The California Consumer Privacy Act (\u201cCCPA\u201d) applies to all \u201cbusinesses\u201d that collect \u201cpersonal information\u201d from California residents, if the business meets at least one of the following criteria:<\/p>\n\n\n\n
\u201cPersonal information\u201d is defined broadly as \u201cinformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.\u201d That includes a vast array of data like:<\/p>\n\n\n\n
Consumer Rights & Covered Business Obligations Under CCPA<\/strong><\/p>\n\n\n\n The CCPA provides consumers with a variety of new rights relating to the collection, use and disclosure of their personal information, as well as the right to opt-out of the sale of their personal information, the deletion of their personal information, and protection from discrimination in the event that a consumer exercises any rights under the CCPA. The statute also imposes new obligations on businesses in relation to consumer rights created by the statute. The rights and obligations may be summarized as follows:<\/p>\n\n\n\n The Right to Know.<\/span> Consumers have a right to know, specifically, what personal information is collected from them; the categories of information collected; the categories of sources from which the information is collected; what information of theirs has been sold, as well as the business purpose for selling the information; and what information has been disclosed to third parties.<\/p>\n\n\n\n Covered businesses must make available to consumers two or more designated methods for submitting requests for information including, at a minimum, a toll-free telephone number, unless the business operates exclusively online and has a direct relationship with the consumer, in which case it is required to provide only an email address for submitting requests. If the business maintains an Internet website it must provide a form on the site that consumers can use to submit requests for information.<\/p>\n\n\n\n Covered businesses must comply with \u201cverifiable consumer requests\u201d from consumers about the collection, sale, and disclosure of their personal information. A \u201cverifiable consumer request\u201d is a request (i) made by a consumer, (ii) a consumer on behalf of a minor child or (iii) an authorized agent of the consumer, that allows a business to reasonably verify the consumer\u2019s identity. Businesses must comply with verifiable requests within 45 days of receipt of the request, and the disclosure must cover the 12- The Right to Delete.<\/span> Consumers have a right to require businesses to delete all personal information that has been collected from them, except in certain circumstances where the information is needed to complete a transaction or provide a good or service; fulfill a warranty or product recall; detect fraudulent or illegal activity; exercise free speech; and comply with legal obligations, among other exceptions. Upon the receipt of a request to delete the business must also notify its service providers that maintain the consumer\u2019s data and instruct those service providers to delete the consumer\u2019s data. <\/p>\n\n\n\n If a consumer exercises the right to delete his or her information, the business is prohibited from discriminating against the consumer and must offer to such a consumer the same quality of goods and services at the same prices offered to consumers who do not request that their data be deleted.<\/p>\n\n\n\n Opt-Out; Right to Prohibit Sale of Information.<\/span> The CCPA grants consumers the right to prohibit the sale of their personal information to third parties. <\/p>\n\n\n\n Covered Businesses must provide notice of the opt-out right by posting a clear and conspicuous link entitled \u201cDo Not Sell My Personal Information\u201d on their websites. Covered Businesses must honor consumer opt-outs and must wait at least 12 months before seeking re-authorization to sell their personal information. <\/p>\n\n\n\n If a consumer exercises the right to opt out, the business is prohibited from discriminating against the consumer and must offer to such a consumer the same quality of goods and services at the same prices offered to consumers who do not opt out.<\/p>\n\n\n\n Consumer Opt-In for the Sale of Personal Information of Minors:<\/span> The personal information of minors under the age of 13 may be sold only if the consumer\u2019s parent or guardian has authorized (opted-in to) the sale. For minors aged 13-16, affirmative authorization is also required, but the minor consumer may provide the authorization.<\/p>\n\n\n\n NOTE:<\/strong> The CCPA does not restrict a covered businesses\u2019 right or ability to (i) comply with federal, state, or local laws, (ii) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; (iii) cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law; (iv) exercise or defend legal claims or (v) collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.<\/p>\n\n\n\n Steps to Compliance<\/strong><\/p>\n\n\n\n Post a CCPA-Compliant Privacy Policy.<\/span> The CCPA requires covered businesses to post a notice to consumers \u201cat or before the point of collection\u201d that identifies the categories of personal information collected by the business and describes purposes for which personal information is used. In other words, the business must post a CCPA compliant privacy policy on its website or mobile app or other location where personal information is collected.<\/p>\n\n\n\n Post Toll Free Number, Opt-Out Link and Request Form.<\/span> Post a toll free telephone number (if required) that consumers may call to request information, and post a clear and conspicuous link on the businesses\u2019 site entitled \u201cDo Not Sell My Personal Information\u201d that links to a page on the site where consumers may submit a form to (i) opt-out of having their information sold to third parties, (iii) delete their personal information, (iv) exercise the right to access their personal information and (iv) opt-in to the sale of Data Mapping for California Residents.<\/span> Businesses should create a data mapping strategy and methodology for California residents that identifies the type of information collected, categories of information collected, sources from which information is collected, reasons the information is collected, where the information is stored, categories of information that is disclosed to third parties, the identities of third parties to whom data is disclosed, the means by which the data is transferred to third parties, and the identities of products and devices with which a consumer\u2019s information is associated. Unless there is a need to interact with minor consumers, the best practice when collecting information is to utilize software that prevents a person under the age of 18 from creating an account, making a purchase or otherwise interacting with the businesses\u2019 site.<\/p>\n\n\n\n Implement Protocols to Protect Consumer Rights.<\/span> Covered businesses must implement means to accept, track and respond to customer requests seeking knowledge of, access to or deletion of consumer data, as well as a process that allows a business to reasonably verify the consumer\u2019s identity (the \u201cverifiable request\u201d) prior to responding to the request. Businesses should also have in place a process to identify whether any use of data constitutes a \u201csale\u201d of data (e.g., transfer of the data in exchange for consideration). Processes should be implemented to determine whether personal information is covered by HIPAA or other applicable law that would exempt the data from the scope of the CCPA.<\/p>\n\n\n\n Security Updates.<\/span> Covered businesses are required protect personal information with \u201creasonable\u201d security. All databases and other places where personal information is collected and stored should utilize industry standard encryption and other security features.<\/p>\n\n\n\n Training.<\/span> Covered businesses must provide CCPA compliance training for their employees. Another option is to use a third party to assist with compliance.<\/p>\n","protected":false},"excerpt":{"rendered":" The California Consumer Privacy Act (\u201cCCPA\u201d) applies to all \u201cbusinesses\u201d that collect \u201cpersonal information\u201d from California residents, if the business meets at least one of the following criteria: \u201cPersonal information\u201d is defined broadly as \u201cinformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with […]<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-templates\/full-width.php","meta":{"footnotes":""},"class_list":["post-4114","page","type-page","status-publish","hentry"],"yoast_head":"\n
month period preceding the business\u2019s receipt of the request. If the consumer maintains an account with the business, the business must provide responsive information through the consumer\u2019s account. If the consumer does not maintain an account, the business must provide the response via regular mail or electronically at the consumer\u2019s option. All responsive information must be in a readily useable format that enables the consumer to transmit it from one place to another without the data losing its readability. A business is required to comply with verifiable requests no more than twice in any 12-month period. All responses must be provided to the consumer free of charge.<\/p>\n\n\n\n
information for certain minors. The telephone and website forms must have a means to properly verify that the person submitting the request is who he or she claims to be.<\/p>\n\n\n\n