Countdown to CCPA: Part 2
You’ve determined that your business is subject to the California Consumer Privacy Act (“CCPA”) and are engaged in your CCPA assessment and compliance efforts. January 1 is close. It’s time to measure your CCPA implementation progress.
This post is the second of three articles to help you assess your compliance progress and meet your CCPA obligations.
Privacy Disclosures and Opt-Out
What is the status of your disclosure and opt-out preparedness?
BEFORE you collect personal data or AT the point of collection, you must disclose to the consumer:
- the categories of personal data that you have collected about them in the preceding 12 months
- the categories of personal data about them that you have sold in the preceding 12 months (or a statement that you do not sell their data)
- the categories of personal data about them that you have shared in the preceding 12 months (or a statement that you do not share their data)
- the categories of sources of data
- the purposes for collecting or selling the data
- the categories of third parties with or to whom the data is shared or sold
- a description of a consumer's CCPA rights ([discussed in the first article](/countdown-to-ccpa-how-to-prepare-p1)) and two or more designated methods for submitting requests
SELLING DATA
- if you do sell personal data to third parties, the home page of your website must have a clear and conspicuous link entitled “Do Not Sell My Information,” which links to a form for opting out
- your privacy disclosures must describe the right to opt out of data selling with the “Do Not Sell My Information” link, your online privacy practices, and any California-specific privacy rights
- you must also have procedures in place to ensure that the consumer is not requested to opt back into selling for 12 months
Third-Party Management
The CCPA requires you to exercise control and oversight over third party use of personal data.
Your data inventory and mapping and selling assessment efforts should highlight your third-party management needs for CCPA purposes. Have you:
- IDENTIFIED third parties who access personal data and determined whether or not that access should be continued?
- Made sure that CONTRACTS with third parties include appropriate nondisclosure language and a mechanism for deletion of personal data and effectuating selling opt-outs and consumer deletion requests?
Information Security
The CCPA gives consumers the right to sue you if a data breach results from unreasonable security practices. Have you revisited your IS processes and technology and your data incident response and resiliency plan to make sure that they are up-to-date, reasonable, and address CCPA requirements, such as third-party access and verification of consumer requests?
Practice Pointers
As you prepare for CCPA compliance, look for an assessment solution that automates end-to-end security and data protection assessments and provides a way to manage and oversee third-party relationships.
By Paige Boshell, Privacy Counsel LLC (Please note that this article is not intended as legal advice and is a high-level overview of some of the more significant CCPA requirements. Please contact legal counsel for a thorough description of CCPA obligations and how they apply to you.) © CENTRL, Inc. 2019
