Coming into effect on January 1st, the California Consumer Privacy Act (CCPA) is the latest U.S. state-based regulation on legal and compliance officers’ radars. It is designed to prevent large or profitable businesses that earn a significant portion of their income from collecting and selling consumer data from doing so without the consumer’s express consent.
Our last blog on the CCPA outlined what businesses need to know to prepare for the latest privacy act.
In addition to giving users the ability to opt-out of having their data sold, there are other mandates that businesses must meet and follow in order to remain compliant and avoid the hefty penalties of the CCPA. Because we know how overwhelming it can be to get accustomed to new privacy laws and ensure that your business is set up for success, PactSafe has compiled a list of best practices for CCPA and ways that we can help.
Quick facts about CCPA
At a high level, to ensure compliance with CCPA, businesses need to do the following:
- Update privacy policies to include the CCPA-mandated disclosures and track consent of updates as they occur over time;
- Track and capture acceptance of terms and conditions (or other online agreements) as they change over time;
- Provide two methods for users to request the personal information the business has collected, shared, or sold about the consumer;
- Afford consumers the opportunity to generally opt in and opt out of data disclosure and track when consumers opt in and out over time;
- Obtain a parent’s opt-in before selling the data of a minor under the age of 13, and the minor’s own opt-in for minors age 13-16; have a means of capturing and tracking minor opt-ins if the business deals with minors;
- Provide a link (leading to a form) for consumers to specifically opt out of the sale of their personal information, which should be labeled “Do Not Sell My Personal Information”;
- Allow users to request that the business disclose and/or delete their information, track such requests, and ensure third-party compliance with the requests;
- Revise third-party agreements (e.g., Data Processing Agreements), and track acceptance of the updated agreements to ensure third-party compliance.
Best Practices for CCPA Compliance
Here are 5 key best practices to keep in mind when preparing your business for CCPA compliance:
- Use single-purpose buttons for opt-ins and opt-outs. A single-purpose button is a box or button that completes one action (e.g. agreeing to terms). A dual-purpose button, on the other hand, completes two actions with one click (e.g. agreeing to terms AND signing up for a service). The CCPA requires a business to have a separate button or link for consumers to opt out of the sale of their personal information, labeled “Do Not Sell My Personal Information.” This should direct users to a form they must fill out to complete the request, and the request should be tracked. More generally, single-purpose buttons are preferable to dual-purpose ones because they are better for collecting affirmative and unambiguous assent.
- Provide an electronic trail of record acceptance: The electronic trail should include the user, the version of the contract, the date and time the contract was agreed to, what operating system and browser the user used, and what the screen looked like on that browser at the time of signing.
- Allow consumers to easily review privacy policies and provide updates as the policies change: Provide the user with their own copy of the contract, either by allowing them to download at the time or sending it via email after acceptance. Also, as policies change and are updated over time, the consumer needs to have a way to review these changes before they take effect. Push updates out and require acceptance of updated terms.
- Use language that is consistent with the CCPA when labeling opt-in and opt-out buttons or checkboxes: For example, the link users click to opt out of the business selling their information should be labeled “Do Not Sell My Personal Information.”
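The electronic trail described in the best practices above (user, contract version, date and time, operating system and browser, and a capture of what the screen looked like) is only useful as evidence if it cannot be quietly altered later. The following is an added example, not PactSafe’s code or anything from the original post: each consent record is identified by a content hash of the exact contract text the user saw, actions are restricted to single-purpose ones, and records are chained by hash so that editing or dropping an earlier record is detectable. It also encodes the age bands for minors exactly as this post states them (under 13, a parent opts in; 13-16, the minor opts in); the behaviour for anyone older is an assumption made for the example. All sample records, user agents and screenshot bytes are constructed for illustration.

```python
"""Tamper-evident electronic trail of consent records (added example, not PactSafe's code)."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import List, Optional, Set

# Single-purpose actions only: each record captures exactly one decision,
# never a bundled "agree AND sign up" click.
ALLOWED_ACTIONS = {"accept_terms", "accept_privacy_policy", "opt_in_sale", "opt_out_sale"}


def contract_version_id(contract_text: str) -> str:
    """Identify a contract version by the hash of the exact text that was shown."""
    return hashlib.sha256(contract_text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    action: str
    contract_version: str    # hash of the contract text the user saw
    timestamp: str           # ISO-8601, UTC
    user_agent: str          # browser / operating system string sent by the client
    screenshot_sha256: str   # hash of the rendered-page capture stored elsewhere
    prev_hash: str           # hash of the previous record (the chain link)
    record_hash: str = ""    # filled in by ConsentLog.append

    def payload(self) -> bytes:
        """Canonical bytes covered by record_hash (everything except the hash itself)."""
        fields = asdict(self)
        fields.pop("record_hash")
        return json.dumps(fields, sort_keys=True).encode("utf-8")


class ConsentLog:
    GENESIS = "0" * 64  # prev_hash of the first record

    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []

    def append(self, user_id: str, action: str, contract_text: str, user_agent: str,
               screenshot: bytes, timestamp: Optional[str] = None) -> ConsentRecord:
        """Record one single-purpose decision and link it to the previous record."""
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"not a single-purpose action: {action!r}")
        prev = self.records[-1].record_hash if self.records else self.GENESIS
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        draft = ConsentRecord(user_id, action, contract_version_id(contract_text), ts,
                              user_agent, hashlib.sha256(screenshot).hexdigest(), prev)
        rec = replace(draft, record_hash=hashlib.sha256(draft.payload()).hexdigest())
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """True only if every record hashes correctly and the chain is unbroken."""
        prev = self.GENESIS
        for rec in self.records:
            if rec.prev_hash != prev:
                return False
            if hashlib.sha256(rec.payload()).hexdigest() != rec.record_hash:
                return False
            prev = rec.record_hash
        return True

    def latest_decision(self, user_id: str, actions: Set[str]) -> Optional[ConsentRecord]:
        """Most recent record for this user among the given actions (e.g. current sale status)."""
        for rec in reversed(self.records):
            if rec.user_id == user_id and rec.action in actions:
                return rec
        return None


def required_opt_in_party(age: int) -> Optional[str]:
    """Who must opt in before a minor's data may be sold, using the age bands in the post.
    Assumption for the example: above those bands no affirmative opt-in party is returned."""
    if age < 13:
        return "parent"
    if 13 <= age <= 16:
        return "minor"
    return None


if __name__ == "__main__":
    # Constructed sample trail: a user accepts terms, then opts out of sale.
    log = ConsentLog()
    log.append("user-42", "accept_terms", "Terms of Service, version 2020-01",
               "Mozilla/5.0 (X11; Linux x86_64) Firefox/71.0", b"<constructed png bytes 1>")
    log.append("user-42", "opt_out_sale", "Privacy Policy, version 2020-01",
               "Mozilla/5.0 (X11; Linux x86_64) Firefox/71.0", b"<constructed png bytes 2>")
    print("chain intact:", log.verify())
    print("sale status:", log.latest_decision("user-42", {"opt_in_sale", "opt_out_sale"}).action)
```

Storing the screenshot and contract text by hash keeps the log small while still tying each record to the exact screen and wording the user saw; the chain hash is what lets an auditor detect a record that was altered or removed after the fact.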
How can PactSafe help?
While there are businesses that can build in-house solutions, PactSafe already has a comprehensive platform that can help you be compliant with CCPA requirements.
Tracking and updating privacy policies
PactSafe can help businesses track consent to updated privacy policies, terms and conditions, and CCPA-mandated disclosures. Additionally, PactSafe can help businesses track opt ins and opt outs of data disclosures.
Providing “Do Not Sell My Information” Link
PactSafe can help businesses manage consumers opting out of the business selling their personal information by providing a link, “Do Not Sell My Personal Information,” that will direct users to a form to be filled out to ensure complete requests. By tracking who opts out of the sale of their information and when, companies can ensure compliance with such requests across the organization as well as with third parties who have access to consumer data.
Quickly pushing out updates
PactSafe can be used to quickly push out updated privacy policies, terms and conditions, and third-party agreements (e.g., Data Processing Agreements) for consumers or vendors to acknowledge or accept with a simple click of a button.
Ensure maximum CCPA readiness
To avoid the heavy fines of non-compliance, download our readiness cheat sheet to learn what you need to have done by January 1st. Or just request a demo of the PactSafe solution.