
CCPA Train Individuals Responsible for Handling Opt-Out Requests (135.a.3)

Overview:
A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers: Ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with this title are informed of all requirements in Section 1798.120 and this section and how to direct consumers to exercise their rights under those sections.


Action Items:
1) Review existing privacy notices and verify that they meet the new requirements of the CCPA.
2) Ensure websites include a "Do Not Sell My Personal Information" link.
3) If no methods exist, establish appropriate methods for submitting opt-out requests to your organization that comply with the CCPA.
4) Draft an appropriate policy for the authentication of individuals that make opt-out requests.
5) Draft a "play book" that provides standard communications that can be sent to individuals that make opt-out requests.
6) Train employees on how to handle opt-out requests.
7) Verify that the policies in place facilitate the fulfillment of opt-out requests for the period of time required by the CCPA.
8) Create and make available to Consumers the Submission Options noted below: The Business must make available to Consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the Business maintains a website, a website address.
9) Establish a means to confirm that a request is a proper Verifiable Consumer Request (VCR). A "Verifiable Consumer Request" means a request where a Business can verify that the Consumer making the request is the Consumer about whom the business has collected.
10) Create a process to readily access the specific Personal Information the Business has about each Consumer to satisfy this disclosure requirement.
11) Create a tracking system to ensure compliance with the Response Time and that the request complies with the Applicable Time Period. The Business must respond to a VCR by mail or electronically within 45 days (which can be extended for an additional 45 days upon notice to the Consumer). The Business needs to inform the Consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. Note: In a different section, the CCPA states the response to any VCR can be extended for an additional 90 days. It is unclear whether this is in addition to the two 45-day periods noted here. There is no obligation to provide this information to a Consumer more than twice in a 12-month period, and the information provided need only cover the 12-month period prior to the VCR.
12) Create and post a list of the categories of Personal Information collected about Consumers in the preceding 12 months either within the Business' privacy policy or, if the Business does not have a privacy policy, on its website. Establish a process to update this information once every 12 months.
13) Create a tracking system of each disclosure request and how it was handled to be able to demonstrate compliance.
14) Create and post in the Business' privacy policy or on the Business' website if it does not have a privacy policy: (i) the categories of Consumers' Personal Information it has sold, or indicate it has not done so, and (ii) the categories of Consumers' Personal Information it has disclosed for a business purpose, or indicate it has not done so. This must be updated at least once every 12 months.
15) Develop a means of tagging, tracking and separately treating the Personal Information of Consumers who have exercised their opt-out rights.
16) Prominently display the opt-out button on the business website once requirements are released by the attorney general. The Business must provide, on its homepage, a clear link titled "Do Not Sell My Personal Information," which links to an opt-out page. A Business is permitted to create a separate homepage for California Consumers with this link (and omit it from the general homepage) if it takes reasonable steps to ensure California Consumers are directed to the California homepage. The foregoing link and a description of this right must also be disclosed in the Business' privacy policy and any California-specific description of Consumers' privacy rights.
17) Determine what Consumer information is necessary to effectuate an opt-out.
18) Where a Business has purchased Personal Information, develop a verification mechanism to confirm Consumer notification consent prior to further sale of such data.
19) Since a Business that willfully disregards the Consumers' age is deemed to have actual knowledge, Businesses may wish to develop a means of classifying a Consumer based on the Personal Information they have on them.
20) Develop a process allowing for a parent or guardian to opt in on behalf of a Consumer who falls within the age restrictions.
21) Identify whether your business is knowingly collecting information from children under the age of 16.
22) Identify whether your business may be unknowingly collecting information from children under the age of 16.
23) Institute a system for collecting parental consent prior to the collection of information from children.
24) Verify that the consent mechanism complies with the CCPA, COPPA, and/or the GDPR.
25) Train employees on how to handle inquiries relating to the information collected about a child.


Related Documents:
1) Privacy Notice
2) Evidence that all individuals responsible for handling consumer inquiries about the business' privacy practice and compliance have been trained
3) Training records for individuals responsible for handling consumer inquiries about the business' privacy practice and compliance


Additional Guidance:
Required Training
A Business is required to ensure that individuals responsible for handling Consumer inquiries about the Business' privacy practices or CCPA compliance are informed about the requirements below, and how to direct Consumers to exercise these rights. A Business should establish a documented training program to satisfy this requirement:
1) Ensure designated personnel understand how to instruct Consumers to exercise their rights under the CCPA related to: disclosure of Personal Information collected by the Business; disclosure of Personal Information sold by the Business; and opting out of the sale of their Personal Information.
2) Ensure designated personnel understand the general CCPA obligations of the business related to nondiscrimination against Consumers who exercise their CCPA rights.
3) Ensure designated personnel understand the general CCPA obligations of the business related to the disclosure obligations of the business, including duties to: make available two or more methods for Consumers to make requests; deliver the required information to a Consumer within 45 days (and when an extension exception may apply); confirm a Verifiable Consumer Request (defined on page 22); and identify by category the Personal Information collected, sold or disclosed about the Consumer for a business purpose in the preceding 12 months.
4) Ensure designated personnel understand the general CCPA compliance obligations of the business, including duties to: provide a clear and conspicuous opt-out link; provide a description of Consumer opt-out rights; effectuate and comply with opt-out requests in business systems; respect opt-out requests for 12 months before requesting that the Consumer authorize a sale; and permit a designated person to opt out on the Consumer's behalf.


Training Employees for Opt-Out Requests
Individuals responsible for handling Consumer privacy inquiries and CCPA compliance must be trained on the opt-out right and how to direct consumers to exercise that right.