Hello, I’m Marc Mandel, a technology company general counsel and a co-founder of www.CCPAFreeTraining.com. In this training course, we will cover the California Consumer Privacy Act, or CCPA, from the perspective of a manager or an employee of a business that is...
The CCPA requires training for everyone who either handles consumer inquiries or who is responsible for CCPA compliance within a business. That includes your customer care team, your store associates if you have brick and mortar stores, the teams who design your...
Before we continue, let’s take a moment to consider the importance of privacy laws like the CCPA. The fourth amendment to the American constitution protects our privacy, but only from actions by government and not private corporations. In this era of big data,...
The agenda for our course consists of six topics: Notifying consumers about your data collection practices and their CCPA rights What infrastructure you need to accept consumer requests How to verify requests before you respond to them When and how to respond to...
The CCPA provides privacy rights to quote unquote “consumers,” meaning any resident of California. While businesses may deny CCPA rights to residents of other states, as of March 2020, a Nevada privacy statute provides an opt-out right similar to the CCPA, and about a...
When some people think about personal information, they think about bank account numbers, location history, and the contents of their chat messages with friends. All of that private information is part of the personal information protected by the CCPA, and the CCPA...
Now that we understand who has CCPA rights and what personal information means, let’s examine what you need to tell consumers about your use of their personal information and how to present that disclosure. The CCPA requires businesses to notify consumers about...
Note that CCPA’s definition of “sell” is broad and includes a variety of transactions not normally thought of as a sale. For example, many companies that assist with online marketing will use the data they collect from your consumers to enhance their own marketing...
Now that you’ve provided any applicable Do Not Sell My Info disclosure and linked consumers to your full privacy policy, let’s look at the requirements for that policy. Your policy should explain what information you collect and why. That disclosure is a basic...
What you need in your privacy policy that’s new for CCPA is an explanation of the four core consumer CCPA rights and how to access them: First is the right to know about the information your business collects, discloses and sells. The right to know includes the...
The second of the four core CCPA rights your privacy policy should explain is the right of consumers to request that you delete their personal data. This includes all of the data you would have disclosed to the consumer if they made a right to know request. However,...
The third core CCPA right is the right to opt out of data sales. We’ve already discussed the broad definition of sale underlying this right, and your privacy policy should explain this right to consumers. If a consumer chooses to “opt-out” of sales, you should stop...
The fourth core CCPA right is the right to non-discriminatory treatment. Your privacy policy should explain that if a consumer exercises their privacy rights, you will not treat them any differently than other consumer, for example by charging them a higher price or...
In addition to explaining each of the core CCPA rights, your privacy policy should explain how to access them, and we’ll cover that next, in part two of our agenda. Before we leave the topic what to include in your privacy policy, note that the CCPA allows consumers...
The third core CCPA right is the right to opt out of data sales. We’ve already discussed the broad definition of sale underlying this right, and your privacy policy should explain this right to consumers. If a consumer chooses to “opt-out” of sales, you should stop...
You need to offer at least two contact methods for consumers to exercise their privacy rights. The first method is an interactive web form or an email address. If you don’t sell data within the meaning of the CCPA, an email address is acceptable as your first...
The second contact method you need to offer is a toll free number. This is a requirement for accepting right to know and delete requests. There is an exception for businesses that never interact with consumers offline, and who have a direct relationship with all of...
Finally, if neither of your first two contact methods reflect the manner in which you primarily interact with consumers, you need to offer that method as a third method. For example, if consumers primarily interact with you by shopping in your brick and mortar stores,...
Finally, if neither of your first two contact methods reflect the manner in which you primarily interact with consumers, you need to offer that method as a third method. For example, if consumers primarily interact with you by shopping in your brick and mortar stores,...
The CCPA provides detailed guidance about how to verify consumer requests: Make the verification process proportionate to the value of the data at issue–in other words, if a consumer requests a copy of more sensitive information such as location history, the...
First, let’s talk about timing. When you receive a right to know or a delete request, you need to acknowledge it within 10 calendar days, informing consumers about your verification procedures and when to expect a substantive response. You need to fulfill the request...
For all types of requests, respond free of charge and always comply to the extent possible. If there’s a reason you cannot comply, explain it and also explain your appeal procedures if you offer a right to appeal. For right to know requests, consumers can request...
If you can’t verify a consumer making a right to know request, don’t release any information and direct them to your privacy policy instead. If you can’t verify a consumer making a delete request, respond by offering to treat it as an opt-out of sale request instead...
For delete requests, the CCPA gives you wide latitude to deny a request if you need the data to comply with laws, to identify errors, to maintain security, to provide services to the consumer, or for reasonably anticipated internal uses, such as financial reporting or...
If a right to know or delete request comes from a consumer’s agent rather than directly from the consumer, you can require the consumer to demonstrate that they’ve authorized the agent in a signed document by asking them to provide you with a copy of it, and you can...
Whenever you receive a request, whether you can verify it or not, and whether you ultimately respond to it or deny it, you need to maintain records about your CCPA...
The CCPA requires businesses to maintain compliance records for 24 months, including the date of request, what rights were exercised, the contact method used to make the request, the date of your response, the nature of your response, and the basis for any denial if...
We’ll wrap up our training program by covering two separate topics: children’s privacy, and the CCPA’s rule prohibiting discrimination against consumers who exercise their privacy rights and the exception to that...
The CCPA does not require you to know or to ask how old your consumers are, but if you have actual knowledge or a strong reason to know that a consumer is under age 16, you need to obtain an opt in before selling their personal information rather than providing an...
For consumers of all ages who exercise their CCPA rights, it’s important not to treat them any differently as a result. The CCPA forbids discriminating against consumers who exercise their privacy rights, for example by charging them a different price, providing them...
However, the CCPA does allow businesses to maintain loyalty programs, freemium business models, and even to pay financial incentives to consumers for using their data if these programs adhere to certain parameters. The key consideration for these programs is that any...
Thank you for participating in our training program. Please leave any comments in our YouTube channel or email me at marc@ccpafreetraining.com if you have any questions or if you would like to see additional training modules that focus on topics such as product design...