Does your business collect, maintain, and/or use customer’s personal data? Does your business operate in California? If you answered yes, you must be in compliance with the CCPA beginning on January 1, 2020.
Under this act, consumers have 5 specified rights. One of the rights is to opt-out of having their information kept or sold. Learn about the actions you need to take to help ensure you are in compliance.
Consumer Rights Under CCPA?
1. Right to Request Disclosure
The consumer can ask the business to disclose what PI the business collects. He/she can also ask to know about the sales practices associated with their PI. This includes:
- All PI you have collected
- Source of the information
- How you use the information
- If you disclosed or sold PI to a third party
- Categories of PI that's disclosed or sold to third parties
- Categories of third parties that received the information
Businesses need to put processes in place now to be able to answer these consumer questions.
2. Right to Request a Copy
Consumers may ask the company to provide a copy of the specific PI collected. The organization must provide this information for the previous 12 months from the time of the request.
3. Right to Deletion of PI
The consumer may request the deletion of their PI. There are some exceptions to this right.
4. Right to Request PI Not Be Sold
Consumers may ask the business to not sell their PI to third parties.
5. Right to Nondiscrimination
The consumer has the right to protection from discrimination. Thus if they ask for the deletion of their PI or not to have it sold, the business must still provide products and services to them.
What Is PI Under the CCPA?
The CCPA defines personal information as anything that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or household.”
Many data elements meet PI definitions including:
- IP address or data that identifies a specific individual
- Electronic network information such as browsing histories, search histories, and consumer’s interaction with websites, applications, or advertisements
- Any information collected via audio, electronic, visual, thermal, or olfactory media
- Data that provides geolocation information
The CCPA also includes information that can be “inferred” from data elements. For example, creating a customer profile showing their preferences, characteristics, psychological trends, and behaviors. This law also includes inferences of consumer preference, predispositions, attitudes, intelligence, aptitudes, and abilities.
PI extends to name, addresses, social security, driver’s license, and passport numbers. Biologic data such as genetic markers are also considered identifiable information as well.
Can Consumers Opt-out?
The CCPA provides consumers with 5 rights. The third right allows customers “to say no to the sale of personal information.” This is also called the “Do Not Sell My Personal Information” or the right to opt-out.
This consumer right may have a significant impact on your company. Most often you must follow this request. You must have policies and procedures in place before you ever receive a request.
Your system must allow you to identify the location of every piece of PI. You must ensure that third-party partners have these systems in place as well. When you receive this request, you must track your actions and prove that you complied.
The CCPA defines “affirmative authorization” as an action showing the intentional request by a consumer to opt-in to the selling of their PI. If the consumer is under the age of 13, further rules apply. A parent or guardian may consent to the sale of a child’s PI but must follow the rules in section 999.330.
If the consumer is 13 years or older, he/she must first clearly request to opt-in and then separately confirm their opt-in choice.
Do All Companies Have to Comply with CCPA?
California businesses are not all subject to the CCPA law. This act only applies to organizations that earn at least $25 million each year or if 50% of revenue results from the sale of personal data.
CCPA also applies to businesses that buy or sell PI for more than 50,000 consumers or households.
All collected data is not treated the same under the CCPA law. Any information collected twelve months before 2018 is exempt from the provisions of the Act. Also, PI for children under the age of 16 can’t be sold to another party unless the parent or guardian consents to opt-in.
Organizations must increase cybersecurity to protect PI unauthorized release to a third party. This may occur through theft or access by an employee not cleared to access or transmit data.
Are You Worried About Meeting CCPA Compliance?
With the advent of data privacy rights laws, many businesses aren't equipped to meet all the regulations. Truyo helps companies to efficiently and securely manage regulatory compliance. We also ensure that your customer satisfaction isn’t affected.
Truyo makes sure that you and your customers receive your full data rights and manage consents. We will help you with consumer requests such as opt-out. Contact us today to schedule your demo.