BLOG

California Consumer Privacy Act ("CCPA") - At A Glance

CCPA Compliance

What is required to gain CCPA compliance?

  1. Businesses must have two, or more, ways to request the following: (i) what personal information is being collected about you and your children; and (ii) what personal information is being sold or disclosed about you and your children including who the third parties are.
    • The act requires, at a minimum, a toll-free number and a website, assuming the company maintains a website.
  2. Businesses must send the personal information to the consumer free of charge within 45 days of a verified request.
    • The act does not extend the company’s 45 day deadline because of the verification process it chooses to use
    • The personal information sent must include all data from 12 months prior to the request
    • Delivery must come through one of the following methods: (i) the consumers account with the business, if there is already one (the company cannot require the consumer create one); (ii) through mail; or (iii) if the consumer requests, electronic delivery
  3. Businesses must send both the personal information and the categories associated with the personal information
  4. Businesses must send two different lists: (i) each third party’s name and contact information the company sold the consumer’s personal information, including both the information and categories; and (ii) each third party’s name and contact information the company shared for business purposes the consumer’s personal information, including both the information and categories
  5. Businesses must disclose the following in an online privacy policy or policy and in any California-specific description of consumers’ privacy rights. If the business does not maintain the above policies, the company must maintain the following on its website, which must be updated every 12 months:
    • California consumer rights
    • List of data collection categories for the prior 12 months
    • Two separate lists for categories sold and categories shared for a business purpose
  6. Businesses must implement controls for training responsible employees on handling inquiries and how consumers are to exercise their California rights
  7. Businesses must only use the personal information collected for verification for verification only
  8. The act does not require Businesses to make the disclosures to a verified consumer more than once every 12 months

How can a business achieve CCPA Compliance?

  1. Businesses must include a link on a homepage titled “Do Not Sell My Personal Information” to allow a California consumer to opt-out of the sale of his/her personal information
    • Link must appear in online privacy policies or policies and any California description of consumers’ privacy rights
    • If the business makes the homepage available to the public generally and maintains a separate and additional homepage dedicated to California consumers, the link does not have to be on the homepage that is available to the public generally
    • If a consumer opts-out, businesses must refrain from selling any personal information and cannot ask again for 12 months 

You can read the entire California Consumer Privacy Act here.

Photo – Wikimedia Commons

The Grenier Law Firm believes that education is an important part of top-quality legal services.  The excerpts and posts on this site are for educational purposes only.  We want to keep educational materials available here for you. However, you must understand that providing these excerpts and posts should not be construed as legal advice or creating an attorney-client relationship between you as the reader and our authors.  Because these excerpts and posts are intended as informational, you should always seek out the appropriate legal advice before acting or not acting based on what you read here.

About the author