December 15, 2022
CCPA toll-free number requirement
4 Min Read
The California Consumer Privacy Act (CCPA) entered force on January 1, 2020, which had immediate effects on the relationships between consumers, businesses, and personal data.
The toll-free number requirement was introduced to ensure that businesses are always reachable and transparent to their website users, giving them the option to call and use their rights around privacy and data protection.
The California Privacy Rights Act (CPRA), going into effect on Jan 1, 2023, follows up the CCPA with new and expanded consumer and employee privacy protections, retaining the toll-free number requirement as well.
What businesses are required to provide a toll-free number?
An amendment to the law, confirmed in October 2019 by the Governor of California, modified a key provision. Referred to as the “toll-free number amendment”, it clearly defined which types of businesses must provide a toll-free phone number for consumers to exercise their privacy rights.
According to the amendment (AB-1564), businesses that operate primarily in-person but also have a web presence must be capable of processing consumer rights requests requests to know through a minimum of three channels. Such organizations must make at least the following methods readily available to consumers:
- A web form
- A toll-free phone number
- A paper form
Businesses operating in-person without a website must also offer a minimum of two request methods to consumers:
- A toll-free phone number
- A paper form submitted in person and/or by mail
What businesses are exempt from providing a toll-free number?
AB-1564 changed the request method obligations for web-based businesses. If a company has direct relationships with consumers and operates exclusively online, it does not have to provide a toll-free phone number. Instead, the business must provide at least the following online contact methods to receive and process consumer rights requests:
- An email address
- A web form
Note that businesses also provide at least two methods to support the right to delete personal information. The channels listed above fulfill these requirements.
A toll-free phone number is always an acceptable option, regardless of where the business primarily operates, so long as the fundamental requirements are met.
What does the CCPA toll-free number requirement mean for businesses?
If a company doesn’t meet the exemption enacted by AB-1564 for web-based businesses, it must provide at least two ways for consumers to submit requests for information and requests to delete. For many businesses, those methods will include a toll-free number and web form conspicuously linked on the company’s website.
When handling requests coming in through the toll-free channel, the following steps should ensure that these requests are processed efficiently.
- Keep records of each request that comes through the toll-free number, categorizing them based on the type of request (know, access, deletion, portability)
- When each call comes through, have two to three ways to reasonably determine the customer’s identity based on the data you have (phone number, address, account number, etc.)
- In case these requests require action to be taken on the customer’s side, use the phone call to establish a channel through email, and complete processing the request there.
- Maintain a database of requests that have started through the toll-free channel, with data on whether they were resolved by phone or needed to be taken online to resolve.
How can my business comply with the toll-free number requirement?
Compliance with the CCPA’s toll-free requirement is easier with the OneTrust CCPA suite of automated privacy management and data governance tools.
The OneTrust CCPA Toll-Free Number feature enables businesses to integrate a phone-based workflow into an automated consumer rights process. Use it to generate a unique or shared phone number, greet callers with a customized message, and verify consumer identities to log requests effectively.
With OneTrust CCPA Toll-Free Number, you can:
- Publish a toll-free phone number to satisfy legal requirements
- Set up a customized welcome greeting that aligns with your company’s messaging and CCPA/CPRA requirements
- Replace manual processing tasks, such as identity verification, with automated ones
- Integrate with existing web-based workflows, such as CCPA Consumer Rights and Do Not Sell solutions
- Automate request fulfillment when integrated with OneTrust Data Discovery
- Log consumer requests in a centralized location for compliance recordkeeping