Updated: Sept. 28, 2020
Originally Published: Aug. 6, 2020
While many of us have been busy trying to figure out what to watch next on Netflix, the California Attorney General (AG) has been busy moving the California Consumer Privacy Act (CCPA) forward.
On June 1, the California AG submitted the final regulations for the CCPA. These regulations are an extension of the original law. In addition to publishing the new regulations, starting July 1 the California AG began enforcing the original version of the CCPA.
Now that enforcement is in full swing, you’ll want to ensure your business is compliant with the CCPA’s full scope. While many people are familiar with the initial requirements, the proposed final regulations add additional steps for compliance.
Overview of Updates to the Original CCPA Law
Here are just a few of the takeaways from the newly proposed additions:
1. Notices to Consumers
Including the required CCPA notices in your privacy policy isn’t the only notice you’re required to provide. Now, you must provide notice at the point of collection.
Your point of collection notice should include the categories of personal information (PI) that are being collected and the business purpose for collecting them. This notice must be simple and free of legal jargon, and it must also comply with the WCAG 2.1 accessibility guidelines. You may link to your privacy policy as part of the notice at the point of collection, but the link must go to the section that directly applies to the data you’re collecting.
2. Privacy Policy
The new regulations also provide a broader definition of what information needs to be included in a company’s privacy policy, such as:
- The Right to Know About Personal Information Collected, Disclosed, or Sold
- The Right to Request Deletion of Personal Information
- The Right to Opt-Out of the Sale of Personal Information
- The Right to Non-Discrimination for the Exercise of a Consumer's Privacy Rights
- How authorized agents can submit requests on a consumer's behalf
- A contact consumers can use for questions
- The date the privacy policy was last updated
3. Handling Consumer Requests
The original CCPA law laid out several requirements for businesses when collecting and processing consumer information. One of the first significant changes is that companies that operate exclusively online will now only be required to provide an email address for consumers who wish to submit requests. This change removes the toll-free phone number requirement for online-only businesses. In addition to this clarification, the regulations also clarify how businesses select the methods by which users submit requests and how to manage incorrectly submitted requests.
Once these new regulations become law, companies will need to respond to requests within 10 business days. Responses must confirm receipt of the request and provide an overview of what the requester can expect for the remainder of the process. The new regulations also add further detail on internal training and record keeping.
The full list of regulations totals 29 pages and provides much-needed clarification on the original text of the law. In addition to the 29 pages of regulations, the AG also published a final version of the Statement of Reasons. This document outlines the thinking behind the development and changes to the regulations.
What to Do if You’re Not Yet CCPA Compliant
If you haven’t begun the process of CCPA compliance yet, don’t panic! You’ll want to start as soon as possible, though. The best place to begin is to work with your legal team to understand if your organization is required to comply with the law. Remember, just because your business doesn't operate out of California doesn’t mean it’s exempt from CCPA compliance.
If your company is required to comply with the law, you’ll want to perform an audit of how you collect and store personal information. Your audit should include data that comes in via your website and other channels, as well. (Here are some additional steps we recommend you take.)
Once you’ve completed your audit, you’ll need to establish and document processes around responding to and receiving requests. Your processes will need to extend to any third parties with whom you share or sell information.
Now that you have processes in place and your team is thoroughly trained, you’ll need to update your website to support your processes. First, you’ll need to implement methods for allowing users to opt-out of data collection. Online data privacy tools can go a long way in helping with this. Remember, you’re required to receive consent at the point of data collection. In addition to adding opt-out methods, you’ll need to update your privacy policy to inform users of their rights.
Final Thoughts
As more data privacy laws are passed, companies will need to understand what data they’re collecting and how to respond when consumers exercise their rights. While every privacy law requires slightly different compliance steps (and will likely continue to do so for the foreseeable future), the first step to take toward compliance with any privacy law is an audit of your data.
If you need help with a website data audit, choosing or implementing online privacy compliance tools, or even just advice on the best way to achieve online compliance, don’t hesitate to contact us. We’ve worked through many online CCPA and other privacy regulation compliance projects with our clients and are happy to help!