The California Consumer Privacy Act (CCPA) is the first privacy law of its kind to pass in the United States – transforming the way organizations must think about and structure their privacy program. The CCPA outlines certain rights for California residents, including: 

One of the primary challenges for organizations gearing up for the CCPA is how to handle consumer requests. Here is a quick list of the most common Dos and Don’ts relating to consumer rights management under the CCPA.

 

CCPA Consumer Rights Management Dos: 

Take a Practical Approach  

Map workflows that are documented and repeatableScale to automation over time, or as needed and ensure your process is flexible and iterative. Edge cases will happen, so it’s important to be able to adapt accordingly.  

Standardize and Structure the Intake Process  

You will need multiple methods to comply with the CCPA’s requirements for intaking consumer requests, which is why it’s important to define a standardized and structured process to streamline things. To maintain compliance, you will need a phone number to intake requests, as well as a link on your website and ability to intake via mail.  

Validate Consumer Identity Based on Persona of Consumer  

Identity validation depends on how you interact with the consumer making the request. In most cases, you can validate with existing authentication or a combination of known data such as account number, address, and date of birth. In certain cases, you can escalate validation with security question, document uploads, and integrations with validation systems like Experian, etc. But keep in mind that this is not a one-size-fits-all process. Depending on the complexity of the request or the type of data being requested, you may need more advanced methods of gathering more data, as necessary. 

Training 

Think clearly about who on your team will intake and fulfill consumer requests—whether it’s IT, Privacy, Customer Care, etc.—and train them accordingly.  

 

CCPA Consumer Rights Management Don’ts: 

Do Not Force Account Creation  

Under the CCPA, you cannot force a consumer to create an account in order to fulfill a consumer request. Ensure that your consumer request methods comply with the CCPA.  

Do Not Forget About the Consumer  

You can have the most well-oiled system, but you still need to be able to intake the request and send data to the consumer in a secure manner, all while maintaining consumer satisfaction from a business perspective.  

Do Not Gather Too Much Information  

You need to consider what information is absolutely necessarily in order to verify the request. Asking too many questions for unnecessary information can be an unpleasant user experience and can violate collection limitation and data minimization principles. It is important to have a flexible workflow so that you can ask for more information only when needed. 

Regardless of the maturity of your privacy program, it’s never too soon to start planning for your CCPA readiness. OneTrust for CCPA is a full set of scalable solutions and services specifically designed to implement CCPA requirements and workflows to support a global privacy program.  

For additional information, or to request a live OneTrust Privacy Management Software demo, visit OneTrust.com or email [email protected]  

 Resources:  

Check out our CCPA blog series: