Dissecting the New York Attorney General’s Guide on Safeguarding Against Unwanted Online Tracking

The Hidden Risks of Cookie Tracking

Ever noticed those pop-ups asking you to accept cookies when you visit a website? Saying ‘accept’ to these little text files might seem harmless, but they play a powerful role in how businesses interact with you online. Cookies keep you logged in, remember your shopping cart, and personalize your browsing experience.

However, they also raise significant privacy concerns. With the growing emphasis on data privacy in an increasingly digital world, understanding and managing cookie tracking has never been more critical for businesses.

Because here’s the catch: not all businesses are getting it right. Some are making serious mistakes that could not only erode customer trust but also land them in legal hot water. In this blog, we’ll dive into the common pitfalls businesses face with cookie tracking, the impact of New York’s consumer protection laws, and how you can ensure your website stays compliant while maintaining customer trust.

Why Cookie Tracking Matters to Your Business

Cookies are more than just bits of data; they’re essential to your website’s functionality and your business’s success. They enhance user experience, drive marketing strategies, and help you understand customer behavior. However, if mismanaged, cookies can also be a liability.

The recent scrutiny from the New York Attorney General’s Office (OAG) highlights just how crucial it is to get your cookie tracking and privacy controls right.

The OAG’s investigation revealed that many businesses, even high-traffic ones, fail to implement proper privacy controls. They found that on some websites, visitors were still tracked even after opting out, leading to broken trust and potential legal consequences. This is where businesses need to step up their game.

What You Need to Know: Common Cookie Tracking Mistakes

Uncategorized or Miscategorized Tags and Cookies

One of the most common issues is the mismanagement of cookie categories. Websites often use consent-management tools that allow users to enable or disable certain types of cookies. But if these cookies aren’t properly categorized or tagged, they won’t respond to user preferences, leading to unauthorized tracking.

Misconfigured Tools and Hardcoded Tags

Another frequent error is the misconfiguration of tools. Many businesses use both consent-management (which allows users to control what data they share and manage their consent preferences) and tag-management (which controls the deployment of tags that collect data on websites) tools.

But these need to be perfectly synced to work correctly. If not, cookies may remain active even when a user opts out. Additionally, some tags are hardcoded into the website, bypassing privacy controls entirely.

Over-reliance on Tag Settings

Businesses often rely on tag settings from third-party providers like Google or Meta, assuming these settings (which control how and what data is collected and used by tags on their websites) will automatically protect them from legal risks.

However, these settings may not be effective in certain states with strict privacy laws. In New York, this reliance can lead to unintended data collection and potential violations.

Dos and Don’ts for Privacy-Related Disclosures and Controls

According to the OAG, these are the Dos and Don’ts for providing effective disclosures and avoiding dark patterns that complicate easy-to-understand controls:

Do	Don’t
Use plain, clear language	Use large blocks of text that consumers are unlikely to read
Label buttons to clearly convey what they do	Use ambiguous buttons (e.g., clicking “X” in the corner of a cookie banner)
Make the interface accessible (e.g., allowing users to tab to privacy controls with a keyboard)	Use complicated language, including legal or technical jargon
Give equivalent options equal weight (e.g., “Accept” and “Decline” buttons of equal size, color, and emphasis)	Use confusing interfaces
	De-emphasize options to decline tracking
	Make it more difficult to decline tracking than to allow it (e.g., requiring more steps to opt out)

How to Do It Right: Best Practices for Cookie Tracking

Designate and Train Responsible Individuals

Start by designating a qualified individual or team to manage your website’s tracking technologies. Ensure they are well-trained and knowledgeable about your business’s privacy policies and the technologies you use.

Investigate and Understand Your Tags

Before deploying any new tags or tools, investigate what data they collect and how it’s used. Don’t hesitate to ask developers for information that might not be publicly available. This will help you avoid surprises and ensure compliance.

Proper Configuration and Regular Testing

Once your tools are set up, configure them correctly and test them regularly. Automated scanning tools can help identify issues, but manual checks are essential to ensure everything works as intended.

Review and Adjust Regularly

Technology and privacy laws are constantly evolving. Regularly review your tags and tools to ensure they are properly categorized and in sync with your consent-management tools. This proactive approach will help you stay compliant and maintain customer trust.

The Bottom Line: Complying with New York’s Consumer Protection Laws

In New York, your business’s privacy controls and disclosures must be truthful and not misleading. Ensure that your website’s privacy statements are accurate, and that your controls work as described. Avoid using confusing language or designing interfaces that mislead users about their privacy choices.

Protect Your Business and Your Customers

Privacy isn’t just a legal requirement; it’s a cornerstone of customer trust. Don’t let mismanaged cookies and broken privacy controls undermine your business. Audit your tracking technologies, refine your privacy controls, and ensure your website complies with all applicable laws today. Your customers—and your bottom line—will thank you.

From compliance to trust

As data breaches fill headlines and consumer skepticism is at an all-time high, the traditional view of privacy as merely a compliance requirement is rapidly becoming outdated. Privacy is growing. And it’s now a must-have for businesses.

Today, leading organizations understand that privacy is not just about meeting regulatory demands; it’s a strategic asset that can differentiate a brand and build deep, trusting customer relationships.

What caused this shift?

With the rise of technology and the internet over the past two decades, the amount of data available has exploded. Businesses recognized the potential to use this information to increase efficiency and profits.

And as technology use accelerated, regulators fell behind. In some companies, data protection and privacy fell by the wayside. But the enactment of the General Data Protection Regulation (GDPR) in 2018 ushered in a new era of privacy, where compliance was especially prioritized.

A positive privacy experience increases brand preference by as much as 43%.

Yet, in 2024, the tides have shifted again. Gone are the days when privacy was seen solely through the lens of regulation and compliance. Most of the population is protected under some type of data privacy regulation, and businesses have moved beyond privacy compliance to leveraging privacy as a differentiator.

For the second year in a row, TrustArc’s annual Global Privacy Benchmark survey reveals that ‘keeping brand trust’ was the top privacy goal for responding organizations. The report also highlights ‘risks to reputation and trust’ as the second highest privacy risk.

Consumers have also gotten savvier. Now, privacy is a pivotal point of customer experience, with a positive privacy experience increasing brand preference by as much as 43%. This dramatic shift signifies that customers are interested in the end product and the ethics and practices of the companies they engage with.

Companies like Apple are using this shift to their advantage. For example, Apple is known for championing user privacy. It encrypts all data stored on its devices and has a strict policy against collecting and sharing user data without explicit consent. And it focuses on educating consumers about how companies use their data and what options they have to protect it.

34% of consumers will switch companies after one suffers a data breach.

The standard has changed. B2B and B2C consumers expect businesses to be deeply committed to data protection and privacy. In fact, 34% of consumers will switch companies after one suffers a data breach.

The obscurity of trust and safety information

However businesses are running into a problem. Many companies’ policies, notices, communications, cookie banners, etc., aren’t building trust—they’re doing the opposite.

You can’t use privacy to build trust if your policies, notices, disclosures, overviews, and communications are scattered, outdated, and too hard to understand. From managing personalized data privacy preferences to real-time notifications about policy changes, customers want a better solution.

As technology advances and data becomes more valuable than ever, the importance of privacy and transparency will only grow. It’s no longer enough for organizations to simply comply with regulations and meet minimum requirements; they must prioritize building trust with their customers through transparency.

What is a unified Trust Center?

A Trust Center is more than a website or a section on a company’s page. It’s a comprehensive, centralized, virtual space where organizations transparently share privacy, legal, compliance, and security information. These centers demonstrate an organization’s commitment to safeguarding data and respecting user rights, showcasing everything from security reports such as SOC 2 and privacy certifications (e.g. TRUSTe Responsible AI Certification) to real-time updates on policy changes.

TrustArc’s Trust Center exemplifies this evolution, offering a seamless blend of brand elements that reinforce trust while managing all front-facing trust and safety information efficiently. By enabling organizations to update documents instantly and toggle between public and private settings, Trust Centers have become dynamic tools that reflect an organization’s live commitment to trust and safety.

It serves as a hub for consumer engagement, answering critical questions about a company’s privacy policies and practices. It has become a standard tool for managing trust content – crucial for organizations that uphold trust as a core brand value.

The ability to quickly provide stakeholders with easy access to privacy and security information streamlines workflows and drives tangible ROI through enhanced consumer relationships.

Unified Trust Center development

While building a unified Trust Center will vary depending on the organization, below is an example of what’s included in the process. For most organizations this takes at least three months and requires cross-collaboration between many stakeholders including privacy, security, legal, compliance, IT, marketing, and web development.

1. Strategic Planning and Vision:

Identify the trust center’s primary goals and determine its target audience and their specific needs. For example, simplify how the organization communicates and manages all trust and safety information, including privacy, security, legal, compliance, and product. The target audience includes consumers, regulators, and business partners or vendors. Establish a leadership team to oversee the project, align stakeholders, and assign roles and responsibilities.

2. Data Security and Privacy Notices and Policies:

Create or locate your data security and privacy notices and policies that adhere to applicable standards and regulations. Develop an internal audit of content and methods for easy maintenance of content updates.

3. Infrastructure and Technology:

Working with your organization’s information technology and security teams, establish a secure IT infrastructure with advanced security measures, secure data storage solutions, and backup mechanisms. Choose appropriate platforms for the Trust Center’s content management and website development.

4. Content Development:

Design a clear and intuitive information architecture for the Trust Center. Organize content into logical sections such as security, legal, privacy, and transparency/availability. Develop all necessary detailed documents including policies, procedures, certifications, and FAQs. Plan to update this content regularly to reflect the latest practices and updates.

5. Compliance and Certification:

If you haven’t already, consider obtaining relevant security and privacy certifications to display prominently on the Trust Center. Conduct regular audits and address their findings promptly and updated practices as needed.

6. User Experience and Design:

Design the Trust Center with a focus on usability and availability. Test the website’s responsiveness and be sure it works well on various devices and browsers. Incorporate interactive features like compliance reports, self-service portals, and customer support options. Provide tools for customers to assess your compliance and security posture and make individual rights requests.

Keep in mind that poor management of individual rights requests and a subpar user experience can undo the benefits of spending millions on building positive customer sentiment.

7. Continuous Improvement and Monitoring:

Implement tools to monitor the Trust Center’s performance, security, and user engagement. Use analytics to understand user behavior and improve the Trust Center continuously. Establish channels for user feedback and incorporate relevant suggestions into the Trust Center. Regularly review and iterate on your Trust Center based on user needs and industry trends.

8. Communication and Training:

Ensure all stakeholders know their roles in maintaining the Trust Center. Develop a communication plan to promote the trust center to customers and partners. Use various channels to keep stakeholders informed.

9. Incident Response and Management:

Have a clear process for reporting security incidents to customers. Provide timely updates and detailed reports on incidents and resolutions in the Trust Center.

10. Documentation and Reporting:

Gather detailed records of all security measures, compliance activities, and audit results. Be sure this information is easily accessible and current.

Aligning all stakeholders to plan and build a homegrown Trust Center is no easy task.

Not to mention, the build and continuous updates take away time from marketing and web development, costing between $15,000 and $30,000. It also takes weeks and months to build and maintain it (e.g., updating a policy or adding a downstream vendor).

There’s also an enhanced compliance risk to consider as legal and security teams will often need to wait several weeks for their updates to be implemented into the platform.

Don’t Create, Use Trust Center by TrustArc

The transition to viewing privacy as a trust-building tool represents an organizational cultural shift. TrustArc’s no-code Trust Center embodies this change, centralizing privacy, security, legal, and availability workflows, thereby enabling organizations to manage their front-facing trust efficiently.

As privacy regulations continue to evolve, so will the importance of trust and transparency in business practices. Organizations that strategically invest in building a strong Trust Center now will position themselves for long-term success as customer expectations shift towards increased privacy protection.

Creating a modern trust and safety hub like TrustArc’s unified Trust Center empowers core teams, setting up in minutes without the need for coding, and seamlessly blending brand elements into the Trust Center to reinforce trust. This approach enhances efficiency and showcases an organizational commitment to trust and safety by centralizing all relevant information.

The evolution of privacy from compliance to trust is an ongoing process, but embracing this shift can benefit businesses and consumers significantly.

By prioritizing transparency and investing in a comprehensive Trust Center, organizations can build strong customer relationships based on trust and ethical data practices. This will set them apart in a crowded marketplace and foster long-term loyalty and support, as privacy remains a crucial concern for individuals worldwide.

So, the message is clear- make sure your organization has a robust Trust Center in place to reduce reputational and legal risk, while achieving trust by demonstrating your commitment to privacy.

With more alternatives than ever, trust is paramount for business today. Consumers on all sides of the transaction prioritize organizations that are transparent, honest, and reliable. Across every transaction multiple layers of trust coincide.

As a consumer, you trust that a product or service is accurately described and of the quality you expect. If you’re making an online purchase, you trust that the business will, in fact, ship the product after receiving your payment. And your trust also extends to how the organization protects the information you share with it during the transaction.

In a business-to-business environment, you trust that the vendor will meet your needs and provide adequate service levels throughout the relationship. You also trust that your partner will adhere to the terms of your contract regarding proprietary information and company data. Similarly, you must trust that they hire trustworthy people and select other trustworthy vendors for their business.

Every employee in every business has a role to play in building trust inside and outside the organization. Especially the privacy, security, legal, compliance, marketing, and communications teams. These functions are responsible for having accurate information, such as privacy notices and customer-facing policies, available on the organization’s website.

The current state of trust management

Think about how things are run in your company. There’s the Privacy team, the Legal folks, Information Security pros, Compliance officers, the Marketing crew, and the Web Development team. Each group holds a crucial piece of what makes customers trust a company. But they’re often doing their own thing, making it tough to create a united front for earning customer trust.

When efforts and content is scattered, building trust with external stakeholders like customers and partners can fall short. Things like updating privacy policies are important, but if they’re just one-off tasks, they don’t add up to a big picture of trust.

A PWC report found that 24% of bosses say that not having a clear “trust boss” is a big roadblock.

That means there’s a huge opportunity being missed to work better and see real benefits from building trust.

What’s needed is a big shake-up in how companies approach trust. It’s about bringing all external-facing trust and safety information (e.g. legal terms, policies, security disclosures, compliance overviews, subprocessor disclosures, and more) together under one roof. Companies can make a real shift by aligning every action and decision with a clear plan and common goal.

The future of trust involves everyone moving together towards making customers feel secure and valued. That’s how you turn the act of building trust into something that not only feels good but also pays off.

The demand for a unified online hub

The amount of data created online daily is exploding. At the same time, privacy laws are getting stricter, and compliance is becoming more time-consuming. And have you seen the new AI regulations on the way?

On top of regulations are consumer demands.

A staggering 72% of people emphasize the importance of knowing a company’s AI policy before purchasing.

Legal, privacy, compliance, security, and marketing teams are burdened with keeping customer-facing policies, privacy notices, legal terms, compliance updates, overviews, and disclosures current. Likewise, expecting consumers to navigate too many “legal” links can be problematic for a good user experience.

This situation calls for something super handy: a one-stop online hub. You might have heard them called Trust Pages, Privacy Pages, Security Trust Centers, or Trust Portals. Despite the different names, their purpose is unified—to build trust by showcasing your organization’s commitment to all things trust and safety in a clear and easily available manner.

Think of it as a central station where customers can find everything they need to feel safe and informed. Policies? Check. Security details? Got it. Want to know about data handling or give your consent? It’s all there. Even system updates and legal stuff are included.

Plus, this hub makes it easy for everyone to use their privacy rights without a hassle. It’s about keeping things clear, secure, and user-friendly.

This hub is a unified, no-code Trust Center. It’s designed to consolidate fragmented data privacy, security, availability, and legal elements and operations into a unified platform, simplifying how organizations communicate and manage all trust and safety information . So you can easily demonstrate your commitment to data protection.

The storefront of your organization’s data governance practices

A Trust Center is a window into how you manage and protect customer data. It allows users to exercise individual rights, see your privacy certifications and policies, and access any compliance information like regulatory attestations and subprocessor lists.

It’s an interactive section of your website that’s constantly updated. One of the key features of Trust Centers is their user-friendliness. They should be easy to navigate, ensuring users can find needed information easily.

The Trust Center spectrum – Security, privacy, legal, and homegrown solutions

As the digital landscape evolves, Trust Centers have also advanced. Our latest count identifies over 15 different types of platforms; each offering varied capabilities, from standalone automated solutions to integrated systems within broader compliance frameworks.

This diversity means you have options. And you should carefully consider the tools to select the right one for your organization’s unique needs.

The future of trust management: The unified Trust Center

Welcome to the new age of trust management, where we’ve revolutionized the concept of Trust Centers. Our innovative approach combines everything – Privacy, Legal, Security, Compliance, and Product status – into one powerful, cohesive product. Here’s how it works:

• Privacy: Ensures all privacy documents, like policies and disclosures, are updated in line with global regulations.
• Legal: Keeps your organization ahead of legal and regulatory changes significantly reducing compliance risks.
• Security: Easily share important security documents – certifications, SOC reports, and encryption policies securely. Cuts down on incoming questionnaires and speeds up your sales process.
• Product Status: Offer real-time updates on product status and system availability, crucial for upholding Service Level Agreements.

We’re putting the power back into the hands of those who manage legal, security, compliance, and privacy matters. By doing so, organizations can cut down on marketing and development costs while staying compliant in real-time and slashing legal, reputational, and compliance risk.

But what’s in it for you besides cost savings and boosted team productivity? Plenty:

Empower Your Customers: Allows customers and vendors to take control, easily accessing and managing their data. This self-serve model amps up your trust credentials.
Meet Modern Trust Demands: Whether you’re dealing with B2B or B2C clients, our unified Trust Center meets today’s trust challenges head-on, efficiently and effectively.
Boost Trust Perception: When people can see your privacy policies and security measures clearly, they feel safer. It’s all about building confidence.

TrustArc Trust Center isn’t just for the privacy and legal eagles. We’ve designed it to support security, compliance, GRC, marketing, web development, and even product/IT teams. The result?

A smooth, hassle-free user experience that not only demonstrates your commitment to trust but also aligns with your brand values and supports scalable business growth.

In this era, trust is everything. And with a unified Trust Center, you’re not just keeping up; you’re leading the way.

Most for-profit businesses that collect personal information about consumers in California must implement and demonstrate CCPA compliance.

Although enforcement began on July 1, 2020, many organizations are still implementing processes for compliance.

Best Practices to Address Consumer Requests Under CCPA

A major factor for those seeking to comply is implementing a process for managing consumer requests under CCPA – similar to data subject access requests under GDPR.

Noncompliance with these guidelines can result in significant penalties and fines.

The California Consumer Privacy Act (CCPA) gives consumers the right to request a business disclose what personal information it holds about them, plus related rights to have that information deleted and to opt-out or opt-in to having information collected, shared, or sold.

CCPA Requests to Know or Delete

Methods for submitting requests to know

Businesses must provide two or more designated methods for submitting requests to know, including a toll-free telephone number (the minimum requirement).

If the business operates a digital property, it must provide an interactive web form accessible through its website or mobile application.

Methods for submitting requests to delete

Although the CCPA regulations do not prescribe a particular method for submission of requests to delete, at least one method offered must reflect the main communication methods between the consumer and the business, such as a webform, email or phone number.

For more information, see Section § 999.312.

Requests to access or delete household information

The definition of personal information under the CCPA includes information that could reasonably be linked with a household.

Therefore, requests to know, delete and opt-out may involve personal information not only of individual consumers, but also other consumers living in the same household.

The CCPA regulations attempt to address this by balancing individual and group privacy rights.

Businesses are allowed to respond to a request to know or to delete related to household personal information by providing aggregate household information, subject to verification, rather than individualized personal information.

If individualized personal information is requested, it may only be disclosed if the business can accurately verify all the members of the household individually.

The rules qualify this with the condition where a consumer does not have a password-protected account with a business, to make sure there is no disruption to procedures for accessing personal information a business may have for account holders of password-protected accounts.

Responding to Requests to Know and Delete

Business must meet the following CCPA requirements when responding to requests to know and delete.

Confirm receipt within 10 days of receiving these requests. Confirmations may be automated, but they must describe the business’s verification process and when the consumer should expect a response

Responses to requests to know or to delete must be provided within 45 days beginning on the day that business receives the request, regardless of time required to verify the request.

If more time is needed to deliver an accurate response, then the business must give proper notice and a valid explanation for the delay.

The rules state that if there is a delay, the response to a request must be completed within a maximum total of 90 days from the day the request is received.

Special considerations for requests to delete

Requests to delete can be handled in three different ways to meet CCPA compliance requirements:

1. Permanently and completely erasing the personal informal from existing systems (note: delays are allowed for archived or back-up systems, provided the personal information is deleted the next time these systems are accessed or used)
2. De-identifying the personal information or
3. Aggregating the personal information.

For any response to a request for delete, a business must specify how it has deleted the personal information and keep a record of the request.

Separately, the rules clarify that deletion requests should be a two-step process: consumers must first submit the request to delete and then separately confirm their desire for all consumer identifiers (PI) to be deleted.

CCPA Definitions and Requirements for Service Providers

Section § 999.314 of the CCPA regulations addresses several concerns raised by the public about what organizations qualify as service providers.

This is an important issue, as the CCPA does not classify personal information used by or shared with a service provider to perform a business purpose as a sale.

The CCPA defines a service provider as a for-profit legal entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.” (Civil Code, § 1798.140, subdivision (v)).

The CCPA regulations clarify the definition of a service provider as:

• A person or entity providing services to a person or organization that is not a business as that term is defined in Civil Code Section 1798.140, subdivision (c), but otherwise meets the requirements of a service provider, shall be deemed a service provider for purposes of the CCPA
  • Entities that process personal information on behalf of non-profit and government entities are service providers, even though the non-profit and government entities are not subject to the CCPA, and
• A person or entity that collects personal information directly from a consumer on the business’s behalf that otherwise meets all the other requirements of a service provider, will still be considered a service provider
  • Despite the CCPA definition of service provider referring to an entity “to which the business discloses a consumer’s personal information.

The CCPA regulations note that a service provider’s use of personal information collected from one business to provide services to another business would be outside the bounds of a necessary and proportionate use of personal information, as it would be advancing the commercial purposes of the service provider rather than the business purpose of the business.

However, there is now an exception in the CCPA regulations to allow some use of personal information to the extent necessary to detect data security incidents or protect against fraudulent or illegal activity.

The CCPA regulations also address the situation where a service provider may not be contractually allowed to disclose or delete the personal information it handles on behalf of businesses.

In such cases service providers are required to respond to a consumer’s disclosure or deletion request by:

• Explain the basis for the denial of the request
• Directing the consumer to the business in control of their information and
• When feasible, giving the consumer the contact information for the business in control of their information.

Note: an organization that acts as both a business and as a service provider under the CCPA is required to comply with CCPA and the CCPA regulations relating to any personal information it collects, maintains, or sells outside of its role as a service provider.

Methods for Submitting Opt-out Requests

Consumers can tell a business ‘do not sell’ personal information by submitting an opt-out request, which directs a business that has previously sold their personal information to stop selling it.

A consumer’s right to opt-out must be reinforced by:

Providing two or more methods for submitting requests to opt-out, including a conspicuous do not sell my personal information message (or similar words) on the business’s homepage which links to an opt-out request form; a toll-free number, a designated email address, or a form that can be submitted in person or via post.

And honoring a consumer’s opt-out decision by no longer selling their personal information for 12-months, along with a 12-month requirement to not request them to opt back in.

Businesses are allowed to give consumers granular opt-out options, such as for sales of certain categories of personal information, but only if a global option to opt-out of all the collection and sale of personal information is more prominently presented than the other choices.

The CCPA regulations also describe other ways consumers may signal or communicate their choice to opt-out of the sale of their personal information, such as user-enabled privacy controls, such as the Global Privacy Control signal (GPC).

Business must treat these signals as a consumer exercising their right to opt-out.

Business must meet the following CCPA requirements when responding to Requests to opt-out:

• Act on a request for opt-out no later than 15 days from the date the business receives the request
• Notify all third parties to whom it sold the consumer’s personal information in the last 90 days before the opt-out request was made and instruct those parties not to sell the personal information
• Notify the consumer when the do not sell instruction has been completed.

The rules also clarify that opt-out requests, unlike requests to know and requests to delete, need not be verified.

Managing Requests to Opt-in

The CCPA regulations rules for requests to opt-in are like those for requests to delete: consumers must first submit the request to opt-in and then separately confirm their choice to opt-in.

Where the sale of personal information is a condition of completing a transaction, but the consumer has already opted-out of the sale of their personal information, a business must:

• Inform the consumer they have previously opted-out and
• Give clear instructions on how the consumer can opt-in.

Note, opt-in requests can be actioned even if the required 12 month period (to abstain from requesting the consumer opt back in) has not passed.

Security Considerations

The CCPA rules address several key security concerns related to not disclosing specific pieces or even categories of personal information:

• When the consumer’s identity cannot be verified by the business
• Where disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, a consumer’s account or the business’s systems or networks
• Business must never disclose a consumer’s Social Security number, driver’s license number, other government-issued IDs, financial account number, health insurance or medical ID number, account password, or security questions and answers
• In any event, CCPA Section 1798.150 states that businesses must use reasonable security measures when transmitting personal information to the consumer and reasonable data security controls when disclosing personal information through a consumer portal.

Are You Ready for the CPRA Amendment to CCPA?

The California Consumer Privacy Act (CCPA) gives consumers several privacy rights and more control over personal information collected by businesses.

It became effective on January 1, 2020, and was then amended with new rules by the California Privacy Rights Act (CPRA), which became enforceable by the California Privacy Protection Agency on July 1, 2023.

This technical brief focuses on requirements under CCPA regulations for businesses to support California consumers’ privacy rights and act on data subject access requests from consumers when they want to exercise their CCPA rights.

We recommend you read TrustArc’s California Consumer Privacy Act (CCPA) Compliance Checklist first to understand compliance requirements, such as making sure consumers can easily access your updated CCPA rights notices.

Summary of California Consumers’ Privacy Rights

The California Consumer Privacy Act regulations (including rules as amended by CPRA) give California consumers several types of rights designed to address privacy concerns:

• Right to know what personal information a business collects, discloses, and/or sells through a data subject access request – and after exercising that right, consumers have two ways to regain some control of records of their personal information: the right to delete and right to correct.
• Right to limit the use and disclosure of sensitive personal information collected about them by a business.
• Right to opt-out from allowing their personal information to be shared or sold by a business to any other business.
  Note: to streamline privacy rights management, organizations must get consent to share/sell personal information from California consumers before they can collect this data.
• Right to opt-in to having their personal information sold. For adults, this right is mostly exercised after they have previously exercised the right to opt-out via a consent mechanism.
  However, for minors (under 16 years old) consent/opt-in to sell personal information must be authorized first, before any information is collected with the intent to sell. If a minor is aged 13 to 16, they can authorize consent themselves (or their parent/guardian can on their behalf), but if they are less than 13 years old consent must be authorized by their parent or guardian.

Technical Requirements for Managing Consumer Consent

When CCPA was signed into law in California on June 28, 2018, by then governor Jerry Brown, assemblymember Ed Chau, who had worked on amendments to California’s data privacy legislation, reiterated the explicit intent of the landmark privacy law:

“Consumers should have a right to choose how their personal information is collected and used by businesses. It is your data, your privacy, your choice.”

The California Code of Regulations article 1 general provisions on consumer consent under CCPA state businesses must make it easy for Californians to exercise their right to give or withhold consent for use or sale of their personal information.

Note: businesses must offer two or more methods for consumers to opt-out of the sale of their personal information.

Essential technical task: Design and implement methods for submitting CCPA requests and obtaining consumer consent that are easy to understand and offer symmetry of choice.

Making Privacy Choices Easy to Understand

The first requirement – ‘easy to understand’ – means the text appearing on a banner, pop-up or disclosure notice must be easy to read and in plain language to help consumers make an informed choice about giving or withholding consent for your business to collect and sell their personal information.

Offering Genuine Symmetry of Choice

The second requirement – ‘offer symmetry of choice’ – means when customers choose to exercise ‘a more privacy-protective option’, such as opting-out of having personal information sold, the methods supporting this choice must not take more time or more click-throughs than the methods supporting consent.

For example, ‘yes’ and ‘no’ buttons give consumers equal choices when recording their privacy preferences, whereas ‘yes’ and ‘ask me later’ buttons skew the choice to consent, because if the customer clicks the later, this implies the business will continue to seek consent (opt-in) until it’s given.

Similarly, the regulation prohibits any technical or design impairments to opting out from sale of personal information or submitting a data subject access request. Examples of technical impairments include:

• Unnecessary click-throughs or scrolls to find the mechanism for exercising privacy rights
• Broken links to access information relevant to privacy rights, including mechanisms for exercising those rights
• Any activity that makes it difficult to find and/or read information about why, how and where a business collects, discloses and/or sells personal information
• Email addresses that lead to unmonitored inboxes
• Mechanisms that put consumers into a holding pattern, such as forcing them to wait unnecessarily on a webpage while the business processes a request and/or confirms a privacy choice has been actioned.

Consent Management Technology

TrustArc Customer Consent Preference Manager gives businesses a sophisticated technical toolkit to personalize customer experiences at scale across all digital touchpoints, while ensuring compliance with CCPA and other privacy regulations. It supports:

• Customer choice – a single location for customers to view and update their preferences, which accurately manages consent preferences by automatically synching them across all channels.
• Data privacy compliance – a centralized privacy regulation compliance platform that is simple to implement, integrates with 500+ industry platforms, including Salesforce, HubSpot, and Marketo, and gives ready access to essential forms and reports for legal and marketing teams.

TrustArc Cookie Consent Manager is a configurable software platform giving businesses the tools to implement, manage, and report on cookie consent activities across all domains in all countries.

TrustArc Cookie Consent Manager Advance offers streamlined methods for setting up and managing complex processes, including:

• Support for compliance with EU and CCPA-related IAB Transparency & Consent Framework Policies
• Customised website scanning
• Customised scan support (such as control via login)
• Auto-detection of customers’ Global Privacy Control (GPC) settings to simplify CCPA compliance with this alternative method for customers to signal “Do not sell or share or share my personal information”.

For more information about GPC, read our article: What is Global Privacy Control and Why is it Such a Hot Topic?

Technical Requirements for Managing Data Subject Requests

Like the General Data Protection Regulation (GDPR), CCPA gives individuals (aka ‘data subjects’) the right to know along with the right to delete content of personal data records the business holds related to them.

When a consumer makes a data subject request the business must address it within the following timeframes:

• Less than 10 days – verify the person making the request (whether exercising their rights to know, correct and/or delete) is the consumer about whom the business has collected personal information.

For more information on what is expected in this verification process, read the California Code of Regulations article 5, 7060. General Rules Regarding Verification.

• Up to 10 days – confirm receipt of the request in writing (this can be an automated response), with information about the verification process and an expected timeframe for a response.
• Up to 45 days – respond to the request accurately. If the work required to address the request accurately (including locating, consolidating and/or deleting records) can’t be completed in this timeframe, the business must communicate a valid explanation for delaying the response to the consumer.

For detailed information on managing these processes, we recommend reading our article How to Handle Consumer Requests Under CCPA.

Once the business has collected all the information it needs to accurately respond to the consumer who made the request, it must provide the consumer with the following:

• Copy of records of personal information collected by the business
• Categories of personal information collected, processed, disclosed and/or sold
• Purpose/s for collecting and processing, disclosing and selling personal information
• Source/s of the personal information held by the business if this data wasn’t directly collected from the consumer via interactions with the business (for example, the business bought their data)
• Planned data retention timeframe/s
• Explanation of methods used during automated decision-making, such as profiling
• For the right to delete requests, explanation of how the business managed this deletion process.

Individual Rights Management Technology

TrustArc Individual Rights Manager gives businesses a robust and scalable platform for fulfilling data subject requests efficiently and accurately, including built-in compliance with CCPA and other data privacy regulations.

Individual Rights Manager automates essential processes such as:

• Auto-assigning tasks to people within the business responsible for systems, processes and departments based on the type of request, customer persona, jurisdiction and brand/s – and following up with automated reminders (such as Jira tickets) to complete tasks within regulated timeframes.
• Verifying the person making the request is in fact the consumer about whom the business has collected personal information – this process can be conducted via automated email, capturing a selfie with the person’s permission or a verification process managed by a third-party vendor.
• Populating a dashboard with updates tracking progress on active requests, calculations of median completion times for closed requests and other information needed for compliance-ready reports.

Individual Rights Manager also streamlines CCPA compliance by providing:

• Logic-based templates that can be personalized and branded to help build consumer trust. These templates include customizable intake forms and landing pages.
• Integration with TrustArc’s Nymity Privacy Compliance Software Research and Alerts to ensure the business is kept up-to-date with changes in privacy regulations and best practices for managing compliance.
• Rapid API integration to accelerate and streamline processes to comply with data subject requests, such as connecting, updating and/or deleting personal information records across multiple systems.

Access More Information from TrustArc About CCPA Regulations and Compliance

This CCPA technical brief is part of a series of briefs by TrustArc experts on the California Consumer Privacy Act, which includes a background brief, a summary of the main rules, a compliance checklist, and expert commentary on CCPA implications.

In the wake of GDPR, law firm Squire Patton Boggs reported a “sharp increase” in the number of UK residents who initiated data subject access requests (DSARs), fulfilling the same number of DSARs in the first five months of 2019 as they’d handled during the entire year of 2018.

CCPA data subject requests (DSRs) will likely have the same effect on California-based organizations. With a 45-day deadline for fulfillment, companies that don’t implement automated DSR fulfillment are at an increased risk of Denial of Service (DoS) attacks.

How Are Denial of Service Attacks Performed?

DoS attacks happen when legitimate users are unable to access information systems, devices, or other network resources due to cyber criminal activity that floods a host or network with traffic until it cannot respond or simply crashes, preventing access to email, online accounts, and websites.

These attacks disrupt a company’s online presence by keeping its web servers so busy with network requests that they cannot load web pages or Internet resources, costing organizations time and money. In contrast, their resources and services are inaccessible.

A DoS Attack Can Happen When a Company is Inundated with DSRs

It overwhelms the CSR and IT staff, who are forced to respond to requests manually and eventually reach a breaking point in which the company can’t safely respond to requests within the required timeline.

With CCPA right around the corner, there’s no time like the present to start thinking about your company’s plans to circumvent DoS attacks and streamline DSR processes.

According to the new regulations the process must now include identity verification prior to fulfilling each request.

Technology can help teams automate manual processes, which helps save time and promote consistency.

But it’s important for businesses to be aware of potential DSR threats like DoS attacks that can jeopardize fulfillment and result in both frustration and noncompliance.

Lessons Learned from GDPR

Many companies started preparing for GDPR by hiring lawyers and consultants to conduct privacy impact assessments (PIAs), data mapping, understanding workflows, manually surveying data sets, and introducing internal guidelines.

These steps were certainly helpful and necessary, but because the work had to be applied to multiple sets of data repositories, companies found they were duplicating efforts over and over.

Operationalizing CCPA with automation requires companies to leverage existing IT security tools and systems (e.g., SIEM, ticketing, data governance).

Thus, it’s critical to get buy-in from CTOs, CISOs, CPOs, and data governance teams from the beginning in order to execute processes correctly the first time.

Taking the time to prepare and automate DSR fulfillment processes can help mitigate the onslaught of DSRs, which result in DoS attacks.

GDPR Rights of the Data Subject

GDPR Chapter III, Rights of the Data Subject outlines the requirements. Article 12 through Article 23 cover areas such as Article 17 – Right to erasure (‘right to be forgotten’), which has been the hot topic of discussion.

Questions such as What if my company doesn’t have the technology to read that data anymore? have left privacy teams stumped.

You can get started in answering this question by following these steps:

• Ensure fundamental understanding of what data you process.
• Establish a process to intake requests (one that is easy on the individual and ensure this process is well-communicated throughout the organization.
  • A request may come in from many routes and the person receiving that request needs to understand that a request is being made. Individuals typically won’t understand or use the exact verbiage in the law).
• Once the request is received, have a process to review it, evaluate the data referenced, the reasons for processing the data, and evaluate any exceptions.
• Have a response process.
• Have an appeals process that goes beyond the individual whose request was denied.
• Retain documentation throughout the process.

Coordinated Data Subject Requests

Through the use of social media, online networking platforms, and other less obvious sources, many data subjects can quickly and easily coordinate to submit DSRs on behalf of people who may or may not exist, all at the same time.

The most recent example of this was executed under GDPR law, when Blizzard Entertainment stripped the World of Warcraft Tournament Champion of his title after publicly claiming support for Hong Kong protesters, which triggered the gaming community.

Multiple gaming sites, and even Reddit posts like this, instructed angry gamers who were upset with Blizzard how to exercise their rights under GDPR Article 15.

The weaponization of DSRs quickly caught on, and led to an influx of requests that was very difficult for Blizzard to manage.

Even for large organizations with robust processes and automated systems for managing DSRs, such a large number of coordinated requests are likely to have a lasting impact.

Attacks tend to cause an excessive and manual workload by clogging automated systems with complicated requests.

Not limited to large corporations, the coordinated DSR attacks will actually do more harm to smaller businesses that don’t have the resources to deal with the tidal wave of requests.

But it’s important to note that even moderate levels of DSR traffic can overwhelm organizations if they’re not properly prepared.

Automated DSR Fulfillment Recommendations

The first step is to build an effective intake form for DSRs that are visible, have predefined requests that the data subject can select from, and can be automated to fulfill requests quickly.

Automation tools also exist that can help businesses centralize requests in a single dashboard, automate notifications, track deadlines, and establish processes for individuals who are involved in each step of the workflow.

The second step is to ensure that identity verification techniques, congruent with the sensitivity of the data being requested, are prominently integrated at the very beginning of the DSR process.

This action alone can weed out bad actors and bots attempting to flood business systems with requests.

The more sensitive the data being requested (think: banking, insurance, healthcare, etc.), the higher the verification assurance should be for those submitting requests.

When it comes to preventing DoS attacks, manual DSR processes that require personnel to scan hundreds of systems for every request will not cut it. It’s a big data problem.

Often in the DSR fulfillment process duplicate data sets are the primary culprits for exposure of sensitive data to unnecessary parties.

Tips to Automate DSR Fulfillment

• Avoid creating additional copies of customer data
• Reduce PI surface area
• De-identify but beware of toxic combinations
• Comply with privacy and security-by-design principles
• Prepare for a data subject request DoS attack
• Respond to Data Subject Requests Faster

Individual Rights Manager can help your company with GDPR compliance with regard to individual data protection rights.

This comprehensive 3-in-1 solution combines proven technology with specialized content developed by our privacy experts, and consulting help if needed.