1. Responding to Consumer Rights:
Companies must provide California residents with the ability to exercise rights related to the collection and use of their personal information. These rights may include the right to know what data is being collected, the right to access or request copies of personal information, the right to delete certain types of personal information, and the right to opt-out of the sale of personal information. Companies should have a process in place to respond to these requests and document any forms or processes used to do so.
2. Required Disclosures:
Companies must clearly disclose their privacy practices and data collection activities, including what types of personal information are collected, how it is being used, and with whom it is shared. This disclosure must include a “Do Not Sell My Personal Information” link on the company’s website homepage or mobile app.
3. Restrictions on Selling Personal Information:
The CCPA restricts companies from selling the personal information of California residents without their informed consent. Additionally, companies are prohibited from providing financial incentives for collecting and selling personal information.
4. Data Retention:
Companies must have a data retention policy that outlines how long certain types of personal information will be kept and for what purpose. This policy should include procedures for securely disposing of or anonymizing personal information once it is no longer necessary to retain it.
5. Reidentification of Personal Information:
Personal information collected by companies must be de-identified, encrypted, or otherwise rendered unreadable before it is stored or shared with third parties. Companies are responsible for ensuring that the personal information they process cannot be re-identified and must put measures in place to prevent unauthorized access to this data.
6. Permitted Financial Incentives for Collecting, Selling, and Deleting Personal Information:
Companies that offer incentives to consumers in exchange for their personal information must make sure these incentives are proportional to the value of the data. Companies should also document what types of incentives they offer and how they calculate the value of consumer personal information.
7. Employee Training Related to Consumer Rights:
Employees should understand their obligations under CCPA regulations and be able to answer any questions about customer rights related to data collection. Companies should provide training on customer rights and ensure employees are familiar with procedures for responding to consumer requests.
8. Third-Party Oversight:
Third parties that companies work with must also comply with CCPA regulations. Companies should review their contracts with third parties and make sure the agreements meet CCPA standards.
9. Duty to Implement and Maintain Reasonable Security Measures:
Companies must take reasonable steps to protect the personal information they collect from unauthorized access or disclosure, including using encryption wherever possible. Companies should have a security policy that outlines these steps and documents any procedures related to data security.
10. Breach Response Readiness Plan:
In the event of a breach, companies need to have a response plan in place and ensure employees understand their roles in responding to an incident. The plan should include steps for reporting the breach, notifying affected individuals and authorities, containing the breach, determining root causes, taking corrective action, and documenting all incidents.