The California Consumer Privacy Act (CCPA) entered force on January 1, 2020, which had immediate effects on the relationships between consumers, businesses, and personal data.
The toll-free number requirement was introduced to ensure that businesses are always reachable and transparent to their website users, giving them the option to call and use their rights around privacy and data protection.
The California Privacy Rights Act (CPRA), going into effect on Jan 1, 2023, follows up the CCPA with new and expanded consumer and employee privacy protections, retaining the toll-free number requirement as well.
An amendment to the law, confirmed in October 2019 by the Governor of California, modified a key provision. Referred to as the “toll-free number amendment”, it clearly defined which types of businesses must provide a toll-free phone number for consumers to exercise their privacy rights.
According to the amendment (AB-1564), businesses that operate primarily in-person but also have a web presence must be capable of processing consumer rights requests requests to know through a minimum of three channels. Such organizations must make at least the following methods readily available to consumers:
Businesses operating in-person without a website must also offer a minimum of two request methods to consumers:
AB-1564 changed the request method obligations for web-based businesses. If a company has direct relationships with consumers and operates exclusively online, it does not have to provide a toll-free phone number. Instead, the business must provide at least the following online contact methods to receive and process consumer rights requests:
Note that businesses also provide at least two methods to support the right to delete personal information. The channels listed above fulfill these requirements.
A toll-free phone number is always an acceptable option, regardless of where the business primarily operates, so long as the fundamental requirements are met.
If a company doesn’t meet the exemption enacted by AB-1564 for web-based businesses, it must provide at least two ways for consumers to submit requests for information and requests to delete. For many businesses, those methods will include a toll-free number and web form conspicuously linked on the company’s website.
When handling requests coming in through the toll-free channel, the following steps should ensure that these requests are processed efficiently.
Compliance with the CCPA’s toll-free requirement is easier with the OneTrust CCPA suite of automated privacy management and data governance tools.
The OneTrust CCPA Toll-Free Number feature enables businesses to integrate a phone-based workflow into an automated consumer rights process. Use it to generate a unique or shared phone number, greet callers with a customized message, and verify consumer identities to log requests effectively.
With OneTrust CCPA Toll-Free Number, you can: