CCPA Compliance: 4 Things You Should Know - Part 1

Regulation ¦ June 16th, 2020, 10:00 pm

The California Consumer Privacy Act (CCPA) enforcement deadline of July 1st, 2020, is coming closer by the day. With that, it’s time to ask yourself whether your business is ticking all of the CCPA’s boxes. In this short 4-part series, we will look at the key topics to address and how to tackle them.

The CCPA Privacy Policy

The privacy policy is one of the most important forms of communication with your customers about your data-handling practices. Therefore, it is essential to write it in a tone that the average consumer can easily understand, and to be transparent and clear.

Below we outline regulatory must-haves, best practices and common mistakes made with the CCPA privacy policy.

Ready to get started? Find our template CCPA privacy policy here.

Must-haves

A CCPA-compliant privacy policy consists of several indispensable building blocks:

1) A summary of the consumer’s rights and how to exercise them

Consumers have the following rights:

  • The right to request a copy of their personal information (‘specific pieces of information’), or a list of the categories of information your organization has on them, including a list of sources, purposes for collection and categories of third parties the data has been shared with.

  • The right to request the deletion of information

  • The right to opt out of the sale of their personal information. The term sale is interpreted broadly under the CCPA and includes any transfer of data for monetary consideration. We will outline the most important things to know about Do Not Sell requests in part 4 of this series. If your organization does not sell information as per the extensive CCPA definition, you should state this fact.

  • The right not to be discriminated against for exercising any of these rights.

Your CCPA privacy policy should explain to consumers that they have these rights and how to exercise them, for instance by using a web form (such as the one powered by Datawallet), by phone or by email.

2) A description of your organization’s request verification process

Before responding to requests to access or delete personal information, you are obligated to verify the identity of the requestor. For example, Datawallet Compliance offers a built-in identity verification mechanism, which asks customers who have a password-protected account with your business to re-authenticate themselves by logging in. Customers without an account are asked to provide a minimum of three data points, of which two (the phone number and email address) are verified by sending a one-time code.

This process should be described in your CCPA privacy policy. 

3) A list of categories of information your business collects, discloses for a business purpose, or sells

As preparation for compiling such lists, it is useful to prepare an internal data map and/or data inventory, in which you describe exactly which data categories you collect; in which elements or products they are used; from which sources and for which purposes they are collected; with which third parties they are shared; where they are stored; who is responsible for them; who has access to them; and how often they are deleted or archived. This data map or inventory should be a living document that is continuously updated as data sources and flows change. It should remain an internal document, which you can use to quickly locate data once an access or deletion request comes in. You can also use it as the foundation for the information contained in your public-facing CCPA privacy policy.

The CCPA mandates that your privacy policy includes separate lists for the information you collect, the information you disclose for a business purpose, and the information you sell. You should also provide the sources of the information and the purposes for collection. For the latter two lists, you should include information about the categories of third parties the data is shared with.

4) For businesses that sell personal information...

As mentioned above, the term ‘sell’ is interpreted broadly under the CCPA. There is an ongoing debate about whether websites (‘publishers’) that participate in real-time bidding are considered data sellers, since they provide certain pieces of information, such as IP addresses, to an ad network and, indirectly, gain from this monetarily. We will discuss this in depth in part 4 of this series. It is important to note that even though you might not be selling information in the traditional sense, your data-sharing practices might still be considered CCPA data sales.

If you are a CCPA data-seller, you are obligated to include the following in your CCPA privacy policy:

  • A statement that your business sells personal information

  • The fact that consumers may use authorized agents to exercise their opt-out-of-sale rights, and a description of how authorized agents can submit these requests

  • A link to the ‘Do Not Sell My Personal Information’ page, which describes a consumer’s right to opt out of the sale of their data and directs them to the web form, where they can submit their requests. 

  • If you are catering to minors below 16 years old, it is important to note that they must actively opt in to the sale of their data, instead of only having a right to opt out. Your privacy policy should include information about how they can provide and withdraw this consent. You should also describe your business’ process for verifying the identity of parents or legal guardians.

5) For businesses that offer incentive programs…

The CCPA strictly forbids discriminating against consumers for exercising their rights. Discrimination includes charging a consumer who opts out a different price or providing him/her a different quality of goods or services. The CCPA provides one exception, which allows you to offer a financial incentive for the collection, deletion, sharing or sale of personal information. In this case, the difference in price or the reward for the consumer must be reasonably related to the value provided by the consumer’s data.

If you are offering such an incentive program, you should describe the details in your privacy policy: how it works, how consumers can opt in and how they can withdraw. You should also detail how you calculate the value of consumer data, and provide a good-faith estimate of the value of different information types.

6) For businesses that handle the personal information of >10 million consumers…

If your business handles the personal information of over 10 million consumers, you must provide insights into certain key metrics:

  • The number of Data Subject Requests received, split per request type

  • The median number of days it takes your business to respond to such requests

You can either directly display these numbers in your privacy policy or link to them. 

7) Contact information and last updated date

Last but not least, you should always include your business’ contact information and the date the policy was last updated. Be aware that you should update your privacy policy at least once every twelve months.

Best practices and common mistakes

Overview of data-categories collected, disclosed and sold

As mentioned above, the CCPA dictates that your privacy policy includes separate lists: one list of data categories collected, a second list of the categories disclosed for a business purpose, and a third list of the categories that are sold. Some businesses have chosen not to force their customers to scroll through multiple lists, and instead present the information in a table format.

Apple is a great example:

Strictly speaking, Apple does not provide the consumer with the separate lists mandated by the CCPA. However, consumers can find all the information they need in this matrix, and they can easily see whether their information is being shared and for which purpose. The information is ordered by product or service offered by Apple, which gives consumers an easy way to find the section applicable to their data. Many businesses provide similar tables instead of separate lists. The question is whether the attorney general will accept this method as CCPA-compliant. In our view, all required information is available and cleanly presented to consumers, perhaps in an even better way than stipulated by the law.

Easy to find

Your CCPA privacy notice should be easy to find on your website, so that your customers don’t need to spend any time searching for key information about their rights and how to exercise them. It is advisable to provide a separate link to your California Privacy Policy in the footer of your website, right next to the link to your US/worldwide privacy policy, visible on every page of your website and just as conspicuous as any other link in the footer. Clicking this link could either redirect the consumer to a separate page containing only the CCPA privacy policy, or to the CCPA-specific section within your US/worldwide policy that details the information directed at California residents.

Easy to read

As an unwanted result of the myriad privacy laws and regulations that have appeared over the past years, such as the EU GDPR, the ePrivacy regulation and HIPAA, we have seen long, jargon-filled and complex privacy policies. These policies completely missed the mark: instead of providing consumers with valuable information about their data and empowering them to make sound choices, they created confusion and forced consumers either to blindly give their consent or to walk away and take their business to a company they trust more.

Over the past years we have seen a clear paradigm shift, with consumers demanding real transparency about why and how their data is collected. A 2017 study by PricewaterhouseCoopers showed that 88% of consumers say the amount of data they share with a company depends on how much they trust it, and 85% stated they will not do business with a company if they have concerns about its security practices. Smart businesses are adapting to this growing consumer awareness by keeping their privacy policies concise and easy to read and understand. They are replacing legal or technical jargon with shorter, more common phrases that are easily digestible for the average consumer.

Datawallet can help you make sure that your privacy policy is phrased in the best way possible. Our Consent Manager gives your consumers real clarity on your data-handling practices, so that they can easily decide to provide or revoke consent. 

Sign up now to use our DSR Manager for free (no credit card required), or immediately.  

Disclaimer: The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational and marketing purposes only.
