CCPA - California Consumer Privacy Act


  • CCPA – applies to companies that do business in California.
  • Consumer – A natural person who is a California resident (no requirement for a business relationship).
  • Personal Information – Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household. This also includes cookies and other browser data, even data without identifying information.
  • Sale of Personal Information – Businesses must enable and comply with a consumer’s request to opt-out of the sale of personal information to third parties, subject to certain defences. They must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on a website home page.

Businesses must not request reauthorization to sell a consumer’s personal information for at least 12 months after the person opts-out.


Consumers Need This Access for CCPA Compliance Policy

These policies should be accessible under Manage Account, across all platforms through kiosks, apps, and websites. Consumers should know:

  • If personal information is being sold or disclosed, and to whom. Currently 365 does not. If what we send to Advana changes, Privacy/Security must be notified.
  • What personal information is being collected from their account.


Consumer Processes

  • Say “no to the sale of personal information” – We have determined that we do not sell data, however if any change of data is provided to Advana, we must make these policy and process changes. Notify Privacy/Security of any changes.
  • Consumers can have access to their personal information that we collect.
  • Consumers can request deletion of their personal information. Email or automate the request to delete their data.
  • Consumers should not be discriminated against for exercising their rights (surcharges, service levels, etc).


Action Items for all Products, Websites and Applications

  • Consumer notifications – We must update existing privacy policies to meet CCPA requirements and provide written disclosures to current and future employees.
  • Consumer access/deletion rights – Conduct data mapping to determine what data we possess and where it is being stored. Create a complete inventory of the websites and mobile applications we manage. We are working to define internal processes for fulfilling consumer requests.
  • We expect both new and existing clients to impose contractual obligations related to CCPA.


Other notable requirements

  • There must be two methods of contact for consumer requests. One must be a toll-free phone number.
  • There must be a method of identity verification for consumer requests. We must confirm that the individual is making the request on their own behalf before releasing or deleting data.
  • We must respond to all consumer requests within 45 days, with the potential for one 45-day extension.
  • We must contractually bind our subcontractors to comply with CCPA.
  • The lookback period for CCPA is 12 months. Requests for access or deletion will apply to information collected or disclosed in the 12 months preceding the request.