CCPA Compliance: What Do You Do When a User Opts Out?
Published: June 29, 2020
Author: Joe Stanton
On July 1, 2020 the California Attorney General begins enforcing the California Consumer Privacy Act (CCPA), which has been in effect since January 1, 2020. The law applies to for-profit businesses that collect California residents' personal information and meet one of its size thresholds (annual gross revenue, volume of consumer, household or device data, or share of revenue from selling personal information), and it seeks to give individual California residents more control over the collection and distribution of their personal information. Though similar in scope and purpose to the EU's GDPR, CCPA defines personal information more specifically: it covers any data that can reasonably be linked, directly or indirectly, to a consumer, and extends that definition to a household and to a device.
Allowing users the chance to protect their PI is great – but only if you respect their request. In practice, this means you must:
- Create a process to enforce opt-out-of-sale and deletion requests, both internally and with service providers and vendors. A deletion request you honor in your own systems but never pass to a processor that still holds the data is not honored.
- The CCPA gives users the right to a copy of the personal information a company has collected about them. Ensure that you can locate and export all PI for a California consumer within 45 days of a verified access request. The statute allows a single extension of up to 45 more days (90 days in total) when reasonably necessary, but only if you notify the consumer of the extension, and the reason for it, within the initial 45-day period; so if you cannot confidently act within 45 days, make sure both the notice and the export can happen within 90.
- Provide at least two methods for submitting requests. A business with a brick-and-mortar presence must offer a toll-free number, and a business with a website must also offer a web form or similar online channel; only a business that operates exclusively online and has a direct relationship with the consumer may rely on an email address alone.
- Create a system and process to verify the identity of users making data-related requests, especially those asking for a copy of their data. Verification should match information the requester supplies against data you already hold (without asking for more personal information than the check needs), require a higher level of assurance for sensitive data, and never disclose which data points matched. Given the nature of the data involved, this step is crucial: an access request answered without verification turns the access right into a data-exfiltration channel for anyone who knows a victim's email address.
- Create a playbook, including template responses and guidance, for customer service personnel handling data-related requests.
- Train the same personnel, along with any others responsible for general CCPA compliance, in how to handle data-related requests. Make sure to document the training sessions themselves and to document any training materials.
- Determine which deletion requests you may decline, in whole or in part, under the statute's exceptions, such as data needed to complete a transaction, to detect security incidents or fraud, or to comply with a legal obligation. Document each exception you rely on and tell the consumer which data was retained and why. For archived copies and automated backups, the implementing regulations allow deletion to be deferred until the archived data is next restored or accessed, so record the request and delete the data if and when a restore happens.
- If you work with vendors, understand what data flows between you and each vendor and how it flows, and examine the current contractual relationship. Assess whether CCPA contract addenda (service-provider terms that restrict the vendor's use of the data and require it to honor deletion requests) are needed, and obtain them where they are.
In addition to the actionable items above, it is strongly recommended to use a consent-management and request-tracking system so that every opt-out, access, and deletion request is logged, routed to the right systems and vendors, and checked against its deadline, rather than handled by hand.
CCPA is the first comprehensive consumer privacy law of its kind in the United States (and we've put together a common-sense guide to CCPA compliance). Other states are beginning to follow suit and enact similar legislation governing the distribution and storage of an individual's personal information. As long as the public continues to demand that companies be held accountable for data security, the burden will fall on data controllers and processors to provide those protections. Instead of waiting for the next wave of legislation, prudent companies will take the initiative now: build vendor partnerships that emphasize respect for and protection of consumer data, and create, implement, and continuously improve a process that lets consumers keep control over their data.