Upon receiving an opt-out request, the business may no longer sell that consumer’s personal information unless they subsequently receive express authorization from the consumer to re-engage in the sale; however, the opt-out must be respected for at least 12 months before a business may request authorization.
Sale of Children’s Personal Information
The CCPA also includes a general prohibition on the sale of personal information of children without prior affirmative authorization. Specifically, businesses may not sell personal information of consumers where there is actual knowledge that those consumers are below age 16, unless the business has: a) received affirmative authorization from the child for children between 13 and 16; or b) received affirmative authorization from the parent or guardian for children below 13.
Right of Deletion
Consumers also may request deletion of any personal information collected about them by the business, and upon a verifiable consumer request, the business must delete the information from its records, and must direct service providers to do the same. Of course, like the GDPR, the CCPA includes a long list of exceptions to the right of deletion, including the need to comply with a legal obligation, or for security reasons, or to complete a transaction for which the information was collected.
Obligation not to discriminate against consumers who have exercised their rights
Businesses also are not allowed to discriminate against consumers who have exercised any of the above rights, for example, by denying goods or services; charging different prices or rates, including through discounts, benefits or penalties; providing different level or quality of goods or services; or suggesting that the consumer will receive a different price, rate, level or quality. There is one caveat to this, however, and this where the difference in service is reasonably related to the value provided to the consumer by the consumer’s data. Additionally, the Act clarifies that it is acceptable for businesses to offer financial incentives to consumers in exchange for the collection, use or sale of their personal information, as long as it is within certain parameters (they cannot be “unjust, unreasonable, coercive or usurious”).
At this point it is clear that the CCPA and the GDPR overlap in the areas of data subject rights, and that there are tools out there that can support both. However, what is less apparent are the other areas of operational overlap with the GDPR that organizations take advantage of in preparing for the CCPA.
Many organizations have viewed the building of records of processing as the first step in privacy compliance efforts, as doing so can serve as a foundation for tackling a multitude of obligations across frameworks (not only GDPR Article 30). This work can and should be leveraged for purposes of CCPA compliance, as it is imperative to identify the personal information that your organization processes, as well as where those data subjects are located. Knowing this will help you identify which laws are triggered by a data subject request (e.g., CCPA versus GDPR) and what your obligations are.
Operationally, up-to-date records of the above information will need to be kept in order to adequately respond to a request for information. One of the first places that we see many of our customers at OneTrust go to is building a data inventory, which becomes instrumental in properly handling data subject rights. Tools for managing data subject requests can help streamline the intake, management and fulfillment of requests, and in combination with a data map or data inventory, can ensure that requests are handled efficiently and accurately.
Create Standard Operating Procedures (SOPs)
If you dig in to your organization’s data subject request workflow, odds are you will find that the workflow is not contained within any single part of the organization—there are multiple different collection points and public-facing areas where data subjects interact with the organization, and different teams that a request touches before the request can be fulfilled.