CCPA Compliance Checklist: 6-Week Countdown
With the California Consumer Privacy Act (CCPA) going into effect on January 1, 2020, we’ve put together a CCPA Countdown Checklist for organizations to follow.
Last week, we discussed #4 on our checklist: offering an online form for visitors to access information.
This week, we’ll review #5 on the CCPA compliance checklist.
CCPA Compliance Checklist
- Understand what the CCPA is and if it applies to you
- Determine what data is collected from California consumers and for what purposes they are used
- Inform visitors what personal information is collected when visiting your website
- Offer an online form for consumers to access, request deletion, or opt out of sales of their personal information
- Create a toll-free number for consumers to make consumer rights requests over the phone
- Maintain detailed, ongoing consent records for compliance
- Develop a process to respond to consumer requests within 45 days from when the request was made
- Obtain opt-in consent from children between ages 13-16 to sell their information; a parent or legal guardian is required to opt in on behalf of children under 13 years old
- Provide consumers who exercise their privacy rights the same products and service quality
What is the CCPA Do Not Sell Rule?
The CCPA “Do Not Sell My Personal Information” rule gives those based in California the right to tell businesses not to sell their personal data.
It includes several specific instructions:
- Websites must have a page called “Do Not Sell My Personal Information” that allows consumers to opt out of the sale of personal information.
- They must link to this page on the homepage.
- Users must be able to make this request without having to create an account.
- The business must respect the consumer’s decision for at least 12 months. After this time, the business can ask the consumer to allow the sale of personal information.
On the surface, this seems fairly straightforward. However, it brings many challenges. These include knowing what personal data your business collects and sells, knowing what data belongs to which user, and having a system in place to process do not sell requests.
How to Comply With CCPA Do Not Sell Rule
Businesses with websites face several challenges when it comes to complying with do not sell requirements. Some of these include:
- Knowing what data they are collecting and storing about each of their customers.
- Knowing what, if any, of this data is being sold to third parties. This can be particularly challenging if the business doesn’t know exactly what data its website collects about users.
- Providing a way for customers to request that the business does not sell the data it has collected about them. This can be done by implementing a do not sell button on the website’s cookie banner and homepage.
- Ensuring this request is fulfilled by providing a phone number and email address the user can contact if further action is needed to opt out of other systems.
- Maintaining details of this process to show the governing bodies they are compliant.
CookiePro CCPA Do Not Sell WordPress Plugin
CookiePro recently launched a CCPA Do Not Sell WordPress Plugin. The CookiePro Do Not Sell Plugin enables website owners to customize and embed a floating Do Not Sell action button and modal on their website that gives visitors the ability to exercise their rights and opt out of personalized advertisements.
CookiePro Consumer Request Management Solution
To meet full compliance, you’ll not only need to have a “Do Not Sell My Personal Information” link on your website, but will need to link it to a request form where consumers can exercise their rights. With this product, website owners are able to automate the intake and fulfillment of California consumers’ requests to access or delete their information.
- Display a “Do Not Sell My Personal Information” link on your company’s website
- Build a CCPA-specific request intake web form linked directly from your company’s website
- Customize forms to determine if a consumer resides in California and process through a California-specific workflow
- Centralize all requests into a single queue and define an automated triage workflow for fulfillment