2019 is winding down, and with the new year comes a new era in privacy regulations. The California Consumer Privacy Act becomes operative on January 1, 2020, leading the way for other privacy regulation across the U.S.
The California Association of Collectors (CAC) spent considerable time this fall discussing the CCPA during a webinar whose panel included attorneys Lauren Valenzuela of Performant and June Coleman of Carlson & Messer. With their help, learn what disclosures will be required, how to handle consumer requests and how your business can prepare for the change.
Required Disclosures Under the CCPA
Any business that’s subject to the CCPA will need to inform consumers about the data it collects. The rule states this disclosure must “at or before the point of collection inform the consumer as to the categories of personal information to be collected and the purpose for which the categories of personal information is going to be used.” The categories of personal information within the CCPA are:
- Lists of the categories of personal information collected - Companies that fall under this regulation must tell consumers what types of personal information were collected in the preceding 12 months. This includes:
  - Listing the categories of information the business has sold within the previous 12 months, or disclosing that the business has not sold any consumer information in that time frame, if that is the case.
  - Listing what categories of personal information have been disclosed for business purposes within the previous 12 months or disclosing that the business hasn’t disclosed information in that time frame.
- Link - Your company must provide a link to “Do Not Sell My Personal Information” on your webpage if you sell consumer data.
Responding to Consumer’s Requests
One of the challenges of this new regulation will be creating policies and procedures regarding interactions with consumers about the personal information you are collecting. Your business should consider every step of the communication process from who receives and responds to consumers, to what information the responses must contain.
How Do We Authenticate a Person’s Identity as the “Consumer” When We Get a Request?
Businesses are only required to respond to a consumer’s request regarding personal information if the consumer’s identity can be verified. This step is important, as personal information requests could possibly be submitted without a consumer’s knowledge for many reasons, including fraud and identity theft.
The proper way to authenticate identity may require further clarification from the California Attorney General in the coming months. Be aware that someone who has committed identity theft may know enough to convincingly authenticate this type of request. The result would then be a fraudulent party getting hold of even more personal information about a consumer. Speak to your attorneys and compliance and risk management team to address these concerns.
What Must You Do Upon Receipt of a Consumer’s Request?
As soon as a request is received, you are responsible for determining whether the request is verifiable. If the request is verifiable, your office must:
- Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request. The time period may be extended once by an additional 45 days when reasonably necessary, provided the consumer is given notice of the extension within the first 45-day period.
- Within your disclosure, cover the 12-month period preceding the business’s receipt of the verifiable consumer request.
- Provide the disclosure in writing and deliver through the consumer’s account with the business (if the consumer maintains an account with the business) or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business. The disclosure must be accessible in a readily usable format that allows the consumer to transmit this information from one entity to another entity without hindrance.
What Should a Response to a Consumer’s Request Include?
There are five pieces of information your response to a consumer must contain.
- The categories of personal information the business has collected about that consumer.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information the business has collected about that consumer.
Note, your business is not required to provide the same personal information to the same consumer more than twice in a 12-month period. Cal. Civ. Code §1798.130(b). However, a business has the burden of showing the request is excessive. Keep good records of not only the personal information you collect, but your responses to consumers who request this personal information.
Preparing for CCPA Compliance
You need to be prepared to comply with the CCPA at the beginning of the new year. You’ll need to understand what data you are collecting, and you must be ready to effectively communicate this information to consumers. To be sure you’ve done all you need to for CCPA compliance, consult this readiness checklist:
As with any new legislation, it's important to speak to your attorney to ensure you're ready for compliance. In the meantime, you can download a more extensive CCPA checklist -- created with the help of the CAC's webinar panelists -- to help you prepare.