Slide 1: CCPA Free Training Introduction

Hello, I’m Marc Mandel, a technology company general counsel and a co-founder of www.CCPAFreeTraining.com.  In this training course, we will cover the California Consumer Privacy Act, or CCPA, from the perspective of a manager or an employee of a business that is...

Slide 2: Who Should Be Here?

The CCPA requires training for everyone who either handles consumer inquiries or who is responsible for CCPA compliance within a business. That includes your customer care team, your store associates if you have brick and mortar stores, the teams who design your...

Slide 3: The Importance of Privacy

Before we continue, let’s take a moment to consider the importance of privacy laws like the CCPA. The fourth amendment to the American constitution protects our privacy, but only from actions by government and not private corporations.  In this era of big data,...

Slide 4: Course Agenda

The agenda for our course consists of six topics: Notifying consumers about your data collection practices and their CCPA rights What infrastructure you need to accept consumer requests How to verify requests before you respond to them  When and how to respond to...

Slide 5: Notifying Customers About Privacy Rights

The CCPA provides privacy rights to quote unquote “consumers,” meaning any resident of California. While businesses may deny CCPA rights to residents of other states, as of March 2020, a Nevada privacy statute provides an opt-out right similar to the CCPA, and about a...

Slide 6: What Personal Information is in Scope for CCPA?

When some people think about personal information, they think about bank account numbers, location history, and the contents of their chat messages with friends. All of that private information is part of the personal information protected by the CCPA, and the CCPA...

Slide 7: Consumer Notification

Now that we understand who has CCPA rights and what personal information means, let’s examine what you need to tell consumers about your use of their personal information and how to present that disclosure.  The CCPA requires businesses to notify consumers about...

Slide 8: What is Data Selling?

Note that CCPA’s definition of “sell” is broad and includes a variety of transactions not normally thought of as a sale. For example, many companies that assist with online marketing will use the data they collect from your consumers to enhance their own marketing...

Slide 9: Privacy Policy Content

Now that you’ve provided any applicable Do Not Sell My Info disclosure and linked consumers to your full privacy policy, let’s look at the requirements for that policy.  Your policy should explain what information you collect and why. That disclosure is a basic...

Slide 10: A Consumer’s Right to Know

What you need in your privacy policy that’s new for CCPA is an explanation of the four core consumer CCPA rights and how to access them:  First is the right to know about the information your business collects, discloses and sells.  The right to know includes the...

Slide 11: Requests to Delete

The second of the four core CCPA rights your privacy policy should explain is the right of consumers to request that you delete their personal data. This includes all of the data you would have disclosed to the consumer if they made a right to know request. However,...

Slide 12: Opting Out

The third core CCPA right is the right to opt out of data sales. We’ve already discussed the broad definition of sale underlying this right, and your privacy policy should explain this right to consumers. If a consumer chooses to “opt-out” of sales, you should stop...

Slide 13: Non-Discrimination

The fourth core CCPA right is the right to non-discriminatory treatment. Your privacy policy should explain that if a consumer exercises their privacy rights, you will not treat them any differently than other consumer, for example by charging them a higher price or...

Slide 14: More on Privacy

In addition to explaining each of the core CCPA rights, your privacy policy should explain how to access them, and we’ll cover that next, in part two of our agenda. Before we leave the topic what to include in your privacy policy, note that the CCPA allows consumers...

Slide 15: Accepting Requests

The third core CCPA right is the right to opt out of data sales. We’ve already discussed the broad definition of sale underlying this right, and your privacy policy should explain this right to consumers. If a consumer chooses to “opt-out” of sales, you should stop...

Slide 16: Web Form or Email

You need to offer at least two contact methods for consumers to exercise their privacy rights.   The first method is an interactive web form or an email address. If you don’t sell data within the meaning of the CCPA, an email address is acceptable as your first...

Slide 17: Toll Free Number

The second contact method you need to offer is a toll free number. This is a requirement for accepting right to know and delete requests. There is an exception for businesses that never interact with consumers offline, and who have a direct relationship with all of...

Slide 18: Other Contact Methods

Finally, if neither of your first two contact methods reflect the manner in which you primarily interact with consumers, you need to offer that method as a third method. For example, if consumers primarily interact with you by shopping in your brick and mortar stores,...

Slide 19: Verifying Requests

Finally, if neither of your first two contact methods reflect the manner in which you primarily interact with consumers, you need to offer that method as a third method. For example, if consumers primarily interact with you by shopping in your brick and mortar stores,...

Slide 20: Request Verification Steps

The CCPA provides detailed guidance about how to verify consumer requests: Make the verification process proportionate to the value of the data at issue–in other words, if a consumer requests a copy of more sensitive information such as location history, the...

Slide 21: Responding to Requests

In part 4 of our agenda, we’ll examine the CCPA deadlines for responding to requests and what information you need to include in your...

Slide 22: Response Timing

First, let’s talk about timing. When you receive a right to know or a delete request, you need to acknowledge it within 10 calendar days, informing consumers about your verification procedures and when to expect a substantive response. You need to fulfill the request...

Slide 23: Request Response Details

For all types of requests, respond free of charge and always comply to the extent possible. If there’s a reason you cannot comply, explain it and also explain your appeal procedures if you offer a right to appeal. For right to know requests, consumers can request...

Slide 24: Verification Issues

If you can’t verify a consumer making a right to know request, don’t release any information and direct them to your privacy policy instead. If you can’t verify a consumer making a delete request, respond by offering to treat it as an opt-out of sale request instead...

Slide 25: More Request Details

For delete requests, the CCPA gives you wide latitude to deny a request if you need the data to comply with laws, to identify errors, to maintain security, to provide services to the consumer, or for reasonably anticipated internal uses, such as financial reporting or...

Slide 26: Agents and Households

If a right to know or delete request comes from a consumer’s agent rather than directly from the consumer, you can require the consumer to demonstrate that they’ve authorized the agent in a signed document by asking them to provide you with a copy of it, and you can...

Slide 27: Documenting Compliance

Whenever you receive a request, whether you can verify it or not, and whether you ultimately respond to it or deny it, you need to maintain records about your CCPA...

Slide 28: Documentation Details

The CCPA requires businesses to maintain compliance records for 24 months, including the date of request, what rights were exercised, the contact method used to make the request, the date of your response, the nature of your response, and the basis for any denial if...

Slide 29: Special Circumstances

We’ll wrap up our training program by covering two separate topics: children’s privacy, and the CCPA’s rule prohibiting discrimination against consumers who exercise their privacy rights and the exception to that...

Slide 30: Children’s Privacy

The CCPA does not require you to know or to ask how old your consumers are, but if you have actual knowledge or a strong reason to know that a consumer is under age 16, you need to obtain an opt in before selling their personal information rather than providing an...

Slide 31: Non-Discrimination Details

For consumers of all ages who exercise their CCPA rights, it’s important not to treat them any differently as a result. The CCPA forbids discriminating against consumers who exercise their privacy rights, for example by charging them a different price, providing them...

Slide 32: Incentives for Data Use

However, the CCPA does allow businesses to maintain loyalty programs, freemium business models, and even to pay financial incentives to consumers for using their data if these programs adhere to certain parameters. The key consideration for these programs is that any...

Slide 33: Thanks, Credits, and 20% Off

Thank you for participating in our training program. Please leave any comments in our YouTube channel or email me at marc@ccpafreetraining.com if you have any questions or if you would like to see additional training modules that focus on topics such as product design...