Need To Be Changed?
For the most part, your homepage can stay exactly as it is—and you will not have to forfeit creativity or functionality.
However, your homepage does need to have a “Do Not Sell My Personal Data” link somewhere on it. The link should be easily seen and accessed, and it needs to be functional.
Users must be able to access this link and perform this action without needing to make an account on your site.
Broaden Your Understanding of CCPA Compliance
One of the best things that you can do to make sure that you are always in CCPA compliance is to fully understand everything that CCPA entails. This will help to make sure that you and your employees do not violate the rights protected by the CCPA and avoid a legal scandal.
The Rights
Make sure that you and your employees know and understand the rights that Californians have under the CCPA. You should also know what is required of businesses to make sure that consumer rights aren’t violated.
Exceptions
This also means that you should familiarize yourself with the exceptions to the rules. If you find yourself in a bind trying to uphold CCPA compliance, an exception may release you.
Lawsuits
You and all of your employees should understand that a consumer can sue for damages in the event that their personal information is breached. This could be the result of a security issue or a request that is not complied with.
All Day, Every Day
Keep in mind that the CCPA is ALWAYS in effect. The only exception to this is if complying with the CCPA violates federal, state, or local laws.
Training
You aren’t the only one that needs to understand this law backwards and forwards. If you want to be sure that you are in compliance, train your employees. Make sure that they know the procedures that have to be followed, and that they are provided with any and all updates made to the law.
It is also important to inform them whether these procedures and regulations are applied only to Californians. Whether you choose to apply these regulations to only Californians or to all consumers is up to the company’s discretion.
What Does The CCPA Not Do?
There are two big things to remember when trying to discern what the CCPA does and does not require of you.
- For people over the age of 16, you are NOT required to obtain consent for the collection and processing of their personal information. This does not mean that you can abstain from providing them the means to opt-out or request the deletion of their personal information.
- You do NOT need to obtain consent to sell personal information, but you do need to have the “opt-out” option linked on your homepage.
Make Data Mapping A Part Of Your CCPA Compliance Project
One thing that you can do to stay fully aware of everything regarding the personal information of users is data mapping.
What Is Data Mapping?
Data mapping is a process used in data warehousing by which different data models are linked to each other using a defined set of methods to characterize the data in a specific definition.
—Techopedia
Data mapping will help you determine the what, why, and where of a user’s personal information. You will have thorough data on the types of information collected, why it was collected, and where it is.
Having this information at your fingertips will help minimize the risk of violating the CCPA in the event that any of that information is requested. It will also allow you to construct a thorough privacy policy more quickly and update it if necessary.
You may also want to request that any third-party vendors do this as well if they have access to and/or possess any consumers’ personal information. This will help you cover all of your bases when it comes to handling consumers’ personal information.
FURTHER READING: Web Design Standards: Guidelines for Consistency
CCPA is expected to come into effect at the beginning of 2020 and companies will be expected to be in CCPA compliance come the middle of the year.
However, updates may be made to the law. In fact, several have already been made since the writing of the law! So you will want to keep yourself and your employees informed.
As long as you familiarize yourself with the rights protected by CCPA and what is required of you, you should be in a good place to prepare for CCPA compliance.