Are You California Consumer Privacy Act Compliant? 5 Common Mistakes Companies Make
After nearly 18 months of amendments, legislative debate, and public anticipation, the California Consumer Privacy Act (CCPA) finally went into effect on January 1, 2020. If your company does business in California and you have been following the CCPA (or read our prior articles), you have undoubtedly spent a significant amount of time preparing for the CCPA’s arrival. Perhaps you overhauled your website, privacy policy, and employee handbook. But are you truly meeting the CCPA’s requirements as informed, if not bound, by the Attorney General’s Proposed Regulations? Here are five common pitfalls we see even the most conscientious businesses making.
1. Do You Have Adequate Methods for Submitting CCPA Requests?
Companies must make available to consumers at least two methods for submitting data access and deletion requests. At a minimum, every company covered by the CCPA must provide a toll-free telephone number for submitting CCPA requests at the point of collection.
In addition, if your company has a website, the Proposed Regulations require an interactive webform accessible through your business’s website or mobile application for CCPA requests. Other acceptable methods for submitting these requests include, but are not limited to, a designated email address, a form submitted in person, and a form submitted through the mail.
The Proposed Regulations, if adopted, would also require companies that primarily interact with customers in person at a retail location to offer a form that can be submitted in person at the retail location—even if you also have a website. In such cases, the Proposed Regulations would require three methods of submitting requests: toll-free phone, webform, and offline form.
The bottom line is that you cannot rely solely on a webform or email address to receive consumers’ CCPA requests. You must also have a toll-free phone number set up to receive calls and, if you operate a storefront, you may need to have an offline form available too.
2. Are You Ready for Offline Data Collection?
We see businesses making the mistake of compartmentalizing CCPA compliance to their IT and website teams. In reality, the requirements in the Proposed Regulations pertaining to offline collection of personal information are perhaps the most burdensome to implement—and easiest to overlook.
For example, businesses that operate storefronts and collect data offline should (as discussed further below): have available printed CCPA request forms, privacy policies, and notices at the point of collection; train employees who collect personal information; and post conspicuous signage, including “Do Not Sell My Personal Information” notices, within their stores. The Proposed Regulations’ emphasis on offline signage and the availability of printed forms prior to collection suggests that merely including the URL of your homepage (or even, perhaps, your privacy policy) on a receipt, i.e., after collection of personal information, is likely insufficient.
3. Does Your Business Have Adequate “Do Not Sell My Personal Information” Notices?
If your business sells information within the broad meaning of the CCPA, then you are required to have a notice or link titled “Do Not Sell My Personal Information” at the point of data collection. This should be an easy-to-read notice that draws the attention of consumers before collection.
For online collection, the CCPA requires a clear and conspicuous link titled “Do Not Sell My Personal Information” be posted on your homepage, or on every single webpage that collects personal information. This link must enable a consumer, or person authorized by the consumer, to opt out of the sale of the consumer’s personal information, even if they do not have an account. To be safe, companies may want to post notices directly above all website submission fields, rather than at the bottom of the page or embedded in a footer.
For offline collection, the Proposed Regulations require companies to provide the consumer with a paper version of their notice, or post prominent signage directing consumers to the web address where the notice can be found before any personal information is collected. For example, if your cashier collects email addresses at a retail location, you should have a “Do Not Sell My Personal Information” notice posted, a paper version of your privacy policy available, or prominent signage directing consumers to the web address where the notice can be found.
Furthermore, the Proposed Regulations require the “Do Not Sell My Personal Information” notice be available in languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers. It must also be conspicuous and accessible to consumers with disabilities. For many California businesses, this appropriately means having your notices (whether online or offline) be available in Spanish.
4. Have You Trained Your Employees Who Handle Consumer Data?
Under the CCPA, your employees who handle consumers’ personal information or are responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA must be informed about the requirements in the CCPA. They must also be trained to know how to direct consumers to exercise their rights under the CCPA. This requires establishing and documenting an employee training policy to ensure that all individuals responsible for handling consumer requests or the business’s compliance with the CCPA are informed of these requirements.
The Proposed Regulations prescribe very detailed requirements and time frames for responding to consumers’ requests to exercise their CCPA rights. If adopted substantially as proposed, the required employee training will likely involve extensive step-by-step procedures to follow and documentation to produce and keep. In anticipation of receiving consumer requests, employees assigned to the CCPA ‘frontline’ are raising questions and concerns about how these new rights will play out in real time.
How does this play out for offline data collection? Think again to the example of a cashier collecting a phone number or email address. These items of data are specifically enumerated pieces of personal information under the CCPA. As such, the collecting employees are required to have training on the CCPA, or, at a very minimum, know how to direct consumers to exercise their rights and provide accessible copies of the business’s privacy policy prior to collection.
5. Is Your Verification Process Tailored to Your Business’s Data Collection?
After receiving a request to access data or request to delete data, businesses are stuck with the difficult task of verifying the request is legitimate. This process should be designed to match collected consumer data with the requesting party’s information on record with the business in a tailored and efficient process. To that end, the Proposed Regulations instruct businesses to avoid collecting new personal information during the verification process, to the extent such collection can be avoided, in order to prevent fraudulent and malicious actors from obtaining sensitive personal information.
Thus, while your instinct might be to collect a requesting party’s name, telephone, email, and mailing address in order to verify their request, such an approach should be avoided unless you already collected these pieces of personal information. As an example, if your data collection is limited to collecting and selling the IP addresses of website visitors to retargeting ad agencies, you should avoid requesting too many additional data points when verifying consumer requests.
In addition, businesses should be ready for the possibility that an authorized agent or representative, like a parent, guardian, or attorney, is making a request on behalf of a consumer. The Proposed Regulations require that such requests meet a higher bar for verification.
Last, businesses cannot rely solely on pre-existing consumer accounts as a method of verification. You must also be ready to respond to requests in the event that a requesting consumer or authorized agent does not have, or cannot access, a password-protected account.
Buchanan helps businesses nationwide implement best practices and stay abreast of the ever-changing landscape of consumer protection laws. Contact us if you or your business have questions regarding the CCPA in general or how to stay compliant.