Readers of this blog have been following our coverage of the California Consumer Privacy Act (“CCPA”) and related regulatory developments. In today’s blog, we detail some of the compliance measures that should be taken with respect to consumer data election rights and the associated CCPA forms through which consumers can make these elections. Among other measures, the CCPA has codified California consumers’ rights to: 1) opt-out of the sale of their personal information to third parties; 2) request to know what personal information businesses have collected about them and how businesses have sold or disclosed that information to third parties; and 3) request that businesses delete personal information that has been collected from/about them. With limited exceptions, businesses should provide consumers with CCPA forms to make elections by and through their websites.
What are CCPA forms and when should they be processed?
In order to comply with the CCPA, each business is required to “provide two or more methods for submitting requests to opt-out, including, an interactive form accessible via a clear and conspicuous link titled ‘Do Not Sell My Personal Information,’ or ‘Do Not Sell My Info,’ on the business’ website or mobile application.” Businesses do not need to provide an opt-out form if they do not sell personal information and explain this fact in their privacy policies. Opt-out forms should: 1) include a description of consumers’ rights to opt-out of the sale of their personal information; 2) use plain, straightforward language and avoid technical or legal jargon; 3) provide instructions on any other method by which consumers may submit their requests to opt-out; and 4) be reasonably accessible to consumers with disabilities. The modified CCPA regulations have removed the requirements that opt-out forms include proof when consumers are using authorized agents to exercise their rights to opt-out and that opt-out forms provide links to the URLs of businesses’ privacy policies.
The most recent proposed CCPA regulation revisions have eliminated the requirement that businesses operating exclusively online that have a direct relationship with their consumers provide a web-based CCPA form to submit right to know requests. These businesses are now only required to provide an email address. All other businesses must provide two (2) methods for submitting requests to know including, but not limited to, a toll-free telephone number and a designated email address or a form that can be submitted by U.S. Mail. When supplying consumers with the ability to delete their personal information, businesses must provide two (2) or more methods for submitting these requests. Methods include, but are not limited to, a toll-free number, a link or form available online through a business’s website, or a designated email address. If businesses create CCPA forms to satisfy right to know and deletion election requirements, those forms too should use plain, straightforward language and must be reasonably accessible to consumers with disabilities. Please note that the modified CCPA regulations no longer require a two-step process to effectuate online requests to delete.
Processing CCPA Forms
Businesses must comply with requests to opt-out no later than fifteen (15) business days from the date the requests are received. If a business sells a consumer’s personal information after the request to opt-out has been received, but before that business has complied with the request, it must notify third parties that have received consumer personal information from the company in this interim period that the consumer has elected to opt-out and that these third parties may no longer sell that consumer’s personal information. Businesses must confirm receipt of right to know and deletion requests within ten (10) business days of receiving such requests and respond to these requests within forty-five (45) calendar days from the date that the subject requests were received. If necessary, businesses that are unable to respond to requests within the forty-five (45) calendar day period may take an additional forty-five (45) calendar days to respond, provided that they give consumers notice and an explanation that an extension is required.
CCPA forms are just one regulatory implementation measure that should be taken on the path to CCPA compliance.