Many businesses don’t realize that the CCPA even covers internal data collection from employees and job applicants. While these consumers don’t have the right to submit privacy requests, such as a request to delete, businesses still must inform them as to what personal information is being collected and why. Employers must give this notice at or before the point of collection, generally in the job application or employment agreement.
They must also post a clear and conspicuous “Do Not Sell My Personal Information” link on their homepage that takes consumers to the notice of their right to opt out and lets them exercise it.
Here are the most important tasks that businesses must take care of to become CCPA compliant.
Part of the reason the data map takes so much effort to create is that most businesses significantly underestimate how much “personal information” they collect, as defined by the CCPA. It’s not just the obvious categories like names, email addresses, social security numbers, and other identifiers; it’s any information reasonably capable of being associated with a particular consumer. Personal information includes IP addresses, geolocation data, interactions with the business’s web pages, and much more.
When new data collection points are identified, you must trace where this information goes, categorize its purpose, and determine whether any of it is transferred outside of the business. If the information does go to an outside party, this requires another level of scrutiny as to whether the transfer qualifies as a sale or not.
The CCPA’s definition of selling personal information goes well beyond trading consumer data for money; it also covers the disclosure of personal information for any other kind of “valuable consideration.” Most importantly, this includes the use of interest-based advertising services, a.k.a. retargeting, from platforms like Facebook and Google. For example, if a consumer places an item in their online shopping cart but then leaves your site, using a third-party service to target that consumer with personalized ads for the product is treated as a sale of personal information, and the CCPA’s rules on sales apply.
This is a very common and effective marketing tool for online businesses, but it doesn’t fit into most people’s understanding of what a sale is, so it is easily overlooked. If your company uses interest-based advertising, it will have to comply with the CCPA’s rules regarding consumers’ right to opt out, or else stop using those services.
One of the most complicated tasks in becoming CCPA compliant is classifying vendors, i.e., deciding whether or not they qualify as “service providers.” It is a critically important step—disclosing consumers’ personal information to a service provider is not considered a sale of personal information, and therefore not covered by the right to opt out.
The classification is complicated because the CCPA’s definition of service providers includes specific contract requirements. Unless the vendor contract expressly prohibits the vendor from using, maintaining, or disclosing consumers’ personal information except as needed to provide their service, that vendor is not a service provider. This means businesses must go over each vendor contract with a fine-tooth comb to see if it meets the CCPA’s requirements.
If the vendor does not qualify as a service provider, the business then has to make a determination as to whether any transfer of personal information needs to be considered a sale.
Making the necessary disclosures to consumers is only one half of CCPA compliance; businesses must also respond to privacy requests, and do so in a timely manner. To respond to these consumer requests, businesses must have a comprehensive understanding of their own data privacy practices.
There are currently four types of requests in the CCPA:
The California Privacy Rights Act (CPRA) adds two more:
All of these requests have their own rules and exceptions that businesses should understand and have policies for before receiving an actual request. For example, opt-out requests don’t apply to disclosures of personal information to service providers, and requests to delete can be fulfilled by deidentifying or aggregating the data. Furthermore, different types of requests have different verification requirements that must be met.
Because of these complexities, privacy requests should not be handled on an ad hoc basis. Preparing in advance by creating an accurate data map and clear policies for staff to follow makes it easier for businesses to fully comply with their obligations without making mistakes such as deleting information unnecessarily.
Becoming CCPA compliant is a major project that requires more than simply posting a privacy notice. Each solution must be custom-tailored to the individual business and its data practices. Skipping over important steps like data mapping is likely to result in non-compliance, and possibly expensive penalties.
That doesn’t mean that CCPA compliance has to be a major expense. TrueVault Polaris software automates time-consuming tasks, guiding businesses step-by-step to full compliance at a fraction of the cost of hiring a law firm or consultant. Contact our team today to learn more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.