Complete CCPA Compliance Guide to Privacy Requests’ Management

What is CCPA Compliance or CPRA Compliance?

California Consumer Privacy Act or CCPA protects the right to privacy of California residents in accordance with the AB 375 starting Jan 1, 2020. CCPA compliance implies companies, websites, and web & mobile apps taking the following steps:

• Respond to privacy requests of California residents
  • Provide a privacy request form similar to contact us form
  • Verify privacy requests & automate verification
  • Automate request processing workflow
  • Get approvals for specific requests
  • Provide a way to opt-out of website cookie tracking
• Secure and safeguard personal information
• Provide clear, readable privacy notice
• Provide privacy APIs to (applies to b2b web & mobile apps):
  • Access personal information
  • Delete personal information
• Modify vendor agreements to include privacy provisions
• Modify data licensing agreements to include privacy provisions
• Identify all sources of personal information (past 12 months)
• Identify all parties with whom you shared personal data (past 12 months)

* For the sake of this compliance guide CPRA and CCPA are often used to mean the same thing 

Does CPRA/ CCPA compliance apply to my business?

The underlying question is does my business have to spend the money and resources for CCPA compliance? You have to answer – yes, to one of the following questions:

1. Do you own a website that attracts 4200+ unique California residents per month?
2. Do you own a CRM or email list or other systems that has 50,000+ California residents combined?
3. Do your annual gross revenues exceed $25 Million?
4. Do at least 1/2 of annual revenues generated from licensing or selling personal data?

If your answer to any of the above questions is yes, then your business needs this CCPA compliance guide. There is no specific, one approach to for CCPA compliance. Like any law, you need to do the minimum required to ensure that you reduce the risk of penalties and lawsuits. There are exceptions. Despite exceptions, we recommend CCPA compliance guide because these exceptions have not been tested. For example, a health care provider is likely to exempt from CCPA compliance because of HIPAA rules. However, website visitors are not covered under HIPAA (not personally identifiable) but covered under CCPA. Disclaimer: We are not attorneys and we strongly recommend that you consult your attorney for specific nuances in the law and its compliance.

What are the risks under CCPA / CPRA?

Lack of CCPA compliance has two drawbacks or risks. One of the risks is from the California Attorney General (AG). Calfornia AG may impose a fine of upto $7,500 per violation. Is it likely that your business attracts these fines? Starting July 2020, the AG is expected to initiate action. CA legislature has not provided any additional funds to the AG for action. These fines are pooled into a privacy fund, to initiate future actions by authorized prosecutors across California.

The second risk is the private right of action by California consumers. In plain English, class action lawsuits. These are highly likely to be triggered because of a data breach. Data breaches are up 54% in the first half of 2019. When your company experiences a data breach, you have to notify your state. It is now publicly available information. The likelihood of a subsequent class action in a California court is very high.

It is a good business practice to protect your business from a data breach. This should be a part of your IT and security budget today. The additional budget you need is for privacy request management. It is clear that automating privacy request processing is the right approach. The first and most inexpensive step is to put up a privacy request form on your website, likely cost you less than a few hundred dollars a month. Your business will have nearly 100 days to respond to any advanced privacy requests.

In this CCPA compliance guide, you understand the details of privacy request processing, and workflow. Additionally, you 1) Find a list of CCPA privacy request management vendors; 2) Evaluate the pros and cons of building own or using a vendor; 3) Find tips and recommendations for workflow automation; and 4) Calculate your risk vs. budget for processing privacy requests. After reading this CCPA compliance guide, you will be ready to start implementing CCPA compliance.

• What is CCPA compliance?
• Do you need to implement CCPA compliance?
• How to budget for CCPA compliance?
• How do choose the vendor?
• Should you outsource CCPA compliance processing?
• How much does it cost?
• Should you extend your security resources for CCPA?
• Who takes ownership of CCPA compliance – marketing, legal, or IT?
• What are the steps beyond privacy requests to be fully CCPA compliant?
• And, learn some tips on data breach prevention…

First a few simple definitions. A privacy request is a request to execute the right to privacy as defined in the CCPA. Another term being used is DSAR – data subject access request. Privacy request is a better term because the request is about privacy including a request for access to data. DSAR is more specific to request for access to personal information. Under CCPA, a requestor is a person who is a California resident. Types of privacy requests and types of requestors are defined in sections below.

Step 1: Deploy a Privacy Request Form on Your Website

The first step to addressing privacy requests is to create a privacy request form on your website. This form must have the following fields:

• Name (required field)
• Email (required field)
• Phone number (optional)
• Type of privacy request (select one from list)
  • Collection purpose (default)
  • Data categories
  • Data sources
  • Access to data
  • Data sold/shared
  • Do not sell
  • Delete data
  • Notice of action
• Type of requestors (select one from list)
  • Website visitor (default)
  • Customer
  • Partner
  • Job candidate
  • Employee (likely not required, look out for an amendment from CA Legislature)
  • Other
• Comment (optional)
• Captcha (to ensure that no bot is sending requests)

We recommend including the request types such as collection purpose, data categories, and data sources. Some companies may provide this information on their web content as default for all visitors. The reason we make this recommendation would be to better understand your website visitors. Your Chief Marketing Office will be able to understand better the trust levels if they understand if the requests are for information only or something more. It is likely that most of your requesters are seeking for assurance of the use of their personal information. A more advanced privacy program could call these requesters and engage them to improve brand value and trust in your brand. We also recommend including the notice of action request. However, you must consult with your legal team and understand the consequences of this inclusion.

Webform design and deployment is simple. Check this resource to help you create your privacy request form own design.

Step 2: Privacy Request Verification Mechanism

The second step of processing a privacy request is verification. The requestor and the request need to be verified. There are several ways to verify a requestor and the request. In the request form when you use a captcha or recaptcha, this will ensure that no bots are used to provide the privacy request.

The first method of verification is email verification. This is one of the most widely used and automated process. Email verification is about ensuring that the email address is valid. This improves the odds that the email address belong to a real person. The intent of using email verification is to ensure that a real person receives the email sent as part of the privacy request processing.

As part of email verification process, the privacy request processing system sends a verification email. Another option is to use an email verification service to check on the authenticity of the email address. This ensures that is the email is sent and there are no issues to send the email. Also, this means that there are no spelling mistakes by the requestor at the time of request. Additionally, the domain name is verified. Next up, the requestor reads the verification email, and is prompted to click on the link to verify the validity of the email address of the request.

The email verification does not specifically verify the authenticity of the name, phone number or the message of the requestor. But, it is the first and an essential step of the process of verifying the privacy request.

The second step of verification is to use SMS verification. This requires that your privacy request form asks for the user’s mobile phone number. The phone number can easily be verified by sending a text message with a verification code. The privacy request system will then ask for the verification code there-in ensuring that the mobile phone number used by the requestor to present the privacy request is accurate. The SMS verification is a widely used process. However, your requestor may not provide their mobile number for the same privacy reasons.

A third step of verification is location verification. Your website visitor’s IP address is easily avaiable in your website analytics tool. You may find ways to identify the IP address. There are several tools or API services that could be used to find the geo location based on IP address. A more accurate approach would be to include a request for one-time location tracking when the user submits the privacy request. This may be an inaccurate method of location verification. But, this is one way to eliminate requests from outside of California. Your company may have a policy to address all requests without regard to location.

Other verification mechanism could include one or more of these methods:

• Ask for a credit card number (do a quick $1 balance authorization on the card and revert it)
• Piggyback off of a social network site’s verification process
• Ask the user for their social security number and do auto verification of the number
• Call the user on the phone number provided by the user and check if they provided the request
• Ask the user for a copy of their utility bill (with their address)

Your verification system may employ one or many of these methods. It is highly recommend to start simple – email verification. You may follow up with a phone call to the user in case of delete data, access data, or notice of action requests. Ensure that you have the following rules for request verification:

1. CCPA privacy request once received cannot be modified
2. Any privacy request received (data & time) must be verified for requestor identity prior to processing
3. Email verification is MUST; SMS phone number verification ; verification by phone call; geolocation verification are good to have
4. ONE verification confirmation is sufficient, while the system or user may request several verifications
5. Requestor verification status and process applies to all types of requests and all types of requestors
6. You may assign a request to a request processor before or after request verification
7. Request processor may start work on a request only after request verification is completed
8. Do not send any email notification until the email verification is received

Step 3: Email Notification Templates

Email notification templates are required for privacy request management. This makes your process consistent, and scale your reqeust processing. The following table provide a detailed list of templates you require for CCPA compliance privacy request processing.

Step 4: Privacy Request Work Flow Status

A part of processing the CCPA privacy requests, you need to discuss and decide on the work flow and maintaining the status of the workflow. This is a simple process setup. Let’s make a simple assumption. Your company may receive less than 500 privacy requests a month. This could imply you need 1-3 person team to process these requests. We recommend the following states for your privacy requests workflow:

1. Under verification – Implies the request was received and pending verification of the requester
2. To be assigned – Implies the privacy reqeust process manager is yet to assign the request for processing
3. Under review – default state once request is verified and assigned
4. Under legal review – implies that request is sent to legal approver for review with data or files attached (required only for a few requests)
5. Legal rejected – implies that legal has not approved based on the request and data attached
6. Legal more information – implies that legal does not have sufficient data to approve the request
7. Legal approved – implies that request is received from legal as approved
8. Completed – implies that the requester received an email completing the processing of the request
9. Rejected – implies that the requester received an email with explanation of rejection of the request

You must esnure that your privacy and legal teams clearly understood and accepted these statuses. It is recommened that you review the entire request processing with your privacy and legal team in detail. This ensure that your privacy request pipeline is processed smoothly and in a timely manner.

Step 5: Establish Process for Each Type of Request

As part of this step, it is important to establish a few common elements of processing any of the CCPA privacy requests. A few common process elements include:

1. Extend the time needed for processing
2. Send email notification to requester (based on templates)
3. Preparation of data – collect and collate the personal information of requester

Disclaimer: Please consult your legal team for specific implementation details.

Extension Processing: CCPA requires that a request received must be processed within 30 days. Let’s consider the clock starts upon email verification. (Please consult your legal team on the start of the clock.) This CCPA compliance guide helps you process most of the privacy requests within 5 days of receiving a request. CCPA provides you a way to extend your request processing by an additional 70 days. You need to send the process extension notification to the requester before the expiration of the 30 days of initial processing. We receommend you send this process extension email using a standard email template. CCPA allows for one extension only. We recommend to use the process extension for 4 requests. These include reqeusts for access to personal data, access to data sold or shared, do not sell, and delete data. Depending on your data and your ability to rapidly query this data, you may need to seek extension to process these 4 specific privacy requests.

Sending Emails: The final objective of CCPA privacy request processing sending one or more messages to the requester. Sending emails is the easiest. The key part of request processing is requester verification. The requester email must be verified using an email verification process. Additionally, sending email is inherent to the work flow process. Sending personal data to the wrong person will be considered a data breach. Such data breach is subject to a action by the requester.

Data Preparation: Nearly all CCPA privacy requests require personal data of the requester to be available. It is important to ensure that you have the ability to query, collect, and collate all the data associated with the requester. We shall cover data collection and collation in another guide. For setting up CCPA privacy request processing, you need the data file for the requester. You may use email address, phone number, name, or other search criteria for querying.

Processing Privacy Requests for Collection Purpose, Data Categories, & Data Sources

These three privacy requests are similar in processing. Each of these three CCPA privacy requests can be completed in a few steps or actions:

1. Requester verification is completed
2. Send email acknowledgement to the requester – request received
3. Call the requestor (optional) to confirm the request received
4. Get requester data for the past 12 months and attach it to the request
5. Review requester data for collection purpose/data categories/data sources (action)
6. Email requester the appropriate email template for collection purpose/data categories/data sources (action)
7. Close the request as completed

Your company may have several email templates depending on the type of requestor or type of data sources/data categories/data sources. Or, you may also have one generic email template for each of the privacy request type. It is better for the company to have different templates for different types of requesters (purpose/categories/sources may change for each type of requester). Another alternative is to provide generic collection purpose / data sources / data categories information on your website. We strongly recommend specific request processing. This approach provides a way to engage your request stakeholders.

Processing Privacy Request for Access to Data

The CCPA privacy request for access to personal information can be completed in several steps and actions:

1. Requester verification is completed
2. Send email acknowledgement to the requester – request received
3. Call the requestor (optional) to confirm the request received
4. Check if this is a valid request
5. Check if a similar request was received from the same requester in the past 12 months
   • You are required to process a request every 6 months. This could imply that you could process 2 requests each year. We recommend that your company keep track of number of requests received from a specific requester. And it is recommended to track several requests including request for access to data, request to delete data, request to access data shared/sold, or request not to sell data.
   • If a delete data request was received in the past 12 months, the company may send a notification to the requester that delete data request was processed in the past 12 months.
   • If number of requests are in order, then continue with the next steps.
6. Get requester data for the past 12 months and attach it to the request
7. Review requester data and note any abnormal patterns (action)
8. Send the request including the data and the notes for legal review (action)
9. Get an approval from the legal reviewer
10. Email requester the appropriate email template for access to personal data and attach the data approved by legal reviewer
11. Close the request as completed

Your company may have several email templates depending on the type of requestor for personal information access. Or, you may also have one generic email template for each of the privacy request type. It is better for the company to have different templates for different types of requesters. You should have the ability to collate and collect the personal information of the requester.

Personal information access is a very tricky area. CCPA has expanded the definition beyond personally identifiable informatoin. For example, if a visitor to your company website requests data, then it is imperative that you collate all the website statistics for this specific visitor. Web site statistics collected by most companies do not have any personally identifiable information. However, under CCPA it is personal information associated with a cookie id of the visitor.

Processing Privacy Request for Data Sold/Shared

The CCPA privacy request for access to personal information that is sold or shared is simlar to the privacy request for personal information access discussed in the section above. The only difference is in the collation of data from multiple data stores of the company. Your company must have a way to quickly identify if this data is licensed to a third party. CCPA does not require you to share who the data is licensed/sold/shared with. It is unclear if data hosted with a third party service provider is considered to be part of data shared/licensed. We recommend that hosting data with third party service provider need not be considered as part of this privacy request. Disclaimer: we are not your legal team, please seek appropriate legal advice.

Processing Privacy Request for Do Not Sell

The CCPA privacy request for do not sell my personal information is simlar to the privacy request for personal information access discussed in the section above. There are several major differences:

1. Do not attach the data collated as part of the response to the requester.
2. Identify a way to mark the data for the specific requester and the date of the request.
3. What if the data was already sold?
   • There is no need for the company to retroactively inform the licensors
   • The request is for any future sale/sharing of the data of this specific requester
4. At the end of 12 months from the date of this type of request you may sell/share this data. CCPA does not specify any limitations. Disclaimer: Please consult your legal team.

Processing Privacy Request for Delete Data

The CCPA privacy request for delete my personal information is simlar to the privacy request for personal information access discussed in the section above. There are several major differences:

1. Controversial: Delete data does not imply not new data collection. We are of the view that a request to delete data does not imply that your company needs to stop data collection. You may continue data collection from various sources. CCPA has specific provision about opt-out of data collection. This is a topic for cookie management. As part of cookie management and cookie opt-out, you may still do some essential data collection.
2. You may not delete data that is necessary to service any future requester requests. For example, if the requester is a customer, invoice or payment information may not be deleted. You may need that customer information for returns processing, or as part of other compliance.
3. Do not attach the data collated as part of the response to the requester.
4. Identify a way to mark the request for data deletion.
5. We are of the view that data collated as part of request processing may be retained. This is required for audit and compliance purposes.
6. What if the data was already sold?
   • There is no need for the company to retroactively inform the licensors about data deletion
   • The request is for any data with the company
7. Starting immediately after processing the request, you may collect new data for this requester. Disclaimer: Please consult your legal team.

Processing Privacy Request for Notice of Action

The CCPA privacy request for notice of action is not a necessary type of request under CCPA. We recommend this request type. This is useful because this is a way for you and your legal team to be prepared for any inconsistencies in request processing or potential future compliance actions. Processing this request is quite simple:

1. Requester verification is completed
   • We do not perceive email verification of the requester is an acknowledgement of the request
   • Please ensure that your email verification notification to requester does not indicate acknowledgement of any requests
2. Do NOT send email acknowledgement to the requester
3. Collate all the data of the specific requester
4. Collate all requests received from the specific requester
5. Consolidate all this information and the request and send it to your legal reviewer
6. If you receive legal approval, you may then send an acknowledgement to the requester
   • Your company may have legal policies on notice acknowledgements

List of Vendors that Provide Privacy Request Processing

Here is a list of vendors that provide software and systems for CCPA privacy request management:

1. InfoSecEnforcer.com
2. OneTrust.com
3. TrustArc.com
4. Clarip.com
5. Privaci.ai
6. Truyo.com
7. Wirewheel.io
8. Sourcepoint.com

Cost to Build Your Own Privacy Request Processing

It is expensive to build your own privacy request processing tool. It may be inexpensive to build it once. However, we expect CCPA to change over the next several years. This would imply that you need to have your team make these changes constantly. These continued long-term changes will prove to be expensive.

Most of the above listed vendors provide low-cost tools. We recommend InfoSecEnforer a free tool for privacy request processing.