CCPA Series 3: How does an Enterprise Implement CCPA Obligations?
Aug 2, 2023
On January 1, 2020, the California Consumer Privacy Act (CCPA) came into effect. After a six-month grace period for compliance, CCPA entered the enforcement stage on July 1 of that year, and the California Attorney General may file lawsuits against and impose fines on companies that do not comply. Government regulation is forcing companies to increase their investment in privacy protection. At the same time, as the public becomes familiar with CCPA, consumers' awareness of data protection is growing, and companies are receiving a steady stream of data requests from consumers. According to the CCPA Trends 2021 Report released by DataGrail, since CCPA took effect, B2C companies received an average of 11 data processing requests per million users per month in 2020, with January 2020 seeing the highest number of requests, at 33. January was the month CCPA formally took effect, and many companies updated their privacy policies at that time, which led to a sharp increase in user data requests. These figures show that users are gradually coming to understand CCPA and their rights, and are beginning to take proactive steps to protect their personal information.
Under the dual pressure of government regulation and rising consumer awareness of data protection, enterprises should actively study the new obligations that CCPA imposes on them and make advance arrangements in three areas: privacy policy, data management structure, and internal processing procedures, so as to keep compliance costs as low as possible.
1. Adjustment of Privacy Policy
CCPA grants consumers six rights. Enterprises should inform users of the data protection rights granted by CCPA in their online privacy policies or on their websites, using wording and languages that ordinary users can easily understand, and should update these disclosures at least annually.
Right to Know
Enterprises should disclose in their privacy policies the categories of consumer information they collect, sell or share, information sources, purpose of use, specific content, and third-party processing agencies.
Access Right
Enterprises should provide consumers with the collected and processed personal information free of charge, in a simple and commonly used format, so that consumers can reuse it without obstacles.
Right to Delete
Enterprises should disclose to consumers the "right to request deletion of personal information" in their privacy policies. When an enterprise receives a deletion request from a consumer, it should verify the identity of the requester and confirm that the requester is the person in question before deleting the relevant information.
At the same time, enterprises should notify other service providers, contractors, and other third parties to delete relevant information.
Choice (opt-out) Right
Businesses should provide a prominent "Do Not Sell My Personal Information" link on their website homepage, allowing consumers or their agents to opt out of the sale of their personal information.
In addition to adding the link above, businesses should inform consumers of their right to opt-out in their online general privacy policy or home page dedicated to California consumers.
Fair Trade Right
Businesses may not discriminate against consumers for exercising their rights under the CCPA. However, companies can provide financial incentives for the collection, sale or deletion of personal information, including payment of compensation to consumers.
It should be noted that enterprises should obtain the consent of consumers to provide economic incentives, and users should have the right to withdraw at any time. If the consumer declines, the business may not invite the consumer to join the incentive program again for the next 12 months.
Individual Right of Action
Businesses should inform consumers of their rights to individual lawsuits in their privacy policies.
2. Adjust the Data Management Structure
In addition to fulfilling the duty of disclosure in privacy clauses, companies should also adjust their data management structures to ensure that they can respond quickly to consumer requests. Under the new framework of privacy protection obligations, an enterprise's database is no longer a simple storage carrier for information; it must become an intelligent warehouse capable of fine-grained management of massive amounts of data. Collection, classification, extraction, deletion and analysis all require an upgrade of the data management architecture to achieve flexible and convenient data management.
Taking a deletion request as an example: after receiving a consumer's deletion request, the company must quickly locate that consumer's personal information among millions of user records, determine which information can be deleted and which is necessary for providing the service, and then delete all or part of the consumer's personal information based on actual business needs and the consumer's request.
Enterprises should also label and classify their data properly, distinguishing sales data, shared data, marketing data and so on, so that after receiving a data processing request they can quickly notify data service providers or third-party processors to carry out the corresponding consumer request. Beyond the enterprise itself, its third-party processors, contractors and data service providers should have similar data management capabilities. As public awareness of data privacy continues to grow, consumers are beginning to demand better control over their personal information, and it is foreseeable that companies will receive more and more consumer data requests in the future. Enterprises should optimize their data management structure as soon as possible, manage consumers' personal information at a fine-grained level, handle consumers' data requests efficiently, and reduce processing costs.
3. Formulate Data Request Processing Specifications
CCPA also stipulates the operational norms for companies to handle consumer data requests.
Request Form
Businesses shall provide at least two designated means by which consumers may submit data requests, one of which shall be a toll-free telephone line.
In addition, if the enterprise operates exclusively online, it need only provide an email address; if the enterprise maintains a website, the website should allow consumers to submit requests for disclosure, deletion or correction of their information.
Processing Time Limit
Enterprises shall, within 45 days of receiving consumers' requests, disclose or provide consumers with the requested information free of charge, correct inaccurate personal information, or delete personal information. Under reasonable and necessary circumstances, the processing period can be extended for another 45 days, but consumers should be notified of the extension within the first 45-day period.
Consumer Verification
After receiving a consumer data request, the business shall verify the consumer, but shall not require the consumer to create a new account for verification purposes.
Data Request Scope
Businesses should be able to provide consumer information for the 12 months prior to receiving the consumer's request, but consumers may also request that a business disclose information for more than 12 months, unless the business can demonstrate that this is not feasible or involves excessive work.
Employee Training
Businesses should ensure that employees handling data requests are aware of consumer rights under the CCPA and can guide consumers in exercising those rights.
Third Party Obligations
Enterprises should re-examine the contracts signed with third-party organizations on the disclosure, sale, and sharing of consumer information to ensure that third-party organizations comply with CCPA regulations when processing consumers' personal information.
In addition, third parties may not sell or share a consumer's personal information that has been sold or shared by a business unless the consumer has been expressly notified and has the right to object.
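The data-management and request-handling steps described in sections 2 and 3 (verify the requester, compute the 45-day deadline and its extension, scope disclosure to the prior 12 months, delete what is deletable while keeping records still needed for the service, and collect the third parties to notify) can be sketched as a small request processor. The following is an added illustration, not code from this article or from any product it describes; the record tags, sample records and the 365-day approximation of the 12-month scope are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

STATUTORY_DAYS = 45    # response window stated in the article
EXTENSION_DAYS = 45    # one permitted extension; consumer must be told within the first window
LOOKBACK_DAYS = 365    # default 12-month disclosure scope (assumed as 365 days here)

@dataclass
class Record:
    consumer_id: str
    category: str              # constructed labels: "marketing", "sales", "service", ...
    collected_on: date
    retention_required: bool   # assumed tag: True if still needed to provide the service
    shared_with: tuple = ()    # third parties that received this record

def response_deadlines(received: date, extended: bool = False) -> dict:
    """Deadline to respond, and the latest date to notify the consumer of an extension."""
    first = received + timedelta(days=STATUTORY_DAYS)
    deadlines = {"respond_by": first, "notify_extension_by": first}
    if extended:
        deadlines["respond_by"] = first + timedelta(days=EXTENSION_DAYS)
    return deadlines

def records_in_scope(records, consumer_id: str, received: date, lookback_days=LOOKBACK_DAYS):
    """Disclosure scope: this consumer's records collected within the look-back window."""
    cutoff = received - timedelta(days=lookback_days)
    return [r for r in records if r.consumer_id == consumer_id and r.collected_on >= cutoff]

def process_deletion(records, consumer_id: str, verified: bool):
    """Deletion is not limited to the 12-month window: every deletable record of the
    consumer goes; records still required for the service are kept; third parties that
    received deleted data are collected so they can be notified."""
    if not verified:
        raise PermissionError("requester identity not verified; do not act on the request")
    kept, deleted, notify = [], [], set()
    for r in records:
        if r.consumer_id != consumer_id or r.retention_required:
            kept.append(r)
        else:
            deleted.append(r)
            notify.update(r.shared_with)
    return kept, deleted, sorted(notify)

# Constructed sample data: one consumer with recent, old and service-critical records.
RECEIVED = date(2023, 8, 2)
SAMPLE = [
    Record("c-100", "marketing", date(2023, 6, 1), False, ("adtech-partner",)),
    Record("c-100", "service", date(2023, 5, 10), True),
    Record("c-100", "sales", date(2021, 1, 15), False, ("data-broker",)),  # outside 12 months
    Record("c-200", "marketing", date(2023, 6, 2), False, ("adtech-partner",)),
]
```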
4. Compliance Recommendations
Under regulatory pressure and consumers' increased awareness of data protection, companies must invest more in privacy protection. According to Gartner data, the average cost for a company to manually process a single request is US$1,406. Calculated on the basis of 11 data requests per million users per month, a platform with 10 million registered users will spend about US$1.85 million per year, a sharp rise in labor and operating costs. However, despite the high cost of privacy compliance, it has been shown to bring additional rewards. According to a Cisco survey, "Most organizations can reap good returns from investing in privacy protection, and more than 40% of enterprises can reap at least twice the return." Although privacy compliance brings operational pressure in the short term, in the long run actively raising an enterprise's privacy compliance level helps win consumers' trust and adds value to the corporate brand. An enterprise facing an unfamiliar geography, culture and language finds it harder to gain user trust than a local enterprise does, and should be fully prepared for privacy compliance. CCPA sets out specific regulations on enterprises' information protection obligations. Enterprises should make advance arrangements for their privacy policies, data management structures and internal processing procedures, respond calmly to government supervision and consumer data requests, and turn privacy protection into a new source of growth.