CCPA - California Consumer Privacy Act

Definitions

  • CCPA – applies to companies that do business in California.
  • Consumer – A natural person who is a California resident (no requirement for a business relationship).
  • Personal Information – Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household. This also includes cookies and other browser data, even data without identifying information.
  • Sale of Personal Information – Businesses must enable and comply with a consumer’s request to opt out of the sale of personal information to third parties, subject to certain defences. They must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on a website home page.

Businesses must not request reauthorization to sell a consumer’s personal information for at least 12 months after the person opts out.

 

Consumers Need This Access for CCPA Compliance Policy

These policies should be accessible under Manage Account, across all platforms through kiosks, apps, and websites. Consumers should know:

  • If personal information is being sold or disclosed, and to whom. Currently, 365 does not do so. If what we send to Advana changes, Privacy/Security must be notified.
  • What personal information is being collected from their account.

 

Consumer Processes

  • Say “no to the sale of personal information” – We have determined that we do not sell data; however, if the data provided to Advana changes, we must make these policy and process changes. Notify Privacy/Security of any changes.
  • Consumers can have access to their personal information that we collect.
  • Consumers can request deletion of their personal information. Email or automate the request to delete their data.
  • Consumers should not be discriminated against for exercising their rights (surcharges, service levels, etc.).

 

Action Items for all Products, Websites and Applications

  • Consumer notifications – We must update existing privacy policies to meet CCPA requirements and provide written disclosures to current and future employees.
  • Consumer access/deletion rights – Conduct data mapping to determine what data we possess and where it is being stored. Create a complete inventory of the websites and mobile applications we manage. We are working to define internal processes for fulfilling consumer requests.
  • We expect both new and existing clients to impose contractual obligations related to CCPA.

 

Other notable requirements

  • There must be two methods of contact for consumer requests. One must be a toll-free phone number.
  • There must be a method of identity verification for consumer requests. We must confirm that the individual is making the request on their own behalf before releasing or deleting data.
  • We must respond to all consumer requests within 45 days, with the potential for one 45-day extension.
  • We must contractually bind our subcontractors to comply with CCPA.
  • The lookback period for CCPA is 12 months. Requests for access or deletion will apply to information collected or disclosed in the 12 months preceding the request.

 

Attachments
CCPA Internal Processes.pdf (60 KB)