Definitions
- CCPA – applies to companies that do business in California.
- Consumer – A natural person who is a California resident (no requirement for a business relationship).
- Personal Information – Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household. This also includes cookies and other browser data, even data without identifying information.
- Sale of Personal Information – Businesses must enable and comply with a consumer’s request to opt-out of the sale of personal information to third parties, subject to certain defences. They must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on a website home page.
Businesses must not request reauthorization to sell a consumer’s personal information for at least 12 months after the person opts-out.
Consumers Need This Access for CCPA Compliance Policy
These policies should be accessible under Manage Account, across all platforms through kiosks, apps, and websites. Consumers should know:
- If personal information is being sold or disclosed, and to whom. Currently 365 does not. If what we send to Advana changes, Privacy/Security must be notified.
- What personal information is being collected from their account.
Consumer Processes
- Say “no to the sale of personal information” – We have determined that we do not sell data, however if any change of data is provided to Advana, we must make these policy and process changes. Notify Privacy/Security of any changes.
- Consumers can have access to their personal information that we collect.
- Consumers can request deletion of their personal information. Email or automate the request to delete their data.
- Consumers should not be discriminated against for exercising their rights (surcharges, service levels, etc).
Action Items for all Products, Websites and Applications
- Consumer notifications – We must update existing privacy policies to meet CCPA requirements and provide written disclosures to current and future employees.
- Consumer access/deletion rights – Conduct data mapping to determine what data we possess and where it is being stored. Create a complete inventory of the websites and mobile applications we manage. We are working to define internal processes for fulfilling consumer requests.
- We expect both new and existing clients to impose contractual obligations related to CCPA.
Other notable requirements
- There must be two methods of contact for consumer requests. One must be a toll-free phone number.
- There must be a method of identity verification for consumer requests. We must confirm that the individual is making the request on their own behalf before releasing or deleting data.
- We must respond to all consumer requests within 45 days, with the potential for one 45-day extension.
- We must contractually bind our subcontractors to comply with CCPA.
- The lookback period for CCPA is 12 months. Requests for access or deletion will apply to information collected or disclosed in the 12 months preceding the request.