CCPA Regulations: Top 31 Rules for Compliance

The new draft CCPA regulation were published by California AG on October 10, 2019. These regulations cover three main areas:

• Notices to consumers
• Submision of privacy requests by consumers
• Verification of privacy requests by consumers

In the following sections we detail out each of these regulations in a way that your IT or legal team can consider this to be a checklist for CCPA compliance.

1. Notice of personal information collection – Inform
2. Notice of personal information collection – categories
3. Notice of personal information collection – purposes
4. Notice of personal information collection – the link
5. Notice of indirect personal informatoin collection
6. Right to opt-out of sale – notice
7. Financial incentive – notice
8. Verification process – notice
9. Privacy policy – combined notice
10. Privacy requests – definitions
11. Privacy requests – methods
12. Privacy requests indirect consumers – methods
13. Privacy requests – acknowledgement
14. Privacy reqeusts – response
15. Response – right to know categories
16. Response – right to know purposes
17. Response – right to know sources
18. Response – right to know categories of 3rd parties
19. Response – right to access personal information
20. Response – right to access information sold/disclosed to 3rd parties
21. Response – right to delete personal information
22. Response – right to opt-out of sale (Do Not Sell My Personal Information)
23. Response – secure transmission
24. Response – Password-pretected accounts
25. Service provider – privacy request submission
26. Privacy request – household-information
27. Verification process – generic
28. Verification – consumers with no accounts
29. Verification – consumers with password protected accounts
30. Request processors – training
31. Audit information

Notice of personal information collection – Inform

You must inform consumers that you are collecting personal information. On your website this means a clear notice in simple English. We recommend this notice.

“We collect your personal information. Click here for more(link to privacy page).”

If you can track returning consumers on your website, then you do not have to display this notice for returning consumers. Do you publish your website in multiple languages? You need to have this notice in all the languages you support.

Are you are a b2b business? Consumers apply to you as well. It is any California resident.

Notice of personal information collection – categories

Do you have a list of all categories of personal information you collect? Get your list together. Publish this list on your website. See below on how to provide a notice of categories of data collection.

Notice of personal information collection – purpose

Do you have a list of reasons for collecting personal information? Get your list together. List reasons per each category of personal information collected. See below on how to provide a notice of such purpose by category.

Notice of personal information collection – the link

In one of the regulations above, you provided a link. This link needs to display in simple English the following sections:

• List of categories
• List of reasons per category
• Link to the privacy policy
• Link to the privacy request form
  • Specifically create a link for ‘Do Not Sell My Info’
• Or, include all of these in privacy policy

Notice of indirect personal information collection – sell/share data

If you not in the business of selling or licensing personal information, then this CCPA regulation is not meant for you.

If this is meant for you, contact the source of your data and get attestation that the source provided the notice of collection of personal information. Service providers storing data on behalf of their customers are treated differently. See sections that address the CCPA regulations for service providers.

Right to opt-out of the sale of personal information – Notice

Do you sell or have plans to sell personal information collected?

If the answer is No, then state this clearly in your privacy policy. Skip the rest of this section and move on to the next. And, if the answer is Yes, then state it clearly in your privacy policy.

“We sell (or plan to sell) some or all of the personal information we collect. To opt-out of this please click the link below.Do Not Sell My Info.”

And, you must publish this all the languages you use on you website. You may add a logo to the above link.

Financial incentive – Notice

Some businesses collect and sell personal information. It is their business model. Often they offer a free service for such information collection and/or sale.

CCPA regulations clarify how a business can provide a financial incentive for collection and/or sale. You need to make this clear in your privacy notice. This privacy notice must include:

• Clear statement that consumer can withdraw anytime
• Process for consumer to change their choice

Verification process – notice

Verification process is a means to verify the consumer who submits a privacy request. A verification process is required to address the privacy requests from consumers. For CCPA compliance, you need to clearly state the verification process and methods used.

For example, if your verification process requires an email verification, you need to state what the process is and why you need email verification. More on verification is detailed in sections below.

Privacy policy – combined notice

You are likely to have a privacy policy on you website. Else, create one. For CCPA compliance we recommend to create two versions of privacy policy.

• First version is a simplified version
• Second version is a more legal version (that is directly in line with the simplified version)

If your website is published in multiple languages, your privacy policy needs to support this. In addition, we recommend publishing audio of the simplified version. It is better to provide a download file for both versions.

Bookmark this page. Or sign up to get updates. We will publish these two versions for your use under the Creative Commons (Attribution alone) license.

Privacy requests – definitions

CCPA affords right to privacy to a consumer. A privacy request is a method to submit a request to exercise this right to privacy.

Consumer has the right to several types of privacy requests. These specific requests are:

• Right to know categories of information collected
• Right to know purpose(s) of information collection for each category
• Right to know source(s) of information collection for each category
• Right to know categories of 3^rd parties information is sold/disclosed for each category
• Right to access information
• Right to access information sold/disclosed to 3^rd party
• Right to delete personal information
• Right to opt-out of sale of personal information

Privacy requests – methods

A privacy request is a method for a consumer to submit a request to know or request to delete.

A webform is a first choice for privacy request submission. It is an easy method to provide for all privacy requests. This reduces submission errors. It simplifies requester verification.

A second method is also required for CCPA compliance. We recommend a 1-800 or other toll free number. This should be fully automated in order to reduce submission errors. Automation also helps to improve requester verification. Other methods could include:

• An email address (ex: privacy-requests@companydomain.com )
• Downloadable form to submission through mail (USPS or other)
• Form available at your retail service centers or shopping location(s)

Privacy requests by indirect consumers – methods

You must have at least one method for the indirect consumer to submit privacy requests. A web form is the recommended method. And, this is consistent with direct consumer requests.

Privacy requests – Receipt

CCPA regulations require that you acknowledge receiving the privacy request promptly. In 10 days. As part of this receipt you may include:

• Email verification link
• Any additional verification steps or process
• Timeline to expect a response
• Multiple requests, if any

Privacy requests – Timeline

The California AG’s CCPA regulations require a response in 45 days from the date of the privacy request submittal. This is different from an earlier interpretation of 45 days from the date of verification of the request.

You may respond with an extension of an extra 45 days. Please note, earlier interpretation of extension was for 70 days. An extension response must include a reason for extension.

What happens if the verification is incomplete? If the verification of the consumer request is not complete, you have two choices:

• Deny the request indicating the incomplete verification as the reason for denial
• Send an extension of another 45 days to complete with request with incomplete verification as the reason for extension

Response – Right to know categories

The right to know requests are a bit tricky. But the CCPA regulations provided specific clarification on how the responses need to be addressed.

CCPA regulations imply that data categories are the basis for structuring the data collection. This is unlikely to be the case in your business. So we recommend separating the right to know in the way we detailed out.

As per the CCPA regulations the response to a request for right to know categories shall include:

• Reasons
• Sources
• 3^rd party categories to which business sold/disclosed data
• Reasons for sale/disclosure to 3^rd parties

We recommend treating these as individual privacy requests which will also imply CCPA compliance.

To the extent reasonable, you are required to provide an individualized response to each consumer. While this sounds a bit of a stretch. As a business practice it is best for you to document categories based on the type of consumer. This practice will ensure rapid response to these privacy requests.

If the privacy request cannot be verified, then a response still needs to be sent with general information for the right to know requests.

Response – Right to know purposes

See response to right to know categories above. As a business practice it is best to collect purposes under each category. We also recommend separating the purposes by requester type. This will ensure individualized response to each consumer.

Response – Right to know sources

See response to right to know categories above. And, follow practices that provide individualized response to each privacy request.

Response – Right to know categories of 3^rd parties

See response to right to know categories above.

If your business does not sell/disclose personal information to other 3^rd parties, you still have to respond accordingly. Be aware of sending stock responses. Consider the following:

• A consumer asks for a right to know categories of 3^rd parties
• After getting a response, the same consumer submits a opt-out of sale request
• And you respond
• A consumer then asks again for the right to know categories of 3^rd parties

If the last request is sent with a stock response, this would imply that the opt-out has been unsuccessful. This may imply violation of the CCPA regulations.

Response – Right to access information

CCPA regulations discuss about disclosure of specific pieces of information about the consumer. CCPA does not provide for specific information. It states all information. This area of the regulation is still unclear. However, we recommend to the extent applicable to provide all information. Also as stated in the following section, disclose information sold/disclosed to 3^rd party(s).

CCPA compliance with the act requires disclosure of all information, metadata, etc. CCPA regulations are unclear on what to include as part of the disclosure. However, CCPA regulations provide some good guidance on what not to include. As part of the response, you are not to disclose any information that meets these criteria:

• Personally identifiable data such as
  • Social security number
  • Driver license number
  • Government issued identifications
  • Financial account numbers (ex: credit card numbers)
  • Health care numbers or medical ids
  • Account passwords or numbers
  • Account security questions or answers
• Conflict with other federal or state law
  • State clearly which law and type of information withheld
• Creates a risk to the security of (we infer this as cyber risk)
  • The information disclosed
  • Consumer’s account
  • Your business systems
  • Your network

You need to be very diligent with your verification process. If any step of the verification process fails, you may respond with rejection of the request.

2-step or multi-step verification process? In some situations, CCPA regulations cannot be considered as a rule. For the purpose of responding to right to access information, we recommend caution. A confirmation of the request is important before responding with the data. This is specifically be the case for non-account based requests. Two step could mean:

• Typical verification that you will do for all requests
  • Email
  • Phone calls
  • Account based portal
• A second step could be in the form of requesting a confirmation of the specific request
  • A confirm your request email verification
  • A phone to confirm the request and email address to respond to request
  • For account based requests… this could in the form of user re-entering credentials.

Response – Right to access information sold/disclosed to 3^rd party

Similar to the above right to access information. We recommend having this privacy request as well. This is clear and addresses a core premise of information collection. If your business in involved in the sale/disclosure of data to 3^rd parties, then consumer would like to know what information has been disclosed. This is likely to address the specific information requests included in the CCPA regulations.

The response to this request is similar to the response to the right to access information request discussed above. We recommend a 2-step verification or another method of caution before sending a response to non-account based requests.

Response – Right to delete personal information

You must verify this request. No verification can default to denial of the request. We recommend a 2-step verification, see above sections for details.

We recommend that you provide an all or nothing choice for deletion. CCPA regulations offer your business to retain certain categories of data. You could do this by providing the consumer an option to delete specific categories of personal information. This could be taxing on your business systems, and process. This will likely increase the cost of your compliance.

CCPA regulations require you to process a response with :

• Permanently and completely erasing the personal information on its existing systems with the exception of archived or back-up systems;
• De-identifying the personal information;
• Aggregating the personal information;
• Retain a copy of the data only as part of an audit to this privacy request (or other state of federal laws);
• Include the way in which the data is deleted

You may reject the deletion of all data or specific data and must include all of the information in your response to the request. A response with rejections or denials must include:

• Reason for not deleting the specific data under regulation or statutory exception
• Must confirm that all other data is deleted
• Cannot use the data outside of the regulatory exception

Response – Right to opt-out of sale (Do Not Sell My Personal Information)

This privacy request receives a special mention in CCPA regulations. For CCPA compliance for this type of privacy request, your business must:

1. Provide a web form with the words ‘Do Not Sell My Personal Information’ or ‘Do Not Sell My Info’. The intent is to remove ambiguity and provide consistency to consumers.
2. Provide a second method. We recommend an automated 1-800-Service.
3. Honor their opt-out of tracking cookies settings on the browsers

You have 15 days to comply with this request. A verification of the consumer is not mandated for this type of privacy request. You must notify the consumer that the request is processed within 15 days.

Did you sell/share this data with a 3^rd party? You must notify all such 3^rd parties. You have 90 days to complete notification. This implies you need to modify your agreements with 3^rd parties to ensure their CCPA compliance. You must notify the requester that all 3^rd parties have been notified of their opt-out request.

If you believe you received a fraudulent request, then you may not comply. But you must document why you perceive that your received a fraudulent request.

Response – secure transmission

Your business must take reasonable security precautions while responding to the requests. This could be one of several items:

• If the response is by email, ensure that the email is verified
• If the response is in the form of a letter, ensure that the address is verified
• If the response using a portal:
  • Ensure that the portal using appropriate security (HTTPS, firewall, etc.)
  • Ensure that the account to access the portal is authenticated

Response – Password protected user account

Does your business maintains user accounts and the requester is an account holder? Then these privacy request response mechanisms apply:

• Privacy requests for account holders can be inside a secure portal
• Privacy request submittals shall not require account access
• You may ask for additional verification
• You may not restrict access to personal information within the portal
  • A way to download the information should be provided

Service provider – privacy requests

Is your business delivering services to other businesses? Such as a SaaS company or a digital marketing company? Then, you must provide consumers methods to submit privacy requests.

Service provider as a business:

It is likely that you collect personal information of your own customers, and partners. Or collect personal information of potential customers and partners. CCPA compliance is necessary for such service provider. Please review this article in detail on how to implement the new CCPA regulations.

Service provider’s customers:

Do you collect information on behalf of your customers? For example, Google Analytics, CRM systems, digital marketing agencies, all collect this information. In these situations you are likely to receive privacy requests. Such requests must have a response. If the response is a denial, you must clearly state the reason for denial.

As a service provider you will be required to collect, store, update, and present privacy policy terms and contact information of each of your customers. If a consumer submits a privacy request, you are required to provide the contact information for your customer to which the request belongs.

This is a bit tricky. You will be required to collect privacy request contact information from each of your customers. You may be required to either provide a webpage link to all of that information. Often as a service provider you do not have access to the personal information collected by each of your tenants. This implies you cannot respond to the privacy request submitted. Additionally, you may not know to which tenant the privacy request is meant for. As a result, you may be required to provide a link that lists all your tenant’s privacy request contact information or web page links. We recommend providing a list of link to all customers’ privacy terms on their webpages.

If the consumer submitting the privacy request is an account holder, the situation will be different. In this situation, we recommend that you ensure privacy APIs that each of your tenants could use. This is similar to providing a CCPA compliance module as part of your service.

Privacy requests – Household information

Does your business jointly process household information? For example, a cable operator, or a internet access provider, is likely to have household information.

Any household-related privacy request should be processed similar to an individual consumer privacy request. However, the business has the option to verify each member of the household. More on verification is detailed below.

Verification process

All requests, except opt-out requests, must be verified. Opt-out requests must be processed without verification, unless you consider them fraudulent. This is indeed a high bar for opt-out requests. You may have to implement or deploy security measures to detect fraud.

For the purposes of verification you may ask the following personal information:

• Name
• Email
• Phone
• Physical address

However, we recommend that you do not ask for the following (combination of) personal information:

• Name +
  • Social security number
  • Driver license number or ID card
  • Account number (credit card etc.)
  • Medical information
  • Health insurance information
• Email (or account name) + password

You may use a 3^rd party KYC type service for verification process that cater to the above requirements.

Verification – consumers without password-protected accounts

CCPA compliance requires verification of consumers that do not hold accounts in two ways:

• Reasonable degree of certainty (match at least 2 pieces of data)
• High degree of certainty (match 3 or more pieces of data)

Privacy requests to delete, or access information require verification with high degree of certainty. All other privacy requests require only a reasonable degree of certainty.

Verification – password-protected accounts

Does your business have account holders with password protected accounts? Then the best approach is to provide the privacy request form once the user logs in into the account. However, if a consumer submits a privacy request, and that consumer is an account holder, you may respond to the consumer to submit the request by logging into the account. This authentication ensures verification of the privacy request.

Privacy request to delete information may require re-authentication by the account holder to ensure CCPA compliance.

Request processors – training

All people processing the privacy requests must undergo training. They are informed on

1. CCPA compliance requirements
2. How to address privacy requests
3. How to inform consumer about their privacy rights
4. Keep a record of all training provided

Audit information

You must keep a record of all privacy requests, their processing, and their response. Any consumer data retained as part of the privacy request must be stored for a minimum of 24 months. This data must be reasonably secured from data breaches. The purpose of this data is CCPA audit. You may not use this data for any other purpose.

Does your business store more than 4 million consumer records? Then you have to disclose information on privacy request processing on your website. This disclosure is an annual disclosure and must include the following information:

1. Number of right to know requests received
2. Number of right to know requests processed
3. Number of right to know requests denied
4. Average number of days taken to process right to know requests
5. Number of delete requests received
6. Number of delete requests processed
7. Number of delete requests denied
8. Average number of days taken to process delete requests
9. Number of opt-out requests received
10. Number of opt-out requests processed
11. Number of opt-out requests denied
12. Average number of days taken to process opt-out requests

Check a few of our other writings on CCPA compliance and regulations

1. CCPA Privacy request management
2. Simple steps to CCPA compliance
3. Prevent data breaches and avoid CCPA private action