Overview:
A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers: Include a description of a consumer's rights pursuant to Section 1798.120, along with a separate link to the "Do Not Sell My Personal Information" Internet Web page in:
(A) Its online privacy policy or policies if the business has an online privacy policy or policies.
(B) Any California-specific description of consumers' privacy rights.
Action Items:
1) Review existing privacy notices and verify that they meet the new requirements of the CCPA.
2) Ensure websites include a "Do Not Sell My Personal Information" link.
3) If no methods exist, establish appropriate methods for submitting opt-out requests to your organization that comply with the CCPA.
4) Draft an appropriate policy for the authentication of individuals that make opt-out requests.
5) Draft a "play book" that provides standard communications that can be sent to individuals that make opt-out requests.
6) Train employees on how to handle opt-out requests.
7) Verify that the policies in place facilitate the fulfillment of opt-out requests for the period of time required by the CCPA.
8) Create and make available to Consumers the Submission Options noted below: The Business must make available to Consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the Business maintains a website, a website address.
9) Establish a means to determine whether a request is a proper Verifiable Consumer Request (VCR). A "Verifiable Consumer Request" means a request where a Business can verify that the Consumer making the request is the Consumer about whom the business has collected Personal Information.
10) Create a process to readily access the specific Personal Information the Business has about each Consumer to satisfy this disclosure requirement.
11) Create a tracking system to ensure compliance with the Response Time and that the request complies with the Applicable Time Period. The Business must respond to a VCR by mail or electronically within 45 days (which can be extended for an additional 45 days upon notice to the consumer). The Business needs to inform the Consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. Note: In a different section, the CCPA states the response to any VCR can be extended for an additional 90 days. It is unclear whether this is in addition to the two 45-day periods noted here. There is no obligation to provide this information to a Consumer more than twice in a 12-month period, and the information provided need only cover the 12-month period prior to the VCR.
12) Create and post a list of the categories of Personal Information collected about Consumers in the preceding 12 months either within the Business' privacy policy or, if the Business does not have a privacy policy, on its website. Establish a process to update this information once every 12 months.
13) Create a tracking system of each disclosure request and how it was handled to be able to demonstrate compliance.
14) Create and post in the Business' privacy policy or on the Business' website if it does not have a privacy policy: (i) the categories of Consumers' Personal Information it has sold, or indicate it has not done so, and (ii) the categories of Consumers' Personal Information it has disclosed for a business purpose, or indicate it has not done so. This must be updated at least once every 12 months.
15) Develop a means of tagging, tracking and separately treating the Personal Information of Consumers who have exercised their opt-out rights.
16) Prominently display the opt-out button on the business website once requirements are released by the attorney general. The Business must provide, on its homepage, a clear link titled "Do Not Sell My Personal Information," which links to an opt-out page. A Business is permitted to create a separate homepage for California Consumers with this link (and omit it from the general homepage) if it takes reasonable steps to ensure California Consumers are directed to the California homepage. The foregoing link and a description of this right must also be disclosed in the Business' privacy policy and any California-specific description of Consumers' privacy rights.
17) Determine what Consumer information is necessary to effectuate an opt-out.
18) Where a Business has purchased Personal Information, develop a verification mechanism to confirm Consumer notification consent prior to further sale of such data.
19) Since a Business that willfully disregards the Consumers' age is deemed to have actual knowledge, Businesses may wish to develop a means of classifying a Consumer based on the Personal Information they have on them.
20) Develop a process allowing for a parent or guardian to opt in on behalf of a Consumer who falls within the age restrictions.
21) Identify whether your business is knowingly collecting information from children under the age of 16.
22) Identify whether your business may be unknowingly collecting information from children under the age of 16.
23) Institute a system for collecting parental consent prior to the collection of information from children.
24) Verify that the consent mechanism complies with the CCPA, COPPA, and/or the GDPR.
25) Train employees on how to handle inquiries relating to the information collected about a child.
Related Documents:
1) Privacy Notice
2) Evidence (e.g. screenshot) of the clear and conspicuous link on the business's Internet homepage, titled "Do Not Sell My Personal Information"
3) Evidence validating the business does not require the consumer to create an account in order to direct the business not to sell the consumer's personal information.
Additional Guidance:
Summary of Information to Be Included in Privacy Policies
Under the CCPA, certain information needs to be included in a Business' privacy policy and in any California-specific description of consumers' privacy rights. If a Business does not maintain such policies, this information needs to be included somewhere on its website. Note that this information must be updated at least once every 12 months. The following is required:
1) One or more designated methods for submitting requests permitted under the CCPA
2) A description of a Consumer's rights to: request disclosure of information collected; request disclosure of information sold; nondiscrimination relating to Consumers who exercise CCPA rights; and opt out, along with a separate link to the "Do Not Sell My Personal Information" opt-out page
3) A list of the categories (by reference to the CCPA enumerated category) of Personal Information the Business has collected about Consumers in the preceding 12 months
4) Two separate lists of categories (by reference to the CCPA enumerated category) of information the Business has (i) sold or (ii) disclosed for a business purpose, each within the preceding 12 months or, if the Business has not done so, disclosing that fact.
Notice to Consumers of Opt-Out Rights
The Business must provide, on its homepage, a clear link titled "Do Not Sell My Personal Information," which links to an opt-out page. A Business is permitted to create a separate homepage for California Consumers with this link (and omit it from the general homepage) if it takes reasonable steps to ensure California Consumers are directed to the California homepage. The foregoing link and a description of this right must also be disclosed in the Business' privacy policy and any California-specific description of Consumers' privacy rights.
Article ID: 72
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/ccpa-online-privacy-policy-and-internet-web-page-requirements-135-a-2-72.html