Privacy rights requests challenge organizations to deliver an optimized process to help consumers take control of their information.
The California Consumer Privacy Act (CCPA) creates a similar privacy right to the General Data Protection Regulation (GDPR), requiring organizations to receive, review, fulfill, and respond to a request from a “consumer” as defined by the law. The CCPA also creates a few new consumer rights for organizations to manage.
In the final part of our CCPA blog series, we discuss consumer rights management, including the sale of personal information, the creation of and adherence to opt-out measures, and proper protocol following an opt-out period, among other imperative items.
Ultimately, an organization has to be able to respond to a consumer’s request, which can range from disclosing the consumer’s personal information, to deleting the personal information, to informing third parties they must delete a consumer’s personal information. In addition, if the organization sells the consumer’s personal information it may have to take certain steps to properly respond to a consumer’s request in accordance with the CCPA.
Unlike the GDPR, the CCPA requires an organization to “make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an internet web site, a web site address.” [1]
After the receipt of a consumer’s request, an organization has 45 days to verify the request and deliver the information or inform the consumer that it will not take action. An organization that delivers the requested information must provide it to the consumer free of charge, in a readily usable format, and to the account the consumer holds with the business. If the consumer does not hold an account, the organization can send the information by mail or electronically.
Organizations that were subject to GDPR compliance may be able to leverage GDPR efforts to satisfy CCPA obligations. As discussed in “How to conduct data inventory and data mapping,” Article 30 of the GDPR required businesses to keep a record of all activities that collect, use, store, or process personal information. [2] This record allows companies to understand their personal information processes and where personal information can be located for consumer rights and deletion requests, so companies that created a data inventory for GDPR may be able to use it for CCPA compliance. Moreover, organizations that were not required to meet GDPR compliance may want to consider initiating a data inventory for CCPA compliance measures.
[1] California Consumer Privacy Act of 2018 (“CCPA”), Cal. Civ. Code § 1798.130(a)(1), 2018.
[2] Regulation (EU) 2016/679 of the European Parliament, April 2016, O.J. L 119.
Do not sell my personal information
If applicable, a business may have to create a “Do Not Sell My Information” link on its web page and implement procedures to comply with its corresponding requirements. “Do Not Sell My Personal Information” is one of several unique obligations the CCPA introduces. As a result, businesses should take care to review the CCPA as carefully as they did the GDPR.
Organizations can leverage additional GDPR work, not just the data inventory. For instance, organizations can reuse the online forms they built for the GDPR to let consumers submit their initial requests. Because the CCPA seems to focus on making it easy for consumers to exercise their rights, organizations can look to their GDPR choices for consent. By doing that, the organization can continue the goal of allowing the consumer to withdraw consent as easily as she/he gave it. For example, if a consumer initiated their relationship with the business through text message, then they should be able to opt out in a like manner.
In addition, like the GDPR, the CCPA also allows another individual to submit a request on a consumer’s behalf, e.g., by power of attorney or proxy. This is especially important for CCPA compliance, as organizations must have consent from a consumer’s parent or guardian to sell the consumer’s personal information if he/she is under 13.
Overall, businesses can leverage many of the workflows created for GDPR readiness. Below is a sample of the CCPA consumer rights request workflow, inclusive of deletion.
A requirement of the CCPA is the ability to delete customer data at the customer’s request. In order to comply, organizations will need the processes and technology to support the request. Below is an example of a sample workflow.
CCPA workflow considerations
When consumers exercise their CCPA right to opt out of the sale of their personal information, organizations must refrain from selling personal information collected by the business about the consumer for a 12-month period. Afterwards, an organization can reengage the consumer with an offer to update their opt-out status. Under the CCPA, organizations can consider incentives to welcome consumers back and put mechanisms in place to provide assistance.
As mentioned, organizations also have third-party responsibilities. They must identify the vendors with whom they shared personal information and then verify that these service providers use it in a way that complies with opt-out requests under the CCPA. Organizations also must ensure the vendor can support data access and deletion requests and receive a confirmation from the service provider of its ability to do so. These additional measures should be added to an organization’s workflow in order to comply with the 45-day requirement. Also, any personal information collected from the consumer in connection with the submission of the opt-out request can only be used for the purpose of complying with that request.
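As an added illustration (not part of the original post and not KPMG tooling), the following Python sketch models the bookkeeping the workflow above implies: the 45-day response window from receipt, deletion confirmations from each service provider before a request counts as fulfilled, and the 12-month suppression of sales after a “Do Not Sell” opt-out before a consumer may be reengaged. Class and method names are assumptions; the 12-month period is modelled as the same calendar day one year later.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_WINDOW = timedelta(days=45)    # respond within 45 days of receipt

def twelve_months_after(d: date) -> date:
    """Same calendar day one year on; 29 Feb falls back to 28 Feb (assumption)."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)

@dataclass
class DeletionRequest:
    consumer_id: str
    received: date
    vendors: frozenset          # service providers holding this consumer's data
    verified: bool = False      # identity verification completed
    confirmed: set = field(default_factory=set)

    def deadline(self) -> date:
        return self.received + RESPONSE_WINDOW

    def confirm_vendor(self, vendor: str) -> None:
        # only a vendor that was actually sent the request can confirm deletion
        if vendor not in self.vendors:
            raise ValueError(f"{vendor} was never sent this request")
        self.confirmed.add(vendor)

    def status(self, today: date) -> str:
        if not self.verified:
            return "pending-verification"
        if self.vendors - self.confirmed:   # a vendor has not confirmed deletion yet
            return "overdue" if today > self.deadline() else "awaiting-vendors"
        return "fulfilled"

class OptOutRegistry:
    """'Do Not Sell' opt-outs and the 12-month wait before reengagement."""
    def __init__(self) -> None:
        self._opt_outs: dict[str, date] = {}

    def record_opt_out(self, consumer_id: str, on: date) -> None:
        self._opt_outs[consumer_id] = on

    def sale_allowed(self, consumer_id: str) -> bool:
        return consumer_id not in self._opt_outs   # blocked until the consumer opts back in

    def reengagement_due(self, today: date) -> list[str]:
        # consumers past the 12-month period who may be offered a chance to update their status
        return sorted(c for c, on in self._opt_outs.items() if today >= twelve_months_after(on))
```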
Comply and thrive with data protection strategies
Despite the possibility for delayed enforcement until July 2020, the CCPA will go into effect on January 1, 2020. The time to prepare for California’s new privacy law is now. KPMG can help you integrate data privacy in both practice and strategy. With the right CCPA approach, an organization will not only comply with consumer requests but also thrive by safeguarding their consumer’s personal information in this age of digital disruption.
Learn more about CCPA
Explore the many areas of overlap and exclusions between GDPR and CCPA in “Driving change.”
In the first part of our CCPA blog series, “Accelerate CCPA readiness through GDPR capabilities,” we discuss how the CCPA defines personal information and how the explanation differs from GDPR’s personal data, along with fundamental synergies and alignment of the two laws.
“How to conduct data inventory and data mapping,” the second part of our CCPA blog series, provides vital insight into the practicalities of personal information collection and the challenges of informal records.
Watch KPMG’s privacy video series on GDPR to get an overview of privacy rights with key lessons and important legal efforts you can leverage for CCPA compliance.