The COVID-19 pandemic forced many non-essential businesses to shutter, limit, or digitize most operations. MPAA, News Media Alliance, Association of National Advertisers, and 60 other Hollywood and newspaper industry groups joined together. They called on California Attorney General Xavier to delay enforcement of the CCPA (the new privacy law) by six months, towards the end of 2020, due to the COVID-19 pandemic.

The landmark California Consumer Privacy Act (CCPA) gives consumers the right to learn what personal information about them is held by businesses, request deletion of that information, and opt out of its sale. The law took effect on January 1, 2020, but enforcement is not scheduled to begin until July 1, 2020.

The 60 business groups argue that current shelter-in-place requirements have left key personnel unable to build and test new systems on-site. Additionally, the regulations implementing the law are still being modified and have not been finalized.

In this live webinar, you will gain insight into CCPA Compliance during COVID-19 restrictions from trusted CCPA experts, including:

  • Will the California AG begin enforcement on July 1, 2020?
  • How to develop simple, easy-to-deploy business processes to comply with CCPA during the shelter-in-place restrictions
  • Plus, a quick CCPA Compliance demo and $20 Amazon Giveaway!


DV Subramanyam Dronamraju
Host: DV Dronamraju
Author – The CCPA Compliance, Founder – InfoSecEnforcer
Brad Hammer
Panelist: Bradley Hammer
Privacy Expert & Attorney
  1. What is CCPA?

    CCPA is California Consumer Privacy Act. It is bill AB 375 enacted into law on June 28, 2018. CCPA grants California residents new privacy rights. These rights impact how a business collects, stores, processes, and secures personal information.

  2. What are CCPA Regulations?

    CCPA regulations are written to govern compliance with the CCPA. California Attorney General (AG) published a new draft of CCPA regulations on Oct 10, 2019. These draft regulations establish procedures and guidance to businesses for compliance. What does this mean for your business?

    Your business can start to create an implementation plan for CCPA compliance. Can you expect changes? Yes. However, the basic structure is not likely to change.

    So… let’s discuss these rules and procedures your business needs for CCPA compliance.

  3. What is the cost of CCPA Compliance?

    Are you a small business? Your initial cost of CCPA compliance is estimated at $25,000. Your annual cost is estimated at $1,500.

    Other businesses can estimate their initial cost at $75,000. And, an annual cost estimate of $2,500. Depending on how you collect personal information, and its use, these costs could vary.

    It is cheaper to follow the proposed CCPA regulations vs. pay the penalties. The cost of CCPA compliance is mainly for IT and legal services.

  4. What is the CCPA compliance date?

    January 1, 2020. The effective date for CCPA (California Consumer Privacy Act) is January 1, 2020. Businesses that need to have CCPA compliance must be able to process privacy requests. They also must be able to implement adequate security measures to prevent data breaches of personal information.

    July 1, 2020. The start date of enforcement by the California Attorney General (AG) is likely to begin no later than July 1, 2020. The California Attorney General issued draft CCPA regulations on Oct 10, 2019. If these regulations are finalized by Dec 15, 2019, then enforcement action by the AG is likely to begin on June 15, 2020. We believe that enforcement starts on July 1, 2020.

    So, does my business have time till July 1, 2020 for CCPA compliance?

  5. Does my business have time till July 1, 2020 for CCPA compliance?

    NO. The effective date of CCPA is January 1, 2020. So your business needs to implement CCPA compliance by January 1, 2020. However, your business is unlikely to receive any notices for non-compliance from the AG till July 1, 2020. And the AG is likely to consider any CCPA compliance violations retroactive to January 1, 2020.

    And, you need to consider adequate security by January 1, 2020. Such adequate security is needed to prevent data breaches. Because, when you report a data breach starting January 1, 2020, your business could face private action by affected individuals.

  6. Notice of collection of personal information – Inform

    You must inform consumers that you are collecting personal information. On your website this means a clear notice in simple English. We recommend this notice.
    “We collect your personal information. Click here for more (link to privacy page).”

    If you can track returning consumers on your website, then you do not have to display this notice for returning consumers. Do you publish your website in multiple languages? You need to have this notice in all the languages you support.

    Are you a B2B business? The consumer definition applies to you as well. A consumer is any California resident.

The new draft CCPA regulations were published by the California AG on October 10, 2019. These regulations cover three main areas:

  • Notices to consumers
  • Submission of privacy requests by consumers
  • Verification of privacy requests by consumers

In the following sections we detail out each of these regulations in a way that your IT or legal team can consider this to be a checklist for CCPA compliance.

  1. Notice of personal information collection – Inform
  2. Notice of personal information collection – categories
  3. Notice of personal information collection – purposes
  4. Notice of personal information collection – the link
  5. Notice of indirect personal information collection
  6. Right to opt-out of sale – notice
  7. Financial incentive – notice
  8. Verification process – notice
  9. Privacy policy – combined notice
  10. Privacy requests – definitions
  11. Privacy requests – methods
  12. Privacy requests indirect consumers – methods
  13. Privacy requests – acknowledgement
  14. Privacy requests – response
  15. Response – right to know categories
  16. Response – right to know purposes
  17. Response – right to know sources
  18. Response – right to know categories of 3rd parties
  19. Response – right to access personal information
  20. Response – right to access information sold/disclosed to 3rd parties
  21. Response – right to delete personal information
  22. Response – right to opt-out of sale (Do Not Sell My Personal Information)
  23. Response – secure transmission
  24. Response – Password-protected accounts
  25. Service provider – privacy request submission
  26. Privacy request – household-information
  27. Verification process – generic
  28. Verification – consumers with no accounts
  29. Verification – consumers with password protected accounts
  30. Request processors – training
  31. Audit information

Notice of personal information collection – Inform

You must inform consumers that you are collecting personal information. On your website this means a clear notice in simple English. We recommend this notice.

“We collect your personal information. Click here for more (link to privacy page).”

If you can track returning consumers on your website, then you do not have to display this notice for returning consumers. Do you publish your website in multiple languages? You need to have this notice in all the languages you support.

Are you a B2B business? The consumer definition applies to you as well. A consumer is any California resident.

Notice of personal information collection – categories

Do you have a list of all categories of personal information you collect? Get your list together. Publish this list on your website. See below on how to provide a notice of categories of data collection.

Notice of personal information collection – purpose

Do you have a list of reasons for collecting personal information? Get your list together. List reasons for each category of personal information collected. See below on how to provide a notice of such purpose by category.

Notice of personal information collection – the link

In one of the regulations above, you provided a link. This link needs to display in simple English the following sections:

  • List of categories
  • List of reasons per category
  • Link to the privacy policy
  • Link to the privacy request form
    • Specifically create a link for ‘Do Not Sell My Info’
  • Or, include all of these in privacy policy

Notice of indirect personal information collection – sell/share data

If you are not in the business of selling or licensing personal information, then this CCPA regulation is not meant for you.

If this is meant for you, contact the source of your data and get attestation that the source provided the notice of collection of personal information. Service providers storing data on behalf of their customers are treated differently. See sections that address the CCPA regulations for service providers.

Right to opt-out of the sale of personal information – Notice

Do you sell or have plans to sell personal information collected?

If the answer is No, then state this clearly in your privacy policy. Skip the rest of this section and move on to the next. And, if the answer is Yes, then state it clearly in your privacy policy.

“We sell (or plan to sell) some or all of the personal information we collect. To opt-out of this please click the link below. Do Not Sell My Info.”

And, you must publish this in all the languages you use on your website. You may add a logo to the above link.

Financial incentive – Notice

Some businesses collect and sell personal information. It is their business model. Often they offer a free service for such information collection and/or sale.

CCPA regulations clarify how a business can provide a financial incentive for collection and/or sale. You need to make this clear in your privacy notice. This privacy notice must include:

  • Clear statement that consumer can withdraw anytime
  • Process for consumer to change their choice

Verification process – notice

Verification process is a means to verify the consumer who submits a privacy request. A verification process is required to address the privacy requests from consumers. For CCPA compliance, you need to clearly state the verification process and methods used.

For example, if your verification process requires an email verification, you need to state what the process is and why you need email verification. More on verification is detailed in sections below.

Privacy policy – combined notice

You are likely to have a privacy policy on your website. If not, create one. For CCPA compliance we recommend creating two versions of the privacy policy.

  • First version is a simplified version
  • Second version is a more legal version (that is directly in line with the simplified version)

If your website is published in multiple languages, your privacy policy needs to support this. In addition, we recommend publishing audio of the simplified version. It is better to provide a download file for both versions.

Bookmark this page. Or sign up to get updates. We will publish these two versions for your use under the Creative Commons (Attribution alone) license.

Privacy requests – definitions

CCPA affords right to privacy to a consumer. A privacy request is a method to submit a request to exercise this right to privacy.

Consumer has the right to several types of privacy requests. These specific requests are:

  • Right to know categories of information collected
  • Right to know purpose(s) of information collection for each category
  • Right to know source(s) of information collection for each category
  • Right to know categories of 3rd parties information is sold/disclosed for each category
  • Right to access information
  • Right to access information sold/disclosed to 3rd party
  • Right to delete personal information
  • Right to opt-out of sale of personal information

Privacy requests – methods

A privacy request is a method for a consumer to submit a request to know or request to delete.

A webform is a first choice for privacy request submission. It is an easy method to provide for all privacy requests. This reduces submission errors. It simplifies requester verification.

A second method is also required for CCPA compliance. We recommend a 1-800 or other toll free number. This should be fully automated in order to reduce submission errors. Automation also helps to improve requester verification. Other methods could include:

  • An email address (ex: [email protected] )
  • Downloadable form for submission through mail (USPS or other)
  • Form available at your retail service centers or shopping location(s)

Privacy requests by indirect consumers – methods

You must have at least one method for the indirect consumer to submit privacy requests. A web form is the recommended method. And, this is consistent with direct consumer requests.

Privacy requests – Receipt

CCPA regulations require that you acknowledge receiving the privacy request promptly, within 10 days. As part of this receipt you may include:

  • Email verification link
  • Any additional verification steps or process
  • Timeline to expect a response
  • Multiple requests, if any

Privacy requests – Timeline

The California AG’s CCPA regulations require a response in 45 days from the date of the privacy request submittal. This is different from an earlier interpretation of 45 days from the date of verification of the request.

You may respond with an extension of an extra 45 days. Please note, earlier interpretation of extension was for 70 days. An extension response must include a reason for extension.

What happens if the verification is incomplete? If the verification of the consumer request is not complete, you have two choices:

  • Deny the request indicating the incomplete verification as the reason for denial
  • Send an extension of another 45 days to complete the request, with incomplete verification as the reason for extension

Response – Right to know categories

The right to know requests are a bit tricky. But the CCPA regulations provided specific clarification on how the responses need to be addressed.

CCPA regulations imply that data categories are the basis for structuring the data collection. This is unlikely to be the case in your business. So we recommend separating the right to know in the way we detailed out.

As per the CCPA regulations the response to a request for right to know categories shall include:

  • Reasons
  • Sources
  • 3rd party categories to which business sold/disclosed data
  • Reasons for sale/disclosure to 3rd parties

We recommend treating these as individual privacy requests which will also imply CCPA compliance.

To the extent reasonable, you are required to provide an individualized response to each consumer. While this sounds like a bit of a stretch, as a business practice it is best for you to document categories based on the type of consumer. This practice will ensure rapid response to these privacy requests.

If the privacy request cannot be verified, then a response still needs to be sent with general information for the right to know requests.

Response – Right to know purposes

See response to right to know categories above. As a business practice it is best to collect purposes under each category. We also recommend separating the purposes by requester type. This will ensure individualized response to each consumer.

Response – Right to know sources

See response to right to know categories above. And, follow practices that provide individualized response to each privacy request.

Response – Right to know categories of 3rd parties

See response to right to know categories above.

If your business does not sell/disclose personal information to other 3rd parties, you still have to respond accordingly. Beware of sending stock responses. Consider the following:

  • A consumer asks for a right to know categories of 3rd parties
  • After getting a response, the same consumer submits an opt-out of sale request
  • And you respond
  • A consumer then asks again for the right to know categories of 3rd parties

If the last request is sent with a stock response, this would imply that the opt-out has been unsuccessful. This may imply violation of the CCPA regulations.

Response – Right to access information

CCPA regulations discuss disclosure of specific pieces of information about the consumer. CCPA does not provide for specific information. It states all information. This area of the regulation is still unclear. However, we recommend providing all information to the extent applicable. Also, as stated in the following section, disclose information sold/disclosed to 3rd party(s).

CCPA compliance with the act requires disclosure of all information, metadata, etc. CCPA regulations are unclear on what to include as part of the disclosure. However, CCPA regulations provide some good guidance on what not to include. As part of the response, you are not to disclose any information that meets these criteria:

  • Personally identifiable data such as
    • Social security number
    • Driver license number
    • Government issued identifications
    • Financial account numbers (ex: credit card numbers)
    • Health care numbers or medical ids
    • Account passwords or numbers
    • Account security questions or answers
  • Conflict with other federal or state law
    • State clearly which law and type of information withheld
  • Creates a risk to the security of (we infer this as cyber risk)
    • The information disclosed
    • Consumer’s account
    • Your business systems
    • Your network

You need to be very diligent with your verification process. If any step of the verification process fails, you may respond with rejection of the request.

2-step or multi-step verification process? In some situations, CCPA regulations cannot be considered as a rule. For the purpose of responding to right to access information, we recommend caution. A confirmation of the request is important before responding with the data. This is specifically the case for non-account based requests. Two-step could mean:

  • Typical verification that you will do for all requests
    • Email
    • Phone calls
    • Account based portal
  • A second step could be in the form of requesting a confirmation of the specific request
    • A confirm your request email verification
    • A phone call to confirm the request and email address to respond to request
    • For account based requests… this could be in the form of the user re-entering credentials.

Response – Right to access information sold/disclosed to 3rd party

Similar to the above right to access information. We recommend having this privacy request as well. This is clear and addresses a core premise of information collection. If your business is involved in the sale/disclosure of data to 3rd parties, then the consumer would like to know what information has been disclosed. This is likely to address the specific information requests included in the CCPA regulations.

The response to this request is similar to the response to the right to access information request discussed above. We recommend a 2-step verification or another method of caution before sending a response to non-account based requests.

Response – Right to delete personal information

You must verify this request. No verification can default to denial of the request. We recommend a 2-step verification, see above sections for details.

We recommend that you provide an all or nothing choice for deletion. CCPA regulations allow your business to retain certain categories of data. You could do this by providing the consumer an option to delete specific categories of personal information. This could be taxing on your business systems and processes. This will likely increase the cost of your compliance.

CCPA regulations require you to process a response with:

  • Permanently and completely erasing the personal information on its existing systems with the exception of archived or back-up systems;
  • De-identifying the personal information;
  • Aggregating the personal information;
  • Retain a copy of the data only as part of an audit to this privacy request (or other state or federal laws);
  • Include the way in which the data is deleted

You may reject the deletion of all data or specific data and must include all of the information in your response to the request. A response with rejections or denials must include:

  • Reason for not deleting the specific data under regulation or statutory exception
  • Must confirm that all other data is deleted
  • Cannot use the data outside of the regulatory exception

Response – Right to opt-out of sale (Do Not Sell My Personal Information)

This privacy request receives a special mention in CCPA regulations. For CCPA compliance for this type of privacy request, your business must:

  1. Provide a web form with the words ‘Do Not Sell My Personal Information’ or ‘Do Not Sell My Info’. The intent is to remove ambiguity and provide consistency to consumers.
  2. Provide a second method. We recommend an automated 1-800-Service.
  3. Honor their opt-out of tracking cookies settings on the browsers

You have 15 days to comply with this request. A verification of the consumer is not mandated for this type of privacy request. You must notify the consumer that the request is processed within 15 days.

Did you sell/share this data with a 3rd party? You must notify all such 3rd parties. You have 90 days to complete notification. This implies you need to modify your agreements with 3rd parties to ensure their CCPA compliance. You must notify the requester that all 3rd parties have been notified of their opt-out request.

If you believe you received a fraudulent request, then you may not comply. But you must document why you perceive that you received a fraudulent request.

Response – secure transmission

Your business must take reasonable security precautions while responding to the requests. This could be one of several items:

  • If the response is by email, ensure that the email is verified
  • If the response is in the form of a letter, ensure that the address is verified
  • If the response uses a portal:
    • Ensure that the portal uses appropriate security (HTTPS, firewall, etc.)
    • Ensure that the account to access the portal is authenticated

Response – Password protected user account

Does your business maintain user accounts and the requester is an account holder? Then these privacy request response mechanisms apply:

  • Privacy requests for account holders can be inside a secure portal
  • Privacy request submittals shall not require account access
  • You may ask for additional verification
  • You may not restrict access to personal information within the portal
    • A way to download the information should be provided

Service provider – privacy requests

Is your business delivering services to other businesses? Such as a SaaS company or a digital marketing company? Then, you must provide consumers methods to submit privacy requests.

Service provider as a business:

It is likely that you collect personal information of your own customers and partners. Or collect personal information of potential customers and partners. CCPA compliance is necessary for such a service provider. Please review this article in detail on how to implement the new CCPA regulations.

Service provider’s customers:

Do you collect information on behalf of your customers? For example, Google Analytics, CRM systems, digital marketing agencies, all collect this information. In these situations you are likely to receive privacy requests. Such requests must have a response. If the response is a denial, you must clearly state the reason for denial.

As a service provider you will be required to collect, store, update, and present privacy policy terms and contact information of each of your customers. If a consumer submits a privacy request, you are required to provide the contact information for your customer to which the request belongs.

This is a bit tricky. You will be required to collect privacy request contact information from each of your customers. You may be required to provide a webpage link to all of that information. Often, as a service provider, you do not have access to the personal information collected by each of your tenants. This implies you cannot respond to the privacy request submitted. Additionally, you may not know which tenant the privacy request is meant for. As a result, you may be required to provide a link that lists all your tenants’ privacy request contact information or web page links. We recommend providing a list of links to all customers’ privacy terms on their webpages.

If the consumer submitting the privacy request is an account holder, the situation will be different. In this situation, we recommend that you ensure privacy APIs that each of your tenants could use. This is similar to providing a CCPA compliance module as part of your service.

Privacy requests – Household information

Does your business jointly process household information? For example, a cable operator, or an internet access provider, is likely to have household information.

Any household-related privacy request should be processed similar to an individual consumer privacy request. However, the business has the option to verify each member of the household. More on verification is detailed below.

Verification process

All requests, except opt-out requests, must be verified. Opt-out requests must be processed without verification, unless you consider them fraudulent. This is indeed a high bar for opt-out requests. You may have to implement or deploy security measures to detect fraud.

For the purposes of verification you may ask the following personal information:

  • Name
  • Email
  • Phone
  • Physical address

However, we recommend that you do not ask for the following (combination of) personal information:

  • Name +
    • Social security number
    • Driver license number or ID card
    • Account number (credit card etc.)
    • Medical information
    • Health insurance information
  • Email (or account name) + password

You may use a 3rd party KYC type service for a verification process that caters to the above requirements.

Verification – consumers without password-protected accounts

CCPA compliance requires verification of consumers that do not hold accounts in two ways:

  • Reasonable degree of certainty (match at least 2 pieces of data)
  • High degree of certainty (match 3 or more pieces of data)

Privacy requests to delete, or access information require verification with high degree of certainty. All other privacy requests require only a reasonable degree of certainty.
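
The two certainty tiers described above can be applied mechanically. The following Python sketch is an added example, not part of the original article or of any CCPA tooling: it counts matching data points (name, email, phone, physical address only) and picks the follow-up action the article describes for each outcome. The field names, request-type keys and the sample record are assumptions made for illustration.

```python
import hmac
import re

REASONABLE, HIGH = 2, 3  # minimum matching data points per tier (from the text)

# Request-type keys are illustrative names, not terms from the regulations.
REQUIRED_MATCHES = {
    "know_categories": REASONABLE,
    "know_purposes": REASONABLE,
    "know_sources": REASONABLE,
    "know_third_parties": REASONABLE,
    "access": HIGH,
    "access_sold": HIGH,   # assumption: treated like any other access request
    "delete": HIGH,
    "opt_out": 0,          # opt-out is processed without verification
}


def norm_name(value):
    return " ".join(value.casefold().split())


def norm_email(value):
    return value.strip().casefold()


def norm_phone(value):
    digits = re.sub(r"\D", "", value)
    # Compare on the last 10 digits; anything shorter counts as "not provided".
    return digits[-10:] if len(digits) >= 10 else ""


def norm_address(value):
    return " ".join(re.sub(r"[^\w\s]", " ", value.casefold()).split())


# Only the data points the article lists as acceptable for verification.
NORMALIZERS = {
    "name": norm_name,
    "email": norm_email,
    "phone": norm_phone,
    "address": norm_address,
}


def verify_request(request_type, submitted, on_file):
    """Count matching data points and decide how to handle the request."""
    if request_type not in REQUIRED_MATCHES:
        raise ValueError(f"unknown request type: {request_type}")
    required = REQUIRED_MATCHES[request_type]

    # Anything outside the allowed fields (SSN, passwords, ...) is never
    # compared and is reported so the intake form can be corrected.
    ignored = sorted(k for k in submitted if k not in NORMALIZERS)

    matched = []
    for field, normalize in NORMALIZERS.items():
        claimed = normalize(submitted.get(field) or "")
        stored = normalize(on_file.get(field) or "")
        # Empty values never match, so a blank form cannot verify anyone.
        if claimed and stored and hmac.compare_digest(
            claimed.encode(), stored.encode()
        ):
            matched.append(field)

    verified = len(matched) >= required
    if verified:
        action = "process"
    elif request_type.startswith("know_"):
        action = "send_general_information"  # unverified right-to-know request
    else:
        action = "deny_or_extend"            # deny, or extend by 45 days
    return {
        "verified": verified,
        "required": required,
        "matched": matched,
        "ignored_fields": ignored,
        "action": action,
    }


# Constructed sample record, not real data.
ON_FILE = {
    "name": "Maria Lopez",
    "email": "maria.lopez@example.com",
    "phone": "+1 (415) 555-0100",
    "address": "12 Market St., San Francisco, CA",
}

if __name__ == "__main__":
    claim = {"name": "maria  LOPEZ", "email": "Maria.Lopez@Example.com "}
    for kind in ("know_categories", "delete", "opt_out"):
        print(kind, verify_request(kind, claim, ON_FILE))
```

The same two-field claim passes for a right-to-know request but not for deletion, which is the distinction between the two tiers.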

Verification – password-protected accounts

Does your business have account holders with password protected accounts? Then the best approach is to provide the privacy request form once the user logs into the account. However, if a consumer submits a privacy request, and that consumer is an account holder, you may respond to the consumer to submit the request by logging into the account. This authentication ensures verification of the privacy request.

Privacy request to delete information may require re-authentication by the account holder to ensure CCPA compliance.

Request processors – training

All people processing the privacy requests must undergo training. They are informed on

  1. CCPA compliance requirements
  2. How to address privacy requests
  3. How to inform consumer about their privacy rights
  4. Keep a record of all training provided

Audit information

You must keep a record of all privacy requests, their processing, and their response. Any consumer data retained as part of the privacy request must be stored for a minimum of 24 months. This data must be reasonably secured from data breaches. The purpose of this data is CCPA audit. You may not use this data for any other purpose.

Does your business store more than 4 million consumer records? Then you have to disclose information on privacy request processing on your website. This disclosure is an annual disclosure and must include the following information:

  1. Number of right to know requests received
  2. Number of right to know requests processed
  3. Number of right to know requests denied
  4. Average number of days taken to process right to know requests
  5. Number of delete requests received
  6. Number of delete requests processed
  7. Number of delete requests denied
  8. Average number of days taken to process delete requests
  9. Number of opt-out requests received
  10. Number of opt-out requests processed
  11. Number of opt-out requests denied
  12. Average number of days taken to process opt-out requests


Imagine getting ready for CCPA compliance by Jan 1, 2020. GDPR compliance took you a lot of time and money. Now, CCPA – California Consumer Privacy Act is going into effect on Jan 1, 2020. You do not have much time. You have several other priorities as well. What if you could follow a simple step-by-step process to get ready for CCPA in one week?

Or even better..

What if there are 17 steps for CCPA compliance?

… and each of these 17 steps is easy to follow and implement. Nearly all of these 17 steps cost you no additional money. You are probably eager to read and follow these steps.

This is exactly what I am going to share with you in this post. 17 practical and actionable steps that you could use for CCPA Compliance in One Week or Less.

…and once you are done, please share and comment how long it took you to get ready for CCPA compliance using these 17 actionable steps.


1. Does CCPA compliance apply to your business?

Look, there are a lot of blogs out there that outline the law. They detail out how CCPA applies to your business. For example, you are a business in California, and have a revenue of $25 Million or more, or have information about 50,000 California consumers. This is exhaustive.

Let’s make this as simple as an easy button:

Are you a non-profit company?

If your answer is Yes, and if your parent company is also a non-profit company, then save time and skip reading this entire blog, and go watch Netflix.

Is your business in any way related to California?

If your answer is No, then what are you still doing here? Go and play a round of golf.

Let me explain my usage of the word related. It means your business is registered in California. Or, you have revenue from California consumers. Or, you pay any taxes in California. Or, you own any property in California.

Now, the next questions get a bit tricky….

Is your annual revenue in the next twelve months more than $25 Million?

If your answer to this is Yes, then skip this section and move to step 2. I simply ask you to start taking action. You will have one less urgent project this Christmas holiday.

This question is tricky because it may not be California based revenue. Rule making from California AG could shed more light. But it is fair to assume $25 Million total revenue.

Based on your current projections if your annual revenues are likely to exceed $25 Million, then you must have CCPA compliance. My recommendation is to start taking action if your revenues are likely to exceed $20 Million.

Do you have more than 961 visitors on your website from California in the last 7 days?

This is easy to check.

  1. Log in to your Google Analytics
  2. Navigate to Geo -> Location and Click on California
  3. Select last 7 days timeline for the report
  4. Check the number of users when you move your cursor to California
  5. Is this number more than 961?
Does your company need CCPA compliance? Determine that by the number of users in Google Analytics.

If your answer is Yes, then skip this section and move to step 2. Start taking action. You will spend your upcoming Thanksgiving with your family and friends.

If you do not use Google Analytics, then check for this with your web marketing team.

Do you have more than 50,000 customers in California? Check your CRM.

If you have access to your CRM system such as Salesforce.com, then log in to your Salesforce.com system. Create a report. For your query, include contacts, leads, last 12 months. Filter for California. Get a total count. Check whether the count exceeds 50,000.

If the answer is Yes, then you know what to do. Skip this section and move to step 2. And, start taking action.

Alternatively, check your email marketing system, such as MailChimp.

Do you market and send your newsletter or emails? Do you send emails to 50,000 email addresses that are likely located in California?

If the answer is Yes, then start taking action.

Are you still reading this section?

Are you a software company dealing in data as the new oil? Boy-o-boy. We can send you a PDF version of this blog. Get a cup of coffee. Start taking action.

2. Deploy CCPA privacy request intake on your website

Privacy requests are new. Your business is required to provide this on your website. Either a web form, phone number, email address, or a mailing address. You could do a combination of one or two of these mechanisms. Check out our detailed blog on CCPA Privacy Request Management.

No business can estimate the number of requests. Plan for 5-10% of your users to send privacy requests. We stay optimistic and expect a much lower request intake in 2020.

Option 1: Create a web form similar to this and deploy it on your website.

Do you have a WordPress website? Simply deploy a forms plugin – WPForms or Ninja Forms.

Create a form for CCPA privacy intake and manage your requests using WordPress. Include basic email verification. Here is an example form:

CCPA Compliance Privacy Request Intake Form

Option 2: Sign up to App.InfoSecEnforcer.com

The app is easy to set up. It scales your workflow. InfoSecEnforcer provides 13 pre-built email templates. And, it is free to use.

Option 3: Sign up to OneTrust.com

OneTrust is one of the first vendors to provide DSAR (data subject access rights). OneTrust is focused on GDPR. Support for CCPA is now being added.

CCPA Compliance: Privacy Requests Management
OneTrust provides a 14-day free trial. InfoSecEnforcer.com delivers a free app.

Option 4: Sign up to Wirewheel.io

WireWheel provides SRR (subject rights requests). Privacy requests are often called DSAR – Data Subject Access Rights, or SRR – Subject Rights Requests.

(C) WireWheel.io

Option 5: Review this blog and create your own privacy request management system

Enough said. Need more information on how to manage the intake of privacy requests? Check our blog.

Time to move to the next section.

3. CCPA Compliance needs categories of data you collect

CCPA (California Consumer Privacy Act) provides the requester a right to know categories of data you collect.

Reach out to your digital marketing team for any help. List all the categories of data you collect. Let’s get started.

Here is a sample list of categories that you could use:

  • Internet or network activities
  • Device specific information
  • Commercial information (ex: orders, history, credit card data, etc.)
  • Identifying information (ex: email, phone, etc.)
  • Health information
  • Biometric information
  • Fitness information
  • Professional or employment related information
  • Educational information
  • Geolocation information
  • Audio/Video information
  • Automotive information
  • Information users share
  • Information to process privacy requests

Now create your own list of categories. The next step is to create an email template that lists the categories of personal information your business collects.

Create an email template with categories of information collection

Here is a sample email template….

Subject:  Privacy Request – Categories of Information Collected 
Message:
Hi {Name},
We received a privacy request from you regarding the categories of personal information we collect. We collect the following categories of information:
- Internet or network activities
- Device type information
- Commercial information (ex: orders, history, credit card data, etc.)
- Identifying information (ex: email, phone number), and
- Information to process the privacy requests

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

You may have to create multiple email templates for each requester type. Each of these templates may differ on categories of information collected.

4. List reasons for collecting data by category

CCPA provides the requester a right to know why your business is collecting data. A few businesses collect data to sell as data brokers.

Let’s make it a simple one-time process. You may need help from your digital marketing team. Here is a simple list of reasons for collecting data.

Please use this list to get started with your own list.

  • To Enforce Policies, Terms, and Conditions
  • To Track and Monitor Website Usage
  • To Analyze Website Visitor Behavior
  • To Improve Website Performance
  • To Improve Visitor Engagement
  • To Service Customers
  • To Provide Sales and Support
  • To Answer Questions or Address Requests
  • To Evaluate Suitable Candidates for Jobs
  • To Create User Accounts
  • To Communicate Marketing and Sales Promotions
  • To Communicate Company Policy Information
  • To Fill and Manage Sales Orders and Support Requests
  • To Write Testimonials
  • To Deliver Advertisements
  • To Get Customer Feedback
  • To Share Data With Data Brokers
  • To Aid in Research
  • To Aid in Behavioral Analysis
  • To Process Privacy Requests

Create an email template to communicate with the requester

Here is an example. You may have to create multiple email templates.

Subject: Privacy Request - Collection Purpose
Message:
Hi {Name},
We received a privacy request from you regarding the purpose of collecting personal information. Our purpose of collecting your personal information is as follows:
- To Communicate Marketing and Sales Promotions
- To Communicate Company Policy Information
- To Fill and Manage Sales Orders and Support Requests
- To Write Testimonials
- To Deliver Advertisements
- To Get Customer Feedback
- To Enforce Policies, Terms, and Conditions
- To Share Data with Data Brokers

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

5. List all sources of data collection

CCPA provides the requester a right to know sources of data you collect. Reach out to your digital marketing team and list all data sources. Let’s get started.

This is a sample list to get started.

  • Laptops and Desktops
  • Websites
  • Desktop Apps
  • Web Apps
  • Mobile Apps
  • Shopping Carts
  • Phone Calls
  • Fitness Devices
  • Mobile Devices
  • Video Streaming Devices
  • Medical Devices
  • Smart Speakers
  • Smart Toys
  • Security Cameras
  • Wifi Routers
  • Automotive Sensors
  • Smart Sensors & Scanners
  • Tablets
  • Data Services
  • 3rd Party Data Brokers
  • Social Media Platforms
  • Advertising Platforms

Create an email template

Use this example email template.

Subject: Privacy Request - Sources of information collection
Message:
Hi {Name},
We received a privacy request from you regarding the sources of collecting personal information. Our sources of collecting your personal information are as follows:
- Laptops and desktops
- Websites
- Desktop apps
- Web Apps
- Shopping cart
- Phone calls

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

6. Scan your website and list all the cookies used

Do you have cookies on your website? Nearly all those cookies collect personal information. CCPA compliance requires you to know all your cookies. Why?

  1. Provide a detailed notice of data collection
  2. Service Opt-Out, privacy request
  3. Service Delete My Personal Information, privacy request
  4. Provide personal information stored in these cookies

Note: CCPA does not require you to create an opt-in for cookie trackers the way GDPR does. COPPA and opt-in apply for children.

With the cookie list, you can start an inventory to map the data. Use one of these free tools to learn where your cookie data is stored. Discover all the cookies your website is generating. Scanners generate reports that identify and classify the cookies discovered in this process. As a next step, click one of these tools and get a detailed report.

You may create your own cookie scanner using this open source project.

Read more about CCPA cookie consent management here.
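To show what a cookie scan boils down to, here is an added example (not from the original post and not any vendor's tool) that turns captured Set-Cookie headers into an inventory with the same columns as the cookie table in step 7. The capture, hosts and cookie names are constructed, and using the cookie's domain as "Where Stored" and passing the site's registrable domain by hand are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample capture: (host that sent the response, raw Set-Cookie value).
# All hosts and cookie names are made up; real input would come from a crawl
# or a browser HAR export of your own site.
SAMPLE_CAPTURE = [
    ("www.shop.example", "session=9f2c1a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.shop.example", "cart_id=ab12cd34; Domain=.shop.example; Path=/; Max-Age=2592000"),
    ("stats.analytics.example",
     "_vid=1.2.12345.1570000000; Domain=.analytics.example; Max-Age=63072000; Secure; SameSite=None"),
    ("ads.tracker.example", "uid=7d9e0b1c; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"),
    ("www.shop.example", "malformed-header-without-equals"),
]


@dataclass
class CookieRecord:
    name: str
    set_by: str                    # host whose response set the cookie
    domain: str                    # domain the browser sends the cookie back to
    third_party: bool
    persistent: bool               # survives a browser restart
    lifetime_days: Optional[int]   # known only when a positive Max-Age is given
    missing_flags: List[str]       # which of secure / httponly / samesite are absent


def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie value, or None if malformed."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, _value = parts[0].partition("=")
    if not sep or not name.strip():
        return None
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    # The value is dropped on purpose: the inventory should not itself
    # become a store of visitor identifiers.
    return name.strip(), attrs


def belongs_to_site(host, site_domain):
    """True if host is site_domain or a subdomain of it (label-aligned match)."""
    host = host.lower().lstrip(".")
    return host == site_domain or host.endswith("." + site_domain)


def build_inventory(capture, site_domain):
    """Deduplicate cookies by (name, domain); return (records, rejected headers)."""
    records, rejected = {}, []
    for set_by, header in capture:
        parsed = parse_set_cookie(header)
        if parsed is None:
            rejected.append((set_by, header))
            continue
        name, attrs = parsed
        domain = (attrs.get("domain") or set_by).lower().lstrip(".")
        max_age = attrs.get("max-age", "")
        lifetime = int(max_age) // 86400 if max_age.isdigit() and int(max_age) > 0 else None
        records[(name, domain)] = CookieRecord(
            name=name,
            set_by=set_by,
            domain=domain,
            third_party=not belongs_to_site(domain, site_domain),
            persistent=lifetime is not None or "expires" in attrs,
            lifetime_days=lifetime,
            missing_flags=[f for f in ("secure", "httponly", "samesite") if f not in attrs],
        )
    return list(records.values()), rejected


def render_table(records):
    """Rows in the shape of the cookie table in step 7; the admin is filled in by hand."""
    lines = ["Cookie Name | Where Stored | Name of Admin | 3rd Party (Y/N)"]
    for r in records:
        lines.append(f"{r.name} | {r.domain} | TBD | {'Y' if r.third_party else 'N'}")
    return "\n".join(lines)


if __name__ == "__main__":
    inventory, rejected = build_inventory(SAMPLE_CAPTURE, "shop.example")
    print(render_table(inventory))
    for r in inventory:
        if r.persistent and r.missing_flags:
            print(f"review: {r.name} on {r.domain} is persistent, missing {r.missing_flags}")
    print(f"{len(rejected)} header(s) could not be parsed")
```

Persistent cookies that lack Secure or HttpOnly are the ones to review first, because they carry long-lived identifiers with the weakest transport and script protections.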

7. List all Cloud and internal apps that store personal information

Data mapping is a secret ingredient to achieve CCPA compliance. CCPA compliance requires you to know:

  1. Where you store data (personal information)
  2. How you process this data
  3. Who you share this data with

Step 1 kicks off your data mapping process for the purpose of CCPA compliance. From the previous sections you have the list of cookies on your website. Use this table to document where your cookie data is stored. Nearly all cookies capture personal information.

| Cookie Name | Where Stored | Name of Admin | 3rd Party (Y/N) |
|---|---|---|---|
| Google Analytics | Analytics.Google.com | John Doe | Y |
| Automattic Inc. | WordPress.com | Jane Doe | Y |
| comScore Inc. | ComScore.com | John Doe | Y |
| Fusio | S4m.io | Jane Doe | Y |

To get all these templates and the entire blog as a Word document, CONTACT US.

Next up, list all cloud applications your business uses. The following table helps you document all your cloud applications.

| Cloud App Name | Name of Admin | Personal Information? |
|---|---|---|
| Salesforce.com | John Doe | Y |
| WorkDay.com | Jane Doe | Y |
| Office365.com | John Doe | Y |
| DropBox.com | Jane Doe | Unsure |
| Slack.com | John Doe | Unsure |

Your business has many internal applications. These may be developed internally or be 3rd party licensed software. They may run in your own data center or in your private cloud instance. The following table helps you document your internal applications.

| Internal App Name | Name of Admin | Personal Information? | 3rd Party? |
|---|---|---|---|
| Microsoft Exchange | John Doe | Y | Y |
| Quicken | Jane Doe | Y | Y |
| Kronos | John Doe | Y | Y |
| WordPress | Jane Doe | Unsure | N |
| InventoryMS | John Doe | Unsure | N |
| CoupaSoftware | John Doe | Y | Y |

All done? Hooray!! For CCPA compliance, listing the apps is yet another critical step, and it helps with data mapping:

  1. List all stores of personal information
  2. Data discovery
  3. Starting point to address privacy requests for data, delete data, etc.
  4. Review 3rd party vendor agreements (see below)

8. Review privacy clauses in your service provider or partner agreements

Why? CCPA holds you responsible for all the personal information you store. It does not matter where it sits or which 3rd party touches it. For CCPA compliance it is now necessary to enforce 3rd party CCPA compliance. Third party CCPA compliance implies answers to the following simple questions:

  1. List all stores of data we share with you
  2. How do you encrypt personal information or anonymize it?
  3. Do you have a process to detect and communicate data breaches?
  4. Do you have tools to identify, monitor, and delete personal information?

This may look like a lot of work with each 3rd party. Doing this will ensure protection from liability.

Can one single step solve this?

Yes. Execute an amendment to your current agreement with each of the 3rd parties. Include the following clause in your amendment. (Please consult your attorney.)

Covenant to SafeGuard Digital Information and CCPA compliance.

(a) Covenant. Company (3rd party vendor) and any affiliate of the Company each covenant to safeguard Personal Information (as defined in CCPA California Consumer Privacy Act – AB 375), and to institute a procedure, practice, or technology that safeguards Digital Information, from any digital means (not limited to personal, network, or cloud means) used by the Company, any subsidiary, any affiliate, or any employee of the Company.

(b) Data breach or attempt to steal by a person(s) or machines or bot(s). This covenant shall include data breach prevention from any or all thefts or attempts to steal by a person(s), machine(s), bot(s), or a combination thereof.

(c) Report data breaches, attempts. The Company shall provide a periodic report(s), no longer than each six (6) months of the data breach incident, or an attempt to steal any or all Digital Information. The incident report of a data breach or attempt to steal such Digital Information shall, at a minimum, include the date and time of the incident, the location of the incident, details of specific Digital Information involved in the incident, the person(s) or bot(s) responsible for the incident, among other information related to the incident. At the discretion of the Company, any data breach or attempt to steal highly confidential information shall be reported immediately.

(d) Privacy APIs and CCPA Compliance. The Company shall institute a procedure, practice, or technology that addresses privacy requests. These include, but are not limited to, access to all personal information (a minimum of two times a year), acknowledgement to delete specific personal information, and acknowledgement to stop sale (or license) of specific personal information to other 3rd parties.

Execute this amendment with each of your 3rd parties for CCPA compliance.

9. Review privacy clauses in your customer agreements

Uh!! What? Why should we amend our agreements with our customers?

This is especially important for software vendors or (digital) marketing companies. Your customers need to be ready for CCPA compliance. And they are seeking answers to these questions:

  1. Where do you store personal information?
  2. How do you encrypt personal information or anonymize it?
  3. Do you have a process to detect and communicate data breaches?
  4. Do you have APIs to identify, and delete personal information?

Be proactive.

How? Execute an amendment to your current agreement(s) with each of your customers. Include the following clause in your amendment. (Please consult your attorney.)

Covenant to SafeGuard Digital Information and CCPA compliance.

(a) Covenant. Company (“Your Company”) and any affiliate of the Company each covenant to safeguard Personal Information (as defined in CCPA California Consumer Privacy Act – AB 375), and to institute a procedure, practice, or technology that safeguards Digital Information, from any digital means (not limited to personal, network, or cloud means) used by the Company, any subsidiary, any affiliate, or any employee of the Company.

(b) Data breach or attempt to steal by a person(s) or machines or bot(s). This covenant shall include data breach prevention from any or all thefts or attempts to steal by a person(s), machine(s), bot(s), or a combination thereof.

(c) Report data breaches, attempts. The Company shall provide a periodic report(s), no longer than each six (6) months of the data breach incident, or an attempt to steal any or all Digital Information. The incident report of a data breach or attempt to steal such Digital Information shall, at a minimum, include the date and time of the incident, the location of the incident, details of specific Digital Information involved in the incident, the person(s) or bot(s) responsible for the incident, among other information related to the incident. At the discretion of the Company, any data breach or attempt to steal highly confidential information shall be reported immediately.

(d) Privacy APIs and CCPA Compliance. The Company shall institute a procedure, practice, or technology that addresses privacy requests. These include, but are not limited to, access to all personal information (a minimum of two times a year), acknowledgement to delete specific personal information, and acknowledgement to stop sale (or license) of specific personal information to other 3rd parties.

Execute this amendment with each of your customers for CCPA compliance. You will have an enhanced strategic relationship with your customers. The following sections detail the steps your business needs to take to address these. The result is CCPA compliance and avoiding both civil suits and regulatory penalties.

10. Review the privacy policy on your website

Your website or mobile app privacy policy review for CCPA must include the following:

  1. Information collected on your website
  2. Information on cookies that collect information
  3. Usage of information collected on your website
  4. Categories of 3rd parties used to collect information
  5. Do you share information collected with other 3rd parties?
  6. How you store, and safeguard the data

Of course, contact your attorney. Also, several web services generate privacy policies relevant to you. Please review these services:

  1. Termly
  2. Free Privacy Policy
  3. Terms Feed
  4. Privacy Policy Generator
  5. FirebaseApp Policy Generator
  6. Iubenda

While most of the above are for GDPR, you could modify these for CCPA. The key element in reviewing your privacy policies is to ensure that you have two versions of the privacy policy:

  • Legal version, and
  • Simple version in plain English

All done? The next step is to send notices with your updated privacy policy.

11. Send notices to partners with the updated privacy policy

Why? We just amended agreements with partners to include the ‘Covenant to Safe Guard Digital Information and CCPA compliance’. What is this new privacy policy update notice? A notice should be sent in two forms:

  1. A letter
  2. An email

Create a notification letter, and use the same content in your email as well. Ensure consistency in both the notices. Provide URL links to both the simple version and the legal version.

Step 1: Get a list of addresses (both postal addresses and email addresses)

Step 2: Send out the postal letter, typically addressed to the legal counsel or the President of the company

Step 3: Send out an email (use mail merge)

12. Send notices to customers with the updated privacy policy

Now that you have sent out notices to all your partners, it is time to repeat this process with your customers. It is likely that you have more than a few thousand customers.

For a large number of customers, it is indeed expensive to send letter notifications. Each letter notification is likely to cost you anywhere in the range of $0.50 to $2.00. This could get expensive fairly quickly.

We recommend that you start only with email notification for customers. Please have a way to track the number of opens. Send weekly notifications only to those who have not opened the email. Repeat these weekly notifications until you reach at least 30-50% opens. This would likely take about 10-15 weeks. Ensure that you keep a record of this process.

13. Vendor risk assessment

Let’s review step 8 above. In step 8, you created a CCPA compliance amendment for execution by each vendor. It is likely that you are able to get 80% of your vendors to sign this amendment. However, this is not enough. There is still a risk of penalties or class-action lawsuits. It is an operational risk.

The vendor has likely executed the amendment. Is there a way to check their CCPA compliance? This is the tough part. So, you need vendor risk assessment. There are two areas of vendor risk assessment for CCPA.

Area 1: Vendor security risk assessment. How vulnerable is the vendor to data breaches? Making this assessment on a vendor is a difficult operational problem.

Area 2: Vendor privacy request compliance assessment. How well does the vendor comply with the request for personal information? How well does the vendor comply with the request for deletion of data? How well does the vendor comply with the request to not sell personal information?

Several companies offer services to make a 3rd party vendor security assessment for GDPR compliance. The market is still evolving. The following resources provide vendor risk assessment for GDPR compliance. This could be easily extended to CCPA compliance.

  1. ProcessUnity
  2. OneTrust
  3. WireWheel
  4. SecurityScoreCard
  5. IAPP.org

This step is unlikely to be fully automated. Get started and you could make improvements over time.

14. Privacy APIs to access data for Privacy Requests

What are privacy APIs? Privacy APIs are an API framework to address privacy requests. Privacy APIs are new. They are often untested. Three types of privacy requests require privacy APIs. These requests require personal information of the requester:

  1. Request to access all my personal (requester’s) information
  2. Request to delete all my personal (requester’s) information
  3. Request to not sell my personal (requester’s) information

Privacy APIs enable easy and automated access to data in cloud applications. This framework could easily be extended to your business’ own data. (For more information on how to get started with Privacy APIs, please contact us.)
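As an added illustration (not InfoSecEnforcer's API or any vendor's product), this is one way the three request types above could be fanned out across the applications listed in step 7. The store class, function names, application names and the sample person are all hypothetical and constructed for this sketch.

```python
from dataclasses import dataclass, field

REQUEST_TYPES = ("access", "delete", "do_not_sell")


class InMemoryStore:
    """Constructed stand-in for one application from the step 7 inventory."""

    def __init__(self, name, rows, supports_delete=True):
        self.name = name
        self.rows = {row["email"].lower(): dict(row) for row in rows}
        self.supports_delete = supports_delete

    def access(self, email):
        row = self.rows.get(email)
        return dict(row) if row else None

    def delete(self, email):
        if not self.supports_delete:
            raise RuntimeError("deletion not supported by this store")
        return self.rows.pop(email, None) is not None

    def do_not_sell(self, email):
        row = self.rows.get(email)
        if row is None:
            return False
        row["do_not_sell"] = True
        return True


@dataclass
class RequestReport:
    request_type: str
    completed: dict = field(default_factory=dict)  # app name -> result
    failed: dict = field(default_factory=dict)     # app name -> error text
    manual: list = field(default_factory=list)     # apps with no API connector

    @property
    def closed(self):
        """A request is closed only when every inventoried app was handled."""
        return not self.failed and not self.manual


def handle_privacy_request(request_type, email, verified, stores, inventory):
    """Fan one verified request out to every app in the inventory."""
    if request_type not in REQUEST_TYPES:
        raise ValueError(f"unknown request type: {request_type!r}")
    if not verified:
        # Access and delete act on personal data, so an unverified requester
        # must never reach the stores.
        raise PermissionError("requester identity has not been verified")
    email = email.strip().lower()
    by_name = {store.name: store for store in stores}
    report = RequestReport(request_type)
    for app in inventory:
        store = by_name.get(app)
        if store is None:
            report.manual.append(app)      # needs a person to follow up
            continue
        try:
            report.completed[app] = getattr(store, request_type)(email)
        except Exception as exc:           # one failing store must not hide the rest
            report.failed[app] = str(exc)
    return report


def demo_setup():
    """Constructed inventory and data; names and addresses are made up."""
    person = {"email": "pat@customer.example", "name": "Pat Doe"}
    stores = [
        InMemoryStore("crm", [person]),
        InMemoryStore("newsletter", [person], supports_delete=False),
    ]
    inventory = ["crm", "newsletter", "helpdesk"]  # helpdesk has no connector
    return stores, inventory


if __name__ == "__main__":
    stores, inventory = demo_setup()
    for kind in REQUEST_TYPES:
        report = handle_privacy_request(kind, "Pat@Customer.example", True, stores, inventory)
        print(kind, "closed" if report.closed else "open", report)
```

The report stays open until every application in the inventory has either answered or been handled by hand, which is the record you want when a requester or a vendor later disputes what was done.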

Now you have gotten through 14 steps. It is time to address security.

Security is not equal to privacy; and privacy or CCPA compliance does not equal security. Security is one part of privacy.

One key area of CCPA compliance is preventing data breaches. CCPA or AB 375 states

“Any consumer whose nonencrypted or nonredacted personal information … is subject to unauthorized access, theft, or disclosure … result of the business’ violation of the duty to implement and maintain adequate and reasonable security procedures and practices … may institute a civil action…. recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater…”

California Consumer Privacy Act – AB 375

There are several security procedures and practices. DLP, data loss prevention, is a key tool. Data Loss Prevention includes end point protection and network protection.

15. Prevent data breaches from your endpoints

Why do you need endpoint Data Loss Prevention? As part of CCPA compliance, you need to maintain adequate security to prevent loss or theft of personal information. End points (desktops, laptops, and mobile devices) are vulnerable to data theft or exfiltration. End point DLP provides reasonable security to prevent such data breaches.

Do you deploy anti-virus protection on all your end points? End point Data Loss Prevention is similar in deployment. Here is a sample list of vendors that provide end point DLP.

Contact us to deploy end point DLP for CCPA compliance.

16. Prevent data breaches from within your network

Have you secured the endpoints? Awesome. It is time to pay attention to the rest of your network. Your business needs the ability to proxy, classify, and prevent any unauthorized exfiltration. Benefits of network Data Loss Prevention include:

  • Control traffic on email, HTTP(S), (s)FTP, webmail, web apps, and more
  • Control clear as well as SSL based applications
  • Enforce policies
  • Reduce false positives
  • Prevent insider threats as well as threats from bots
  • Provide forensics where required

Here is a small list of network Data Loss Prevention solutions:

  1. InfoSecEnforcer
  2. Symantec
  3. Digital Guardian
  4. Force Point
  5. McAfee

Deploying one of the above solutions implies CCPA compliance. You will also have the ability to fend off any civil suits resulting from potential data breaches.

17. Office 365 DLP to prevent breaches from O365

Office 365 is one of the most widely used applications. Deploying end point DLP and network DLP is not sufficient to prevent exfiltration from Office 365.

Why? Because Office 365 is a cloud application and can be accessed using uncontrolled end points. At $2 per user per month, this is an easy deployment and can be completed in less than a week. Depending on your budget, you may just deploy Office 365 DLP and phase in end point DLP and network DLP.

Read more about Office 365 DLP here.

Mobile apps such as FaceApp must address user concerns on privacy and security. FaceApp has gone viral and is now used by nearly 150 million users. That is nearly twice the number of users impacted by Cambridge Analytica. This should be a major privacy concern for users. US presidential campaigns are likely to ban the use of FaceApp or similar apps.

So, the press is really hot about FaceApp because of the Russia connection. Like most entrepreneurs, the founder Yaroslav Goncharov wants the virality but not the privacy questions. He likely did not pay much attention to the privacy policy, until now. See the complete statement from him at the bottom of this article.

Often naysayers say the following:

  • Scaremongering privacy freaks
  • Users trade some privacy for vanity features
  • It is up to Apple, Google, and Facebook to remove apps that violate their policies
  • GDPR / CCPA are over-regulation
  • Press and journalists crush innovation
  • Nearly all mobile apps have a similar privacy policy

Let’s get into this in detail and review the privacy policy of FaceApp. In my opinion, FaceApp’s privacy policy has severe security and privacy risks.

Information collected

FaceApp, like most apps, collects user information provided by the user. They usually keep this information for an extended period of time. I believe the photos collected by FaceApp are valuable data for AI and machine learning; it is likely that the company stores this information. The original uploaded picture is usually considered owned by the user. Any transformation may be considered derivative works and likely owned by FaceApp.

Images and derivative works are highly valuable for AI-based facial recognition, and training the algorithms for facial recognition or other purposes.

The history of edits, modifications, transformations, and other actions provided by FaceApp will also be stored. These are likely considered owned by the company as it is an action done as part of the app. It is very likely that each user is making several modifications to the pictures before they share the final picture with their friends or on social media. Resulting intermediate images are likely considered derivative works owned by FaceApp.

Third-party analytics such as Google Analytics, CloudFlare, and other tracking cookies are used by FaceApp. These analytics may not directly relate the web visit history to the specific user. However, with additional cookies and device identifiers, the company can easily sell/share detailed user information to advertisers. Learn more about tracking cookies and user consent here.

Device identifier information is easy to obtain in mobile apps. It is simply a few lines of code when the app fires up. Any app could create its own device identifiers when first installed. The result is a detailed history of app usage, duration of time spent in the app, what was done, when, and how. This information combined with the user metadata collected is a treasure for advertisers.

To all the naysayers who say – this is typical of any mobile or web app. They are correct. This information collection is similar to other mobile or web apps.

Use of information collected

The main stated purpose of information collection by FaceApp is product enhancements. This is common to other mobile and web apps. Often mobile and web apps collect information to improve the service, enhance features, add new features, highlight useful features, test new features, or fix problems while they occur.

Marketing and advertising: Unlike several popular mobile and web apps, FaceApp expressly states that it uses information to “provide personalized content and information to you and others, which could include online ads or other forms of marketing”. The others could imply anyone, including nation-state actors such as Russia, China, and others.

To all the naysayers who say – why will the company share the data with Russia? See my additional commentary below in jurisdiction.

Automated updates: The information is used for automated updates. While this may look benign, just imagine that FaceApp is constantly connecting to its servers in the background even when it is not being used. The information shared by FaceApp in the background is not visible. This may not directly include location data, but tracking cookies can easily provide proximity data. In my opinion, mobile apps must by default ask for user permission to check for updates and to perform updates.

Sharing of information

We will not rent or sell your information to third parties outside the group of companies which FaceApp is part of, without your consent, except with whom we share it.

FaceApp privacy policy

FaceApp creates an exception with the following:

  • Affiliates of the group of companies they belong to (there is no listing of these companies or the group)
  • Affiliates have similar rights as FaceApp
  • Marketers and advertisers
  • 3rd party advertising partners
  • Ad networks
  • Service providers (usually most mobile and web apps store information with service provider and do not actively share information with service providers)
  • And, if we get acquired, the acquiring company will have all the information

This can be read in two ways. One, that says this is a responsible company and will responsibly share information. Two, if this is not a responsible company or the company gets pushed around they may sell / share / license or otherwise make money whichever way they see possible including licensing the information to nation-state actors (see jurisdiction below).

Data sovereignty and jurisdiction

Why do sovereignty and jurisdiction matter? This is indeed the right question to ask. Let’s compare a viral mobile app from a company in California with this viral mobile FaceApp. Let’s assume they have similar information collection, use, and sharing terms. So, a level field.

For the mobile app in California, existing privacy laws and CCPA come into effect. A side note: current privacy laws could not do much about the Cambridge Analytica scandal, and Facebook got slapped with a small $5 Billion fine for lax compliance. CCPA, similar to GDPR, provides better control to the consumer:

  • Ask for details on how the information is used
  • Ask for details on 3rd party companies information is shared with
  • Ask to be forgotten
  • Ask to not sell information
  • Penalties on data breach or data loss
  • Penalties on non-compliance (up to $7500 per violation)

FaceApp does not have any of the above compliance requirements. Today, FaceApp does not state compliance with any of the privacy laws. To be considered a responsible company with user information, FaceApp must voluntarily incorporate these policies. It must provide an easy way for its users to exercise their privacy rights. Today, FaceApp asks the users to send them an email to exercise the right to be forgotten. This is not sufficient.

We may share information in response to legal requests from jurisdictions outside the United States.

FaceApp privacy policy

Let’s assume the Russian government serves a warrant for user information. Will FaceApp founder(s) risk going to jail vs. fighting for the users’ privacy? For the viral mobile app in California, there is precedent that the company does fight for the privacy rights of users. The state and federal courts do provide protections.

So what’s next

Stop using FaceApp or other apps with similar terms or jurisdictional issues. Use web or mobile apps that have a clear and responsible privacy policy. One that includes a user provision for privacy requests.

Here is a full statement from FaceApp regarding their privacy policy:

We are receiving a lot of inquiries regarding our privacy policy and therefore, would like to provide a few points that explain the basics:

1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.

2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.

3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.

4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.

5. We don’t sell or share any user data with any third parties.

6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.

Additionally, we’d like to comment on one of the most common concerns: all pictures from the gallery are uploaded to our servers after a user grants access to the photos (for example, https://twitter.com/joshuanozzi/status/1150961777548701696).  We don’t do that. We upload only a photo selected for editing. You can quickly check this with any of network sniffing tools available on the internet.

Source: FaceApp


What is CCPA Compliance?

California Consumer Privacy Act or CCPA protects the right to privacy of California residents in accordance with the AB 375 starting Jan 1, 2020. CCPA compliance implies companies, websites, and web & mobile apps taking the following steps:

  • Respond to privacy requests of California residents
    • Provide a privacy request form similar to contact us form
    • Verify privacy requests & automate verification
    • Automate request processing workflow
    • Get approvals for specific requests
    • Provide a way to opt-out of website cookie tracking
  • Secure and safeguard personal information
  • Provide clear, readable privacy notice
  • Provide privacy APIs to (applies to b2b web & mobile apps):
    • Access personal information
    • Delete personal information
  • Modify vendor agreements to include privacy provisions
  • Modify data licensing agreements to include privacy provisions
  • Identify all sources of personal information (past 12 months)
  • Identify all parties with whom you shared personal data (past 12 months)

Does CCPA compliance apply to my business?

The underlying question is: does my business have to spend the money and resources for CCPA compliance? It does if you answer yes to one of the following questions:

  1. Do you own a website that attracts 4200+ unique California residents per month?
  2. Do you own a CRM or email list or other system that has 50,000+ California residents combined?
  3. Do your annual gross revenues exceed $25 Million?
  4. Is at least 1/2 of your annual revenue generated from licensing or selling personal data?

If your answer to any of the above questions is yes, then your business needs CCPA compliance. There is no single, specific approach to CCPA compliance. Like any law, you need to do the minimum required to ensure that you reduce the risk of penalties and lawsuits. There are exceptions. Despite the exceptions, we recommend CCPA compliance because these exceptions have not been tested. For example, a health care provider is likely exempt from CCPA compliance because of HIPAA rules. However, website visitors are not covered under HIPAA (not personally identifiable), but are covered under CCPA. Disclaimer: We are not attorneys and we strongly recommend that you consult your attorney for specific nuances in the law and its compliance.

What are the risks under CCPA?

Lack of CCPA compliance has two drawbacks or risks. One of the risks is from the California Attorney General (AG). The California AG may impose a fine of up to $7,500 per violation. Is it likely that your business attracts these fines? Starting July 2020, the AG is expected to initiate action. The CA legislature has not provided any additional funds to the AG for action. These fines are pooled into a privacy fund, to initiate future actions by authorized prosecutors across California.

The second risk is private right of action by California consumers. In plain English, class action lawsuits. These are highly likely to be triggered because of a data breach. Data breaches are up 54% in the first half of 2019. When your company experiences a data breach, you have to notify your state. It is now publicly available information. The likelihood of a subsequent class action in a California court is very high.

It is a good business practice to protect your business from a data breach. This should be a part of your IT and security budget today. The additional budget you need is for privacy request management. It is clear that automating privacy request processing is the right approach. The first and most inexpensive step is to put up a privacy request form on your website, which will likely cost you less than a few hundred dollars a month. Your business will have nearly 100 days to respond to any advanced privacy requests.

In this guide, you will learn the details of privacy request processing and workflow. Additionally, you will 1) find a list of CCPA privacy request management vendors; 2) evaluate the pros and cons of building your own or using a vendor; 3) find tips and recommendations for workflow automation; and 4) calculate your risk vs. budget for processing privacy requests. After reading this guide, you will be ready to start implementing CCPA compliance.

  • What is CCPA compliance?
  • Do you need to implement CCPA compliance?
  • How to budget for CCPA compliance?
  • How do you choose the vendor?
  • Should you outsource CCPA compliance processing?
  • How much does it cost?
  • Should you extend your security resources for CCPA?
  • Who takes ownership of CCPA compliance – marketing, legal, or IT?
  • What are the steps beyond privacy requests to be fully CCPA compliant?
  • And, learn some tips on data breach prevention…

First a few simple definitions. A privacy request is a request to execute the right to privacy as defined in the CCPA. Another term being used is DSAR – data subject access request. Privacy request is a better term because the request is about privacy including a request for access to data. DSAR is more specific to request for access to personal information. Under CCPA, a requestor is a person who is a California resident. Types of privacy requests and types of requestors are defined in sections below.

CCPA compliance - Privacy requests
CCPA Privacy Request Processing

Step 1: Deploy a Privacy Request Form on Your Website

The first step to addressing privacy requests is to create a privacy request form on your website. This form must have the following fields:

  • Name (required field)
  • Email (required field)
  • Phone number (optional)
  • Type of privacy request (select one from list)
    • Collection purpose (default)
    • Data categories
    • Data sources
    • Access to data
    • Data sold/shared
    • Do not sell
    • Delete data
    • Notice of action
  • Type of requestors (select one from list)
    • Website visitor (default)
    • Customer
    • Partner
    • Job candidate
    • Employee (likely not required, look out for an amendment from CA Legislature)
    • Other
  • Comment (optional)
  • Captcha (to ensure that no bot is sending requests)

We recommend including the request types such as collection purpose, data categories, and data sources. Some companies may provide this information on their web content as default for all visitors. We make this recommendation so that you can better understand your website visitors. Your Chief Marketing Officer will better understand trust levels by knowing whether the requests are for information only or something more. It is likely that most of your requesters are seeking assurance about the use of their personal information. A more advanced privacy program could call these requesters and engage them to improve brand value and trust in your brand. We also recommend including the notice of action request. However, you must consult with your legal team and understand the consequences of this inclusion.

Webform design and deployment is simple. Check this resource to help you create your own privacy request form design.

Step 2: Privacy Request Verification Mechanism

The second step of processing a privacy request is verification. The requestor and the request need to be verified. There are several ways to verify a requestor and the request. Using a captcha or reCAPTCHA in the request form ensures that no bots are used to submit the privacy request.

The first method of verification is email verification. This is one of the most widely used and automated processes. Email verification is about ensuring that the email address is valid. This improves the odds that the email address belongs to a real person. The intent of using email verification is to ensure that a real person receives the email sent as part of the privacy request processing.

As part of the email verification process, the privacy request processing system sends a verification email. Another option is to use an email verification service to check the authenticity of the email address. This ensures that the email can be sent and that there are no delivery issues. Also, this means that there are no spelling mistakes by the requestor at the time of request. Additionally, the domain name is verified. Next, the requestor reads the verification email and is prompted to click on the link to verify the validity of the email address of the request.

The email verification does not specifically verify the authenticity of the name, phone number or the message of the requestor. But, it is the first and an essential step of the process of verifying the privacy request.
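One way to build the verification link described above, as an added example (not code from this guide or from any vendor): an HMAC-signed, expiring, single-use token that binds the request ID to the email address stored with the request. The names `SECRET_KEY`, `issue_token`, `verify_token`, the in-memory `_redeemed` set and the 24-hour lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Assumption: in production the key is loaded from a secrets manager.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of the verification link
_redeemed = set()              # stand-in for a table of already-used tokens


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str, email: str) -> str:
    # The MAC covers the request ID, the expiry and the normalised email, so a
    # token issued for one request or address cannot confirm another.
    msg = f"{body}|{email.strip().lower()}".encode()
    return _b64encode(hmac.new(SECRET_KEY, msg, hashlib.sha256).digest())


def issue_token(request_id: str, email: str, now: Optional[float] = None) -> str:
    """Return the token to embed in the verification link sent to `email`."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL_SECONDS)
    body = f"{request_id}:{expires}"
    return f"{_b64encode(body.encode())}.{_sign(body, email)}"


def verify_token(token: str, stored_emails: Dict[str, str],
                 now: Optional[float] = None) -> Optional[str]:
    """Return the verified request ID, or None if the token must be refused.

    `stored_emails` maps request IDs to the email captured by the form.
    """
    now = time.time() if now is None else now
    try:
        body_b64, signature = token.split(".")
        body = _b64decode(body_b64).decode()
        request_id, expires_text = body.rsplit(":", 1)
        expires = int(expires_text)
    except ValueError:  # malformed token, bad base64 or bad UTF-8
        return None
    email = stored_emails.get(request_id)
    if email is None:
        return None
    expected = _sign(body, email)
    # Constant-time comparison avoids leaking how much of the MAC matched.
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return None
    # Replay protection is keyed on the decoded body, not the raw token string,
    # because lenient base64 decoding lets several strings decode to one body.
    if now > expires or body in _redeemed:
        return None
    _redeemed.add(body)
    return request_id
```

A `None` result leaves the request in its unverified state, so nothing containing personal data is sent to that address.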

The second step of verification is to use SMS verification. This requires that your privacy request form asks for the user’s mobile phone number. The phone number can easily be verified by sending a text message with a verification code. The privacy request system will then ask for the verification code, thereby ensuring that the mobile phone number used by the requestor to present the privacy request is accurate. SMS verification is a widely used process. However, your requestor may not provide their mobile number for the same privacy reasons.

A third step of verification is location verification. Your website visitor’s IP address is easily available in your website analytics tool. You may find ways to identify the IP address. There are several tools or API services that could be used to find the geolocation based on IP address. A more accurate approach would be to include a request for one-time location tracking when the user submits the privacy request. This may be an inaccurate method of location verification. But, this is one way to eliminate requests from outside of California. Your company may have a policy to address all requests without regard to location.

Other verification mechanisms could include one or more of these methods:

  • Ask for a credit card number (do a quick $1 balance authorization on the card and revert it)
  • Piggyback off of a social network site’s verification process
  • Ask the user for their social security number and do auto verification of the number
  • Call the user on the phone number provided by the user and check if they provided the request
  • Ask the user for a copy of their utility bill (with their address)

Your verification system may employ one or many of these methods. It is highly recommended to start simple – email verification. You may follow up with a phone call to the user in case of delete data, access data, or notice of action requests. Ensure that you have the following rules for request verification:

  1. CCPA privacy request once received cannot be modified
  2. Any privacy request received (date & time) must be verified for requestor identity prior to processing
  3. Email verification is a MUST; SMS phone number verification, verification by phone call, and geolocation verification are good to have
  4. ONE verification confirmation is sufficient, while the system or user may request several verifications
  5. Requestor verification status and process applies to all types of requests and all types of requestors
  6. You may assign a request to a request processor before or after request verification
  7. Request processor may start work on a request only after request verification is completed
  8. Do not send any email notification until the email verification is received

Step 3: Email Notification Templates

Email notification templates are required for privacy request management. They make your process consistent and let you scale your request processing. The following table provides a detailed list of templates you require for CCPA compliance privacy request processing.

| # | Type of email notification | When to use the notification | One or many |
|---|---|---|---|
| 1 | Email verification notification | Upon receipt of privacy request | One |
| 2 | Privacy Request acknowledgement | Upon completion of verification | One |
| 3 | Privacy request legal review completed/rejected… | Send to the request processor upon this status | One (internal) |
| 4 | Privacy request processing extension | Sent to the requestor by the request processor | One |
| 5 | Purpose of collecting personal information | Sent to the requestor by the request processor | One |
| 6 | Categories of personal data collected | Sent to the requestor by the request processor | Many (at least one) |
| 7 | Sources of personal data collected | Sent to the requestor by the request processor | Many (at least one) |
| 8 | Personal data access request | Sent to the requestor by the request processor (Attach the data file) | Many (at least one) |
| 9 | Request access to data sold/shared | Sent to the requestor by the request processor (Attach the data file) | Many (at least one) |
| 10 | Request – Do Not Sell My Personal Info | Sent to the requestor by the request processor | Many (at least one) |
| 11 | Request – Delete My personal info | Sent to the requestor by the request processor | Many (at least one) |
| 12 | Privacy request is rejected | Sent to the requestor by the request processor | Many (at least one) |

Step 4: Privacy Request Work Flow Status

As part of processing the CCPA privacy requests, you need to discuss and decide on the workflow and how to maintain the status of the workflow. This is a simple process setup. Let’s make a simple assumption. Your company may receive less than 500 privacy requests a month. This could imply you need a 1-3 person team to process these requests. We recommend the following states for your privacy requests workflow:

  1. Under verification – Implies the request was received and pending verification of the requester
  2. To be assigned – Implies the privacy request process manager is yet to assign the request for processing
  3. Under review – default state once request is verified and assigned
  4. Under legal review – implies that request is sent to legal approver for review with data or files attached (required only for a few requests)
  5. Legal rejected – implies that legal has not approved based on the request and data attached
  6. Legal more information – implies that legal does not have sufficient data to approve the request
  7. Legal approved – implies that request is received from legal as approved
  8. Completed – implies that the requester received an email completing the processing of the request
  9. Rejected – implies that the requester received an email with explanation of rejection of the request

You must ensure that your privacy and legal teams clearly understand and accept these statuses. It is recommended that you review the entire request processing with your privacy and legal team in detail. This ensures that your privacy request pipeline is processed smoothly and in a timely manner.
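The verification rules from Step 2 and the nine workflow states above can be enforced in code rather than by convention. The following is an added sketch, not the guide's or any vendor's implementation; the transition map `ALLOWED` and all class and method names are assumptions, since the guide names the states but not the edges between them.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Status(Enum):
    UNDER_VERIFICATION = "Under verification"
    TO_BE_ASSIGNED = "To be assigned"
    UNDER_REVIEW = "Under review"
    UNDER_LEGAL_REVIEW = "Under legal review"
    LEGAL_REJECTED = "Legal rejected"
    LEGAL_MORE_INFO = "Legal more information"
    LEGAL_APPROVED = "Legal approved"
    COMPLETED = "Completed"
    REJECTED = "Rejected"


# Assumed transition map for the processing phase.
ALLOWED = {
    Status.UNDER_REVIEW: {Status.UNDER_LEGAL_REVIEW, Status.COMPLETED,
                          Status.REJECTED},
    Status.UNDER_LEGAL_REVIEW: {Status.LEGAL_REJECTED, Status.LEGAL_MORE_INFO,
                                Status.LEGAL_APPROVED},
    Status.LEGAL_MORE_INFO: {Status.UNDER_LEGAL_REVIEW},
    Status.LEGAL_APPROVED: {Status.COMPLETED},
    Status.LEGAL_REJECTED: {Status.REJECTED},
}
VERIFICATION_TEMPLATE = "Email verification notification"


class WorkflowError(Exception):
    """Raised when an action would break a verification or workflow rule."""


@dataclass(frozen=True)
class Submission:
    """Rule 1: what the requester submitted cannot be modified once received."""
    name: str
    email: str
    request_type: str
    requestor_type: str = "Website visitor"


@dataclass
class PrivacyRequest:
    submission: Submission
    status: Status = Status.UNDER_VERIFICATION
    verified: bool = False
    assignee: Optional[str] = None
    audit_log: List[str] = field(default_factory=list)

    def _settle(self) -> None:
        # Verified and assigned -> Under review; verified only -> To be assigned.
        if self.verified and self.status in (Status.UNDER_VERIFICATION,
                                             Status.TO_BE_ASSIGNED):
            self.status = (Status.UNDER_REVIEW if self.assignee
                           else Status.TO_BE_ASSIGNED)

    def mark_verified(self, method: str = "email") -> None:
        # Rule 4: one verification confirmation is sufficient.
        self.verified = True
        self._settle()
        self.audit_log.append(f"verified via {method}")

    def assign(self, processor: str) -> None:
        # Rule 6: assignment may happen before or after verification.
        self.assignee = processor
        self._settle()
        self.audit_log.append(f"assigned to {processor}")

    def transition(self, new_status: Status) -> None:
        # Rule 7: the processor may start work only after verification.
        if not self.verified:
            raise WorkflowError("request is not verified")
        if new_status not in ALLOWED.get(self.status, set()):
            raise WorkflowError(
                f"{self.status.value} -> {new_status.value} is not allowed")
        self.status = new_status
        self.audit_log.append(f"status set to {new_status.value}")

    def send_notification(self, template: str) -> bool:
        # Rule 8: before verification only the verification email may go out.
        if not self.verified and template != VERIFICATION_TEMPLATE:
            raise WorkflowError("email not verified; notification blocked")
        self.audit_log.append(f"sent '{template}'")
        return True
```

Terminal states (`Completed`, `Rejected`) have no outgoing edges in `ALLOWED`, so a closed request cannot be reopened without a deliberate code change.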

Step 5: Establish Process for Each Type of Request

As part of this step, it is important to establish a few common elements of processing any of the CCPA privacy requests. A few common process elements include:

  1. Extend the time needed for processing
  2. Send email notification to requester (based on templates)
  3. Preparation of data – collect and collate the personal information of requester

Disclaimer: Please consult your legal team for specific implementation details.

Extension Processing: CCPA requires that a request received must be processed within 30 days. Let’s consider the clock starts upon email verification. (Please consult your legal team on the start of the clock.) This guide helps you process most of the privacy requests within 5 days of receiving a request. CCPA provides you a way to extend your request processing by an additional 70 days. You need to send the process extension notification to the requester before the expiration of the 30 days of initial processing. We recommend you send this process extension email using a standard email template. CCPA allows for one extension only. We recommend using the process extension for 4 requests. These include requests for access to personal data, access to data sold or shared, do not sell, and delete data. Depending on your data and your ability to rapidly query this data, you may need to seek an extension to process these 4 specific privacy requests.
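The extension rules above, as an added example (not part of the original guide): a response clock that starts at email verification, allows a single 70-day extension only if the notice goes out before the initial due date, and a daily triage that flags requests running out of time. Class and function names, the 5-day warning window and the strict reading of "before the expiration" are assumptions.

```python
from datetime import date, timedelta

INITIAL_DAYS = 30    # initial processing window stated in the guide
EXTENSION_DAYS = 70  # additional days granted by the single extension
# Request types for which the guide recommends using the extension
# (enforced here as internal policy, which is an assumption).
EXTENDABLE = {"Access to data", "Data sold/shared", "Do not sell", "Delete data"}


class DeadlineError(Exception):
    """Raised when an extension would break one of the rules above."""


class ResponseClock:
    def __init__(self, request_type: str, verified_on: date):
        # Assumption, as in the guide: the clock starts at email verification.
        self.request_type = request_type
        self.verified_on = verified_on
        self.extension_sent_on = None

    @property
    def initial_due(self) -> date:
        return self.verified_on + timedelta(days=INITIAL_DAYS)

    @property
    def due(self) -> date:
        extra = EXTENSION_DAYS if self.extension_sent_on else 0
        return self.initial_due + timedelta(days=extra)

    def send_extension_notice(self, today: date) -> date:
        """Record the extension notice and return the new due date."""
        if self.extension_sent_on is not None:
            raise DeadlineError("only one extension is allowed")
        if self.request_type not in EXTENDABLE:
            raise DeadlineError(f"policy: no extension for '{self.request_type}'")
        if today >= self.initial_due:
            # Conservative reading: the notice must go out before the initial
            # due date itself.
            raise DeadlineError("notice must be sent before the 30 days expire")
        self.extension_sent_on = today
        return self.due


def triage(clocks: dict, today: date, warn_days: int = 5) -> dict:
    """Bucket open requests (request ID -> ResponseClock) for a daily review."""
    buckets = {"overdue": [], "act_now": [], "on_track": []}
    for request_id, clock in sorted(clocks.items()):
        days_left = (clock.due - today).days
        if days_left < 0:
            buckets["overdue"].append(request_id)
        elif days_left <= warn_days:
            buckets["act_now"].append(request_id)
        else:
            buckets["on_track"].append(request_id)
    return buckets
```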

Sending Emails: The final objective of CCPA privacy request processing is sending one or more messages to the requester. Sending emails is the easiest. The key part of request processing is requester verification. The requester email must be verified using an email verification process. Additionally, sending email is inherent to the workflow process. Sending personal data to the wrong person will be considered a data breach. Such a data breach is subject to an action by the requester.

Data Preparation: Nearly all CCPA privacy requests require personal data of the requester to be available. It is important to ensure that you have the ability to query, collect, and collate all the data associated with the requester. We shall cover data collection and collation in another guide. For setting up CCPA privacy request processing, you need the data file for the requester. You may use email address, phone number, name, or other search criteria for querying.

Processing Privacy Requests for Collection Purpose, Data Categories, & Data Sources

These three privacy requests are similar in processing. Each of these three CCPA privacy requests can be completed in a few steps or actions:

  1. Requester verification is completed
  2. Send email acknowledgement to the requester – request received
  3. Call the requestor (optional) to confirm the request received
  4. Get requester data for the past 12 months and attach it to the request
  5. Review requester data for collection purpose/data categories/data sources (action)
  6. Email requester the appropriate email template for collection purpose/data categories/data sources (action)
  7. Close the request as completed

Your company may have several email templates depending on the type of requestor or type of data sources/data categories/data sources. Or, you may also have one generic email template for each of the privacy request type. It is better for the company to have different templates for different types of requesters (purpose/categories/sources may change for each type of requester). Another alternative is to provide generic collection purpose / data sources / data categories information on your website. We strongly recommend specific request processing. This approach provides a way to engage your request stakeholders.

Processing Privacy Request for Access to Data

The CCPA privacy request for access to personal information can be completed in several steps and actions:

  1. Requester verification is completed
  2. Send email acknowledgement to the requester – request received
  3. Call the requestor (optional) to confirm the request received
  4. Check if this is a valid request
  5. Check if a similar request was received from the same requester in the past 12 months
    • You are required to process a request every 6 months. This could imply that you could process 2 requests each year. We recommend that your company keep track of number of requests received from a specific requester. And it is recommended to track several requests including request for access to data, request to delete data, request to access data shared/sold, or request not to sell data.
    • If a delete data request was received in the past 12 months, the company may send a notification to the requester that delete data request was processed in the past 12 months.
    • If number of requests are in order, then continue with the next steps.
  6. Get requester data for the past 12 months and attach it to the request
  7. Review requester data and note any abnormal patterns (action)
  8. Send the request including the data and the notes for legal review (action)
  9. Get an approval from the legal reviewer
  10. Email requester the appropriate email template for access to personal data and attach the data approved by legal reviewer
  11. Close the request as completed

Your company may have several email templates depending on the type of requestor for personal information access. Or, you may also have one generic email template for each of the privacy request type. It is better for the company to have different templates for different types of requesters. You should have the ability to collate and collect the personal information of the requester.

Personal information access is a very tricky area. CCPA has expanded the definition beyond personally identifiable information. For example, if a visitor to your company website requests data, then it is imperative that you collate all the website statistics for this specific visitor. Website statistics collected by most companies do not have any personally identifiable information. However, under CCPA it is personal information associated with a cookie id of the visitor.

Processing Privacy Request for Data Sold/Shared

The CCPA privacy request for access to personal information that is sold or shared is similar to the privacy request for personal information access discussed in the section above. The only difference is in the collation of data from multiple data stores of the company. Your company must have a way to quickly identify if this data is licensed to a third party. CCPA does not require you to share who the data is licensed/sold/shared with. It is unclear if data hosted with a third party service provider is considered to be part of data shared/licensed. We recommend that hosting data with a third party service provider need not be considered as part of this privacy request. Disclaimer: we are not your legal team, please seek appropriate legal advice.

Processing Privacy Request for Do Not Sell

The CCPA privacy request for do not sell my personal information is similar to the privacy request for personal information access discussed in the section above. There are several major differences:

  1. Do not attach the data collated as part of the response to the requester.
  2. Identify a way to mark the data for the specific requester and the date of the request.
  3. What if the data was already sold?
    • There is no need for the company to retroactively inform the licensors
    • The request is for any future sale/sharing of the data of this specific requester
  4. At the end of 12 months from the date of this type of request you may sell/share this data. CCPA does not specify any limitations. Disclaimer: Please consult your legal team.

Processing Privacy Request for Delete Data

The CCPA privacy request for delete my personal information is similar to the privacy request for personal information access discussed in the section above. There are several major differences:

  1. Controversial: Delete data does not imply no new data collection. We are of the view that a request to delete data does not imply that your company needs to stop data collection. You may continue data collection from various sources. CCPA has a specific provision about opt-out of data collection. This is a topic for cookie management. As part of cookie management and cookie opt-out, you may still do some essential data collection.
  2. You may not delete data that is necessary to service any future requester requests. For example, if the requester is a customer, invoice or payment information may not be deleted. You may need that customer information for returns processing, or as part of other compliance.
  3. Do not attach the data collated as part of the response to the requester.
  4. Identify a way to mark the request for data deletion.
  5. We are of the view that data collated as part of request processing may be retained. This is required for audit and compliance purposes.
  6. What if the data was already sold?
    • There is no need for the company to retroactively inform the licensors about data deletion
    • The request is for any data with the company
  7. Starting immediately after processing the request, you may collect new data for this requester. Disclaimer: Please consult your legal team.

Processing Privacy Request for Notice of Action

The CCPA privacy request for notice of action is not a necessary type of request under CCPA. We recommend this request type. This is useful because this is a way for you and your legal team to be prepared for any inconsistencies in request processing or potential future compliance actions. Processing this request is quite simple:

  1. Requester verification is completed
    • We do not perceive email verification of the requester is an acknowledgement of the request
    • Please ensure that your email verification notification to requester does not indicate acknowledgement of any requests
  2. Do NOT send email acknowledgement to the requester
  3. Collate all the data of the specific requester
  4. Collate all requests received from the specific requester
  5. Consolidate all this information and the request and send it to your legal reviewer
  6. If you receive legal approval, you may then send an acknowledgement to the requester
    • Your company may have legal policies on notice acknowledgements

List of Vendors that Provide Privacy Request Processing

Here is a list of vendors that provide software and systems for CCPA privacy request management:

  1. InfoSecEnforcer.com
  2. OneTrust.com
  3. TrustArc.com
  4. Clarip.com
  5. Privaci.ai
  6. Truyo.com
  7. Wirewheel.io
  8. Sourcepoint.com

Cost to Build Your Own Privacy Request Processing

It is expensive to build your own privacy request processing tool. It may be inexpensive to build it once. However, we expect CCPA to change over the next several years. This would imply that you need to have your team make these changes constantly. These continued long-term changes will prove to be expensive.

Most of the above listed vendors provide low-cost tools. We recommend InfoSecEnforcer, a free tool for privacy request processing.

A common and misunderstood aspect of CCPA is about website cookies. CCPA requires you to ensure that you manage the data collected using website cookies. This data is to be considered as personal information. As such, your company must be able to identify this data with the visitor and respond to privacy requests from the consumer. Nearly all such requests need access to the data, and your 3rd party cookie vendor should include that ability. Engage your vendor for CCPA compliance.

Cookies and consumers

Companies and websites use cookies. Cookies are placed by the website to recognize your browser and remember information specific to your browsing habits. Cookies are specific to the website. When you visit that website again, the cookie will track your browsing habits and the company is aware of your history of visits on their website(s). A company could use its own cookie, also called a first-party cookie, or alternately a company could use a third-party cookie service.

Technically there are only two types of cookies. First is a session cookie. Session cookies live a short life and die when you close the browser. When a website uses a session cookie each visit is treated as a new visit. Second is a persistent cookie. Persistent cookies are stored on your computer and their life is set by the website. Websites use persistent cookies for different purposes:

  1. Essential cookies – this type of cookie is used for basic features to work on the website. Examples of basic features include sign-in, sign-up, loading images, enabling selection of preferences, and so on.
  2. Functional cookies – this type of cookie is used so the website can do analysis of website usage. Examples of functional use include performance improvements, better user experience, optimizing image load or video performance, and so on.
  3. Advertising cookies – this type of cookie is mainly used for advertising purposes. This enables the website to display ads that are relevant to the specific visitor. Examples of advertising functions include data sharing with advertisers, social sharing, return visit tracking, and so on.
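To make the session/persistent distinction and the three purposes concrete, here is an added example (not from the original article) that audits `Set-Cookie` headers: it classifies each cookie by lifetime and applies an opt-out by letting only essential cookies through. The sample headers are constructed, and the `PURPOSE` inventory and function names are assumptions; a cookie's purpose cannot be read from the header, so the site owner has to maintain that mapping.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers (not captured from a real site).
SAMPLE_SET_COOKIE = [
    "sid=abc123; Path=/; HttpOnly; Secure",
    "prefs=lang%3Den; Max-Age=31536000; Path=/",
    "_stats=v1.111; Expires=Wed, 01 Jul 2026 00:00:00 GMT; Path=/",
    "ad_id=xyz; Max-Age=7776000; Domain=.ads.example; SameSite=None; Secure",
    "old_promo=; Max-Age=0; Path=/",
]

# Assumed cookie inventory maintained by the site owner.
PURPOSE = {"sid": "essential", "prefs": "essential",
           "_stats": "functional", "ad_id": "advertising"}


def parse_set_cookie(header: str, now: datetime) -> dict:
    """Classify one Set-Cookie header as session, persistent or deleted."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    expires_at = None
    try:
        if "max-age" in attrs:  # Max-Age wins over Expires when both are set
            expires_at = now + timedelta(seconds=int(attrs["max-age"]))
        elif "expires" in attrs:
            expires_at = parsedate_to_datetime(attrs["expires"])
            if expires_at.tzinfo is None:
                expires_at = expires_at.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError, OverflowError):
        expires_at = None  # unparseable lifetime: treated as a session cookie

    if expires_at is None:
        kind, lifetime_days = "session", None
    elif expires_at <= now:
        kind, lifetime_days = "deleted", 0  # the server is clearing the cookie
    else:
        kind, lifetime_days = "persistent", (expires_at - now).days
    return {"name": name, "kind": kind, "lifetime_days": lifetime_days,
            "purpose": PURPOSE.get(name, "unknown")}


def audit(headers, now: datetime) -> list:
    """Return one classification record per Set-Cookie header."""
    return [parse_set_cookie(h, now) for h in headers]


def allowed_after_opt_out(headers, now: datetime) -> list:
    """Names of cookies that may still be set once a visitor opts out.

    Only essential cookies pass; cookies missing from the inventory fail
    closed so that an unclassified tracker is not set by accident.
    """
    return [c["name"] for c in audit(headers, now)
            if c["purpose"] == "essential" and c["kind"] != "deleted"]
```

The `lifetime_days` column is also useful for a privacy notice: it is the retention period a visitor would ask about for each persistent cookie.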


Personal information tracked with cookies

Cookies are simply identifiers with an expiration date. A cookie does not contain any personal information when created. It does not have any personally identifiable data. It does not scan your computer, browser data, or browser history. Most websites collect personal information only when you provide it on a form. Any information a cookie stores is usually encrypted. The website server is aware of the information coded in the cookie. The server is aware of any information you provide. As a result of how the internet works, the server is also aware of your potential location, time of visit, your IP address, your service provider, length of your visit, web pages you visited, clicks, frequency of clicks, your search terms, and so on. All this information may not be considered personally identifiable information. This is personal information under CCPA (California Consumer Privacy Act).

A web server can use third party tools to profile you. Marketers could collate data from multiple websites and create your unique profile. This is often called web profiling. This helps marketers target specific ads. For example, when you search for running shoes on a website and moments later you visit an ecommerce site, it is likely that you will be served an advertisement for running shoes. Another example would be when you visit a website called xyz.com, and you start browsing other sites, you may be served ads for xyz.com.

Profiling with cookies and consumer privacy

Profiling using cookies is an essential tool for marketers. It is powerful and helps them spend advertising dollars effectively. Marketers can specifically target users based on the products they are likely to purchase. However, profiling can be malicious and could be used by trolls. Cookies can help in many other ways.

As a consumer you cannot prevent profiling. You could take precautions to protect your privacy. For example, you may use free browser extensions or 3rd party applications such as Ghostery to identify companies using cookies. And, you may also install CCleaner that helps in session and cookie cleaning. A simpler approach is to configure your browser to prevent cookies from untrusted sites. Chrome browser provides several advanced privacy settings. We recommend that you explore these settings.

Chrome has several options that you could explore in site settings. This option allows you to set permissions for specific site without changing default settings. You may use this to browse trusted sites and untrusted sites in a different way.

You may explore cookie settings options in your Chrome or other browsers. This may help you prevent profiling. Additionally most browsers also provide a list of cookies by website and the estimated amount of data stored in relation to that cookie.

State of cookies prior to CCPA

A study by advertising firms in 2018 examined 5 billion page impressions. This study states that users on web browsers block over 60% of cookies, and users on mobile devices reject over 70% of cookies. They use tools and built-in browser settings to actively block cookies. Consumer awareness of the privacy risks of cookie tracking is at an all-time high, a substantial improvement over the past 2 decades.

The General Data Protection Regulation (GDPR) came into effect in 2018. This meant that websites had to change their privacy policies, cookie management policies, and more. GDPR and the EU ePrivacy directive require that your website visitors provide consent before the website deploys tracking cookies. Additionally, this consent must be saved. As a result, many websites deployed cookie consent management on their sites. Today, a website visitor seeks a familiar cookie consent banner. GDPR regulation of cookies implies:

  • Transparency of cookie policy – A visitor to the website must be given a clear view of the use of cookies in clean and understandable language. This implies that websites cannot hide behind a legal privacy policy statement, which visitors or users often overlook.
  • Personally identifiable information – A visitor may or may not provide directly identifiable information. However, an individual may be singled out by a combination of data collected for the regulation to apply.
  • Accountability for cookies on the site – A website is accountable for all the data collected. The company is accountable for the safety, processing, and storage of collected data. This is more difficult to manage. Websites often apply 3rd party cookies, and data processing by 3rd parties should be more carefully managed.
  • Opt-in cookie consent – A visitor must be provided a clear choice to opt-in or reject tracking using cookies. This choice must be obtained before any cookies can start collecting data.
  • Manage consent – A visitor must have the ability to change (reject or accept) their consent. Additionally, a website must ask the visitor to update consent every 12 months. And, each such consent must be recorded for future reference.

GDPR set the stage for how cookies should be managed on websites. Several large companies that operate in the EU have taken steps to apply these cookie management settings globally. The GDPR did not apply to millions of California websites. The EU barely has resources to regulate within its own jurisdiction. Awareness had built up for change in California. Result – CCPA (California Consumer Privacy Act).

Right to privacy in California

The California state Constitution gives each citizen a right to pursue and obtain privacy – Article 1, Section 1. Several other state and federal laws protect the privacy of individuals. You may review a list of privacy laws that apply in California here.

Why the CCPA – California Consumer Privacy Act?

Officially AB-375, the California Consumer Privacy Act is intended to hold companies accountable for the use of consumer data. Beyond privacy, consumers have the right to control their data and its use. CCPA (California Consumer Privacy Act) is intended to provide the consumer the right to control what happens to their personal information. Consumers are now expected to have certain enforceable rights about their personal information:

  • Right to know what information is collected
  • Right to know if their data is sold or shared
  • Right to know 3rd parties that have access to their data
  • Right to say no to the sale of their data
  • Right to be forgotten
  • Right to have access to data
  • No discrimination upon exercise of rights
  • and more…

State of cookies after CCPA

The California Consumer Privacy Act (CCPA) introduces stricter provisions for companies processing personal information of individuals. For example, any data collected by cookies can be seen as personal information and therefore fall under the CCPA (California Consumer Privacy Act). For those already compliant with the GDPR, this may be an easy change to adapt to. The European regulation requires similar changes for the cookie policy.

  • Clear disclosure of cookie policy – A visitor to the website must be given a clear view of the use of cookies in clean and understandable language. Under CCPA (California Consumer Privacy Act), websites cannot hide behind a legal statement, which visitors often overlook.
  • Personal information – A visitor may not provide directly identifiable information. However, any information collected using cookies shall be considered personal information under CCPA (California Consumer Privacy Act).
  • Cookies on the site – A website is accountable for all the data collected. The company is accountable for the safety, management, and storage of collected data. Websites that use 3rd party cookies must be able to manage the data collected.
  • Know your 3rd party vendors – Cookies on a website are mostly from 3rd party vendors. It is critical to ensure that your vendor agreement clearly has data protection and CCPA compliance clauses.
  • Opt-out of sale of personal information – A visitor must be provided a clear choice to opt-out of sale of personal information. The opt-out choice should be clear and easy to find. This opt-out of sale refers to all data.
  • Manage opt-out and opt-in of sale of personal information – A visitor must have the ability to change (reject or accept) their consent. And, each such consent must be recorded for reference.

Cookie policy changes

As part of CCPA (California Consumer Privacy Act), websites and companies need to be transparent in their use of cookies. They must have a clear disclosure of the use of cookies. Such disclosure may include data collected as part of the cookies. CCPA does not require prior consent for the use of cookies. However, there is a requirement of clear disclosure. Additionally, there is a requirement to provide the visitor an ability to opt-out of cookie usage. Websites and companies need to modify their cookie policy to reflect these changes.

Under CCPA (California Consumer Privacy Act), different types of cookies have separate treatment. Essential cookies are required for the proper operation of the website. Websites are not required to provide the ability to opt-out of essential cookies. It is advisable to disclose their use, but not required to allow visitors or users to disable essential cookies.

Functional cookies are used for multiple functions and potentially for web tracking. Some of these cookies may be required for the performance of the website, while other functional cookies may be optional. Under CCPA (California Consumer Privacy Act), websites are required to provide the visitor an ability to opt-out of some functional cookies. Websites should place a clear description of each type of cookie used, how many cookies are used for each type, and the option to opt-out of anything that isn’t mandatory for the website to function. These cookies may be first party or 3rd party cookies. While the letter of the CCPA act is not specific, the provisions of the act imply clear disclosure. Disclosure must include how cookies collect and use data, and the ability to opt-out of non-essential cookies.

Clearly, advertising cookies fall under the purview of non-essential cookies. These may be first party or 3rd party cookies. Under CCPA, data collected must be protected and you must be able to provide access to this data to consumers upon request.

Consent management (A good practice and not necessary under CCPA)

Websites must start to implement clear consent management. We recommend consent management for all websites. Such consent management should have the ability to opt-out. Opt-out consent management does not adversely impact the way websites do business today. Typically, most companies that use email marketing have already incorporated consent management. Websites need to extend this to their website visitors.

Companies now need to manage consent across all functions. Websites need to track visitor cookie preferences. CCPA is clear about opt-out consent for adults. It is also clear about opt-in consent for children and young adults. However, it is still unclear on how to implement both types of consent for different types of visitors. We expect to provide an update when this clarity emerges. Finally, websites need an integrated consent management system that also includes the ability to share consent with 3rd party partners.

A consent management system must also have an additional capability. It should be able to recognize the visitor across the multiple devices that the visitor uses and be able to track consent across devices. This implies deploying advanced cookie tracking capabilities across multiple devices including mobile, tablets, and computers.
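The cookie categories and recorded opt-out decisions described above can be enforced on the server before any cookie is set. The following is an added example, not part of the original article: the cookie names, the `isMinor` flag, and the in-memory ledger are assumptions made for illustration, and treating minors as opt-in is one possible reading of the adult/child distinction mentioned above.

```javascript
// Constructed cookie inventory (names are made up for this example).
const COOKIE_CATALOG = [
  { name: "session_id",  category: "essential",   party: "first", required: true },
  { name: "lang_pref",   category: "functional",  party: "first", required: false },
  { name: "ab_bucket",   category: "functional",  party: "third", required: false },
  { name: "ad_track_id", category: "advertising", party: "third", required: false },
];

// Append-only consent log: every change is kept so it can be produced later.
class ConsentLedger {
  constructor() { this.entries = []; }

  record(visitorId, category, optedOut, when = new Date()) {
    if (category === "essential") {
      throw new Error("essential cookies have no opt-out");
    }
    this.entries.push({ visitorId, category, optedOut, at: when.toISOString() });
  }

  // Latest recorded decision for a visitor and category, or null if none.
  latest(visitorId, category) {
    for (let i = this.entries.length - 1; i >= 0; i--) {
      const e = this.entries[i];
      if (e.visitorId === visitorId && e.category === category) return e;
    }
    return null;
  }
}

// Decide which catalogued cookies the server may set for this visitor.
// Adults: opt-out model (allowed until they opt out).
// Minors (assumed flag): opt-in model (blocked until they opt in).
function cookiesToSet(ledger, visitorId, { isMinor = false } = {}) {
  return COOKIE_CATALOG.filter((c) => {
    if (c.required) return true;               // needed for the site to work
    const decision = ledger.latest(visitorId, c.category);
    if (decision === null) return !isMinor;    // default depends on the model
    return !decision.optedOut;
  }).map((c) => c.name);
}
```

Because the ledger only appends, a visitor who opts out and later opts back in leaves both decisions on record, with the latest one governing which cookies are set.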

Cookie banner

CCPA does not have a requirement on cookie banners and their usage. However, it does have a clear requirement for a ‘Do not sell my personal information’ link on the home page. There is a need to provide clear consent management. We recommend that websites do not use a cookie banner. We also recommend that websites place a clear link on their home pages to manage cookie preferences. This differs from how GDPR compliance uses cookie banners. For technical reasons or reasons of consistency, you may use a cookie banner for both.

In conclusion, CCPA has several requirements about cookies and consent management:

  • Clear and easy to understand cookie policy
  • Detail of each cookie used and its purpose
  • Collect, manage, store, and secure personal information collected using cookies
  • Manage 3rd party vendors for CCPA compliance and data protection
  • Track consent across multiple devices (see household requirement under CCPA)
  • No requirement for cookie banner
  • Recommend placing a link on home page for consent management (a good practice, not a CCPA requirement)

Some useful links