The California Consumer Privacy Act regulates the collection of data from California residents and households.
It gives consumers the right to know what information your business collects about them and how that information is used. It also establishes a right to say no to the sale of their data to third parties.
The following five steps can help you comply with the CCPA and protect the rights of online users.
Step 1: Update Privacy Notices and Policies
The information on your Privacy Policy page should outline the specific personal information collected through your website, as well as the category the information use falls into.
The purpose of this collection should also be included on this page. Update privacy policies to include the rights guaranteed through the CCPA.
Step 2: Develop Process of Tracking Data Collection
Websites will need to track data collection and business processes, as outlined above.
Third parties will also need to be noted, including products, devices, and applications that may also access user information. Add columns identifying:
- Data “sold”
- Categories of information shared with third parties
- HIPAA, the FCRA or other laws that make data from the CCPA scope excused
- Data collected over 12 months ago, making it excused from the CCPA law
Step 3: Inform Users of Their Rights
CPAA guarantees specific rights to California users who visit your website.
- Right to Notice: notify users about the personal information collected and why it is being collected. This notice should occur on the first page users encounter on your website.
- Right to Access: users have the right to request their personal information that is being collected. This information should be delivered by mail or electronically.
- Right to Know: users have the right to request the categories of personal information collected, how the information was collected (the sources), why the information was sold, if applicable, what third parties also receive the information, and the specifics of personal information collected by the website.
- Right to Delete: notify users about the right to request deletion of personal information collected about them.
- Right to Opt Out: notify the consumer of the steps to opt out of the sale of personal information, if applicable.
- Right to Notification of Financial Incentive: users have the right to know that by opting out or deleting information, that they might miss out on different prices, rate, level or quality of goods/services if directly related to the use of consumer data.
- Right Not to Be Discriminated Against: no bias may exist on users who opt out/delete their personal information. These biases include:
-
- Refusing goods/services
- Changing prices or rates for goods or services, including discounts, benefits or penalties.
- Changing the quality of goods or services.
- Implying that users who opt out or delete personal information have a different price for goods or services, or a different quality of goods or services.
Companies must also provide at least two of the following to submit requests for information:
- A toll-free telephone number
- A website address
- An email address
Step 4: Check Security Measures
Make sure you don’t have any excess information being shared with third parties. Find your data risks and determine the best way to alleviate the risk.
Step 5: Training
Train your staff on the best way to handle both personal information of users and requests for personal information from users.
Designate one individual to be the point person on data collection and the maintenance of staying within CCPA.
The bottom line is that consumers want to know what personal information you are collecting about them. They also have the right to decide whether or not they want you to collect that information.
The easiest way to comply with the CCPA would be to have a pop-up for anyone visiting the site for the first time from a specific date informing them that their personal information is being collected. If they would like to learn more or opt out they can visit your privacy policy page and link in the policy page to the pop-up. Then, on your privacy page, include all the pertinent information above.
