With the implementation and enforcement of CCPA, and with additional legislation on the way, individual rights as they pertain to personal data are having a moment.
So what do these enhanced individual rights mean for a business that wants to stay on the right side of compliance?
What does it mean, internally, for tracking data through systems and keeping tabs on who has access to it? And externally, what rights do you need to honor, and how will it impact your customer relationships and your business practices?
Individual rights, for purposes of our discussion, are all about giving a person control over their personal information. Respecting individual rights is essential for building a strong brand culture of trust and sustaining relationships with your customers, vendors, and employees.
But negative experiences don’t just impact immediate concerns—though they absolutely do that, too. Each negative experience erodes the hard work of your marketing and sales teams. It throws a wrench in your operation practices. Taken all together, it damages your long-term business strategies.
When it comes to compliance considerations, this breaks down into six different areas.
#1: Right to notice
You have to tell your customers about your data collection practices. Full stop. This is one of the big-ticket items for individual rights. Moreover, you have to tell them:
- At or before the point of collection what categories of personal information you’re gathering and why you’re doing it
- How to get in touch with you about any of this
If you’re an online-only business with a direct connection with customers, an email address or contact form on your website will suffice. But for all other businesses, you need to provide a toll-free number plus one other method of contact (email, website form, or physical form).
#2: Right to request access to information
Under CCPA, your customers have the right to request access to their information. This means your data inventory needs to be up to date in order for you to be able to fulfill the request. You should be able to articulate:
- What categories of personal information you’re collecting
- What categories of source the personal information is collected from
- Business and/or commercial purpose for the data
- What categories of third parties you’re sharing personal information with
- What pieces of personal information your business holds about them
This might seem pretty detailed—and it is! You need an easily accessible and complete population of information about every single one of your consumers.
Let’s take a moment to really drive home the point: It becomes really important to stay on top of your data inventories. What’s your workflow? Are you using the best tools for the job? Are you staying on top of the process? (Nothing in privacy is ever a one-and-done deal, after all!)
You, the IT team, will know where to find the data, and that’s a big win. Complying with individual rights requests takes both the business owners and the IT team working together.
#3: Right to get data in an easily accessible format
When you have a consumer’s data, they have the right to know if it’s being transferred (i.e., sold or shared). But they also have the right to get this information in an accessible, easy-to-understand format.
Upholding this right isn’t just good because it’s what you’re supposed to do. Making data accessible and understandable for customers goes a long way to supporting a culture of trust and transparency with them.
#4: Right to deletion
Your consumers can ask that you delete their personal information from your database, but only if it’s collected directly from them. But what if it’s not? Some data is collected indirectly and may be needed beyond the scope of your data collecting program—and it’s exempt from this right.
Experts agree the law gets vague here when it comes to the listed exceptions. You don’t have to delete information if it’s:
- Necessary for detecting security incidents
- Required for exercising free speech
- Needed for protecting against or defending legal claims
- Used for internal purposes reasonably aligned with the consumer’s expectations
Again, here is where the business and IT teams must collaborate. Typically the business owner will approve the request and will rely on the IT team to ensure the data is appropriately deleted.
When there’s a mapped out process on how to handle these requests, the communication between the teams will run much more smoothly and can be completed in a timely way.
#5: Right to opt-out
Under CCPA, opt-out is the right to stop the sale (that is, the sale or transfer) of your personal data.
The right to opt-out also provides for minors. Consumers under the age of 16 are considered minors, and you can’t collect information on minors unless you’ve received an explicit opt-in from either the parents themselves (for children under 13) or directly from the child (if they’re between 13 and 15).
Knowing where the data lives is critical for the business process owner. To honor an opt-out, the IT team may need to be involved: pulling the individual’s record out via an API or a data warehouse, setting a flag in a system, or using other methods that support the individual’s request to opt out of the sale of their data.
#6: Right to equal service and price
Equal services are perhaps the most important piece of this puzzle. You absolutely cannot deny a consumer equal service and prices if they choose to exercise their rights.
This contrasts with the fact that you can offer financial incentives for sharing data. However, incentives must correspond to said data’s value, and the individual must review and consent to the terms before opting in.
Supporting individual rights through your privacy practices
It’s not enough to just have a solid understanding of what your customers’ rights are, though. You need to know how to implement these rights through your business practices.
Your IT systems should be structured to allow the appropriate controls, and everyone should be trained on how to use them. Otherwise, you’re only half delivering.
Handling consumer requests
A big part of upholding individual rights is honoring requests to access and delete a consumer’s personal information. Is your team ready to handle requests?
What you need to know about handling requests
You have 10 days to confirm receipt of a Request for Access and/or Deletion, and you must respond to the request within 45 calendar days after receipt of the request. Responding quickly is essential to demonstrate to your customers that you take their privacy seriously.
However, all opt-out requests must be acted upon within 15 days, and you must notify all third parties to whom you have sold data between receiving the Opt-Out request and executing it.
Be aware of when you have the right to refuse a request and when you are required to comply. Consumers are only allowed to make most information requests twice a year and only for the previous 12 months. (There is an exception for deletion and do-not-sell requests; those are unlimited.)
Each request made must be verified before actually executing the request. In order to properly verify a request, an organization must do the following:
- Establish with a reasonable degree of certainty that the requestor is valid before executing the request. Two matching data points are sufficient for this.
- Don’t ask for new information—use existing information in the consumer’s profile.
- Avoid asking for sensitive information like their Social Security number.
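To make the handling rules above concrete for the IT team, here is an added example (not code from the original post or from Red Clover) of a request-intake module that encodes them: the 10-day acknowledgement and 45-day response deadlines for access and deletion requests, the 15-day window for opt-outs, the limit of two access requests per rolling 12 months (deletion and opt-out unlimited), and identity verification that requires at least two matching data points already held in the consumer’s profile while refusing to use sensitive fields such as a Social Security number. The request and decision types, the sensitive-field list, and the sample profile and request history are assumptions constructed for illustration.

```python
"""Intake and verification rules for CCPA consumer requests.

Added example; the field names, sensitive-field list and sample data
are assumptions, not taken from the original post.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class RequestType(Enum):
    ACCESS = "access"
    DELETION = "deletion"
    OPT_OUT = "opt_out"


# Deadlines from the post, in calendar days from receipt.
ACK_DAYS = {RequestType.ACCESS: 10, RequestType.DELETION: 10}
RESPONSE_DAYS = {RequestType.ACCESS: 45, RequestType.DELETION: 45,
                 RequestType.OPT_OUT: 15}

# Fields never used as verification challenges (assumed list).
SENSITIVE_FIELDS = {"ssn", "drivers_license", "passport", "bank_account"}
MIN_MATCHING_POINTS = 2       # "two matching data points are sufficient"
ACCESS_REQUEST_LIMIT = 2      # most information requests: twice a year
LOOKBACK_DAYS = 365           # rolling 12-month window


@dataclass
class ConsumerRequest:
    consumer_id: str
    kind: RequestType
    received: date
    claimed: Dict[str, str]   # data points the requestor supplied as proof


@dataclass
class Decision:
    accepted: bool
    reason: str
    ack_due: Optional[date] = None
    response_due: Optional[date] = None


def deadlines(req: ConsumerRequest) -> Tuple[Optional[date], date]:
    """Acknowledgement (access/deletion only) and response due dates."""
    ack = (req.received + timedelta(days=ACK_DAYS[req.kind])
           if req.kind in ACK_DAYS else None)
    resp = req.received + timedelta(days=RESPONSE_DAYS[req.kind])
    return ack, resp


def verify_identity(claimed: Dict[str, str], profile: Dict[str, str]) -> bool:
    """True when at least two claimed points match existing, non-sensitive
    profile fields. Sensitive fields and unknown keys never count, so the
    consumer is not asked for new information or for an SSN."""
    matches = 0
    for key, value in claimed.items():
        if key in SENSITIVE_FIELDS or key not in profile:
            continue
        if str(value).strip().lower() == str(profile[key]).strip().lower():
            matches += 1
    return matches >= MIN_MATCHING_POINTS


def within_rate_limit(kind: RequestType,
                      history: List[Tuple[RequestType, date]],
                      received: date) -> bool:
    """Access requests are capped at two per trailing 12 months;
    deletion and opt-out requests are unlimited."""
    if kind is not RequestType.ACCESS:
        return True
    window_start = received - timedelta(days=LOOKBACK_DAYS)
    recent = [d for k, d in history
              if k is RequestType.ACCESS and window_start < d <= received]
    return len(recent) < ACCESS_REQUEST_LIMIT


def triage(req: ConsumerRequest, profile: Dict[str, str],
           history: List[Tuple[RequestType, date]]) -> Decision:
    """Verify first, then apply the request limit, then compute deadlines."""
    if not verify_identity(req.claimed, profile):
        return Decision(False, "identity not verified: fewer than two "
                               "matching non-sensitive data points")
    if not within_rate_limit(req.kind, history, req.received):
        return Decision(False, "access request limit (2 per 12 months) reached")
    ack, resp = deadlines(req)
    return Decision(True, "verified; proceed", ack, resp)


# Constructed sample data: one consumer profile and a prior request log.
SAMPLE_PROFILE = {"email": "a@example.com", "postal_code": "94110",
                  "phone": "555-0100", "ssn": "000-00-0000"}
SAMPLE_HISTORY = [(RequestType.ACCESS, date(2020, 3, 1)),
                  (RequestType.ACCESS, date(2020, 8, 15))]

if __name__ == "__main__":
    req = ConsumerRequest("c1", RequestType.OPT_OUT, date(2020, 12, 1),
                          {"email": "a@example.com", "postal_code": "94110"})
    print(triage(req, SAMPLE_PROFILE, SAMPLE_HISTORY))
```

The three checks are ordered deliberately: verification runs before any rate-limit lookup so that an unverified requestor learns nothing about the consumer’s request history, and the sensitive-field filter means a matching SSN is simply ignored rather than treated as proof of identity.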
Your staff are your best resource
All of this requires significant internal support. First and foremost, you need to have your operational pieces securely in place. What are the processes that employees need to follow? How are employees trained? What does ongoing reporting look like?
Is the relationship between the business team and the IT team well established with clear lines of communication?
And does your staff understand the value of individual rights to data within the context of your company? Are they able to help your customers exercise them?
Think of it this way: Your processes support your brand. If all the key business and IT functions are well equipped to handle not just the day-to-day issues that come up, but unexpected problems and challenges too, then they’ll be strongly positioned to provide customers with a good experience each and every time. And each good experience builds trust in your privacy practices.
If you need a leg up on providing your staff with training that will give them the tools they need to serve your customers and stay in compliance, Red Clover can help. Contact them today for a free consultation.
To learn more about successful compliance, check out our eBook, Conquering Compliance: A Guide for Security and Data Privacy in the Era of SaaS.