For companies that already comply with the GDPR, whether the CCPA applies depends on two requirements:
1. The company must do business in California and/or with companies based in California.
2. The company must either have annual revenue greater than $25 million, possess data on more than 50,000 California residents, or derive more than 50% of its revenue from selling Californian consumer data.
Five-step compliance process:
1. Bring California users into your GDPR protocols - Essentially, this means treating requests from these customers the same as you would for EU residents under the GDPR, with the added requirement that you must confirm receipt of Californian consumer requests within 10 days -- faster than the timeline for EU residents.
2. "Do Not Sell My Personal Information" link - Your company's website must carry a link that says "Do Not Sell My Personal Information." It should use that specific phrasing, and it must take the user to a web page where they can opt out of the sale of their data. Once a consumer opts out, you can either create a process that excludes their data from sale, or delete the consumer's data entirely, as you would when processing a deletion request under the GDPR. Both options meet the requirement, though the second is technically safer and easier: it already falls within your GDPR processes, and it avoids the risk of a consumer's data being tagged incorrectly and sold despite their opt-out.
3. Create a toll-free number for data sale opt-outs - Companies need a toll-free number consumers can call if they decide they want to opt out of having their data sold -- such requests are then handled the same way as an opt-out made via your website. This number must connect them with an employee of your company who is trained to receive these requests, including informing consumers of their rights under the CCPA -- it's fine if this is the same employee trained to respond to GDPR requests. The line can be staffed during your company's normal operating hours.
4. Update your Privacy Policy - You must add to your Privacy Policy a statement on the right of California residents to opt out of the sale of their data. This statement is required even if your response to opt-out requests is to fully delete the data as you would under the GDPR. As part of this, you must also revise the phrasing of the GDPR statement in your Privacy Policy to make clear that the policy applies to Californians as well, and add a description of how you will inform consumers of updates to the policy.
5. Update your Privacy Policy every 12 months - The CCPA requires that you review and update your Privacy Policy every 12 months, and note in the Privacy Policy that you have done so. The easiest way for a California regulator to decide you're not in compliance with the CCPA is to look at your Privacy Policy and see that you haven't updated it in the last 12 months, or that you haven't disclosed when it was last updated. The most important thing here is to change the date of your last review and update. That doesn't necessarily mean changing anything else if nothing needs changing -- it can be as simple as reading the policy through and changing the date.