The California Consumer Privacy Act (CCPA) gives consumers several privacy rights and more control over personal information collected by businesses.
It became effective on January 1, 2020, and was then amended with new rules by the California Privacy Rights Act (CPRA), which became enforceable by the California Privacy Protection Agency on July 1, 2023.
This technical brief focuses on requirements under CCPA regulations for businesses to support California consumers’ privacy rights and act on data subject access requests from consumers when they want to exercise their CCPA rights.
We recommend you read TrustArc’s California Consumer Privacy Act (CCPA) Compliance Checklist first to understand compliance requirements, such as making sure consumers can easily access your updated CCPA rights notices.
Reduce risk by engaging a TrustArc consultant for a CCPA assessment, who will lead you through our three-step CCPA Compliance Review Methodology:
Step 1: Assess compliance and identify gaps that need addressing
Step 2: Develop a remediation action plan, including a heat map of risks, with recommendations on the effort, schedule and budget needed to address gaps
Step 3: Build consensus across the business and implement and maintain a comprehensive CCPA compliance program.
Summary of California Consumers’ Privacy Rights
The California Consumer Privacy Act regulations (including rules as amended by CPRA) give California consumers several types of rights designed to address privacy concerns:
- Right to know what personal information a business collects, discloses, and/or sells, exercised through a data subject access request. After exercising that right, consumers have two ways to regain some control over the records of their personal information: the right to delete and the right to correct.
- Right to limit the use and disclosure of sensitive personal information collected about them by a business.
- Right to opt-out from allowing their personal information to be shared or sold by a business to any other business.
Note: for adults, CCPA does not require opt-in consent before personal information is collected or sold; the business must give notice at or before collection and must honor the consumer's opt-out. Opt-in consent is required only before selling or sharing the personal information of consumers under 16 years old (see the next right).
- Right to opt-in to having their personal information sold or shared. For adults, this right mainly comes into play after they have exercised the right to opt-out: once a consumer has opted out, the business may not ask them to opt back in for at least 12 months.
However, for minors (under 16 years old) the sale or sharing must be affirmatively authorized first, before the business sells or shares any of their personal information. If the minor is at least 13 and under 16, they can authorize it themselves (or their parent/guardian can on their behalf); if they are under 13, authorization must come from their parent or guardian.
Technical Requirements for Managing Consumer Consent
When CCPA was signed into law in California on June 28, 2018, by then-Governor Jerry Brown, Assemblymember Ed Chau, who had worked on amendments to California's data privacy legislation, reiterated the explicit intent of the landmark privacy law:
“Consumers should have a right to choose how their personal information is collected and used by businesses. It is your data, your privacy, your choice.”
Article 1 (General Provisions) of the CCPA regulations in the California Code of Regulations, which sets the requirements for methods of submitting CCPA requests and obtaining consumer consent, states that businesses must make it easy for Californians to exercise their right to give or withhold consent for the use or sale of their personal information.
Note: businesses must offer two or more methods for consumers to opt-out of the sale of their personal information.
Essential technical task: Design and implement methods for submitting CCPA requests and obtaining consumer consent that are easy to understand and offer symmetry of choice.
Making Privacy Choices Easy to Understand
The first requirement – ‘easy to understand’ – means the text appearing on a banner, pop-up or disclosure notice must be easy to read and in plain language to help consumers make an informed choice about giving or withholding consent for your business to collect and sell their personal information.
Offering Genuine Symmetry of Choice
The second requirement – ‘offer symmetry of choice’ – means when customers choose to exercise ‘a more privacy-protective option’, such as opting-out of having personal information sold, the methods supporting this choice must not take more time or more click-throughs than the methods supporting consent.
For example, ‘yes’ and ‘no’ buttons give consumers equal choices when recording their privacy preferences, whereas ‘yes’ and ‘ask me later’ buttons skew the choice towards consent: if the consumer clicks the latter, the business will simply keep asking for consent (opt-in) until it is given, and the consumer never gets to record a ‘no’.
Similarly, the regulation prohibits any technical or design impairments to opting out from sale of personal information or submitting a data subject access request. Examples of technical impairments include:
- Unnecessary click-throughs or scrolls to find the mechanism for exercising privacy rights
- Broken links to access information relevant to privacy rights, including mechanisms for exercising those rights
- Any activity that makes it difficult to find and/or read information about why, how and where a business collects, discloses and/or sells personal information
- Email addresses that lead to unmonitored inboxes
- Mechanisms that put consumers into a holding pattern, such as forcing them to wait unnecessarily on a webpage while the business processes a request and/or confirms a privacy choice has been actioned.
Consent Management Technology
TrustArc Customer Consent Preference Manager gives businesses a sophisticated technical toolkit to personalize customer experiences at scale across all digital touchpoints, while ensuring compliance with CCPA and other privacy regulations. It supports:
- Customer choice – a single location for customers to view and update their preferences, which accurately manages consent preferences by automatically synching them across all channels.
- Data privacy compliance – a centralized privacy regulation compliance platform that is simple to implement, integrates with 500+ industry platforms, including Salesforce, HubSpot, and Marketo, and gives ready access to essential forms and reports for legal and marketing teams.
TrustArc Cookie Consent Manager is a configurable software platform giving businesses the tools to implement, manage, and report on cookie consent activities across all domains in all countries.
TrustArc Cookie Consent Manager Advance offers streamlined methods for setting up and managing complex processes, including:
- Support for compliance with EU and CCPA-related IAB Transparency & Consent Framework Policies
- Customized website scanning
- Customized scan support (such as control via login)
- Auto-detection of customers’ Global Privacy Control (GPC) settings, a browser-level opt-out preference signal that businesses must treat as a valid “Do Not Sell or Share My Personal Information” request, which simplifies CCPA compliance with this alternative method for customers to opt out.
For more information about GPC, read our article: What is Global Privacy Control and Why is it Such a Hot Topic?
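To show what honoring GPC auto-detection looks like at the HTTP and browser level, here is an added example; it is not TrustArc code and not part of the original brief. The header name Sec-GPC, its value "1", the navigator.globalPrivacyControl property and the /.well-known/gpc.json resource come from the Global Privacy Control specification; the consent-record shape, the applyGpc rule, the function names and the sample request are assumptions constructed for this demo.

```javascript
// Added example (not TrustArc code): treat the Global Privacy Control signal
// as an opt-out of sale/sharing. Header/property names are from the GPC spec;
// everything else (record shape, rule, sample data) is assumed for this demo.

/**
 * Interpret the GPC signal from incoming request headers.
 * The spec defines the request header "Sec-GPC" with the exact value "1".
 * Anything else (absent, "0", "true", "yes") is treated as no signal.
 * Accepts either a lower-cased (Node/Express style) or original-case map.
 */
function gpcFromHeaders(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return raw === '1';
}

/**
 * Interpret the client-side signal. In a browser this is
 * navigator.globalPrivacyControl (a boolean). The navigator-like object is
 * passed in so the function can run in Node as well.
 */
function gpcFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

/**
 * Apply the signal to a stored consent record (assumed shape).
 * Rule: a GPC signal is a valid opt-out and overrides an earlier
 * "sale/sharing allowed" setting. The absence of the signal is NOT consent,
 * so it never flips an existing opt-out back to "allowed".
 */
function applyGpc(record, gpcOn, now = new Date()) {
  const next = { ...record };
  if (gpcOn && next.sellShare !== 'opted_out') {
    next.sellShare = 'opted_out';
    next.source = 'gpc';
    next.updatedAt = now.toISOString();
  }
  return next;
}

/** The gate that ad-tech / data-sharing code must check before firing. */
function maySellOrShare(record) {
  return record.sellShare === 'allowed';
}

/**
 * Body of /.well-known/gpc.json, which tells clients the site honors GPC.
 * Field names are from the spec; lastUpdate is the site's own date string.
 */
function wellKnownGpc(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample: a returning visitor who previously allowed sale via the
// banner now arrives with GPC switched on in the browser.
const sampleHeaders = { 'sec-gpc': '1', 'user-agent': 'example-browser' };
const storedRecord = {
  consumerId: 'c-123', sellShare: 'allowed', source: 'banner',
  updatedAt: '2024-01-01T00:00:00.000Z',
};
const updated = applyGpc(storedRecord, gpcFromHeaders(sampleHeaders));
// updated.sellShare is now 'opted_out' and maySellOrShare(updated) is false
```

The decision has to be made before anything that counts as a sale or share happens, for instance before third-party tags load, and under the CCPA regulations the opt-out applies at least to that browser or device, and to the consumer's account as well when the business knows who they are. Strict matching on the value "1" matters: a proxy or older extension that sets a different value is not a valid signal and should not be silently upgraded to one, while a missing header must never be read as consent.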
Technical Requirements for Managing Data Subject Requests
Like the General Data Protection Regulation (GDPR), CCPA gives individuals (aka ‘data subjects’) the right to know what personal information the business holds about them, along with the rights to have those records deleted or corrected.
When a consumer makes a data subject request the business must address it within the following timeframes (Cal. Civ. Code 1798.130 and the CCPA regulations):
- Within 10 business days of receipt – confirm receipt of the request in writing (this can be an automated response), with information about the verification process and the expected timeframe for a response.
- As early as possible within the response period – verify that the person making the request (whether exercising their rights to know, correct and/or delete) is the consumer about whom the business has collected personal information. The response clock starts on the day the request is received, not on the day verification completes, so verification should begin immediately and no records should be disclosed, corrected or deleted until it succeeds.
For more information on what is expected in this verification process, read the California Code of Regulations article 5, 7060. General Rules Regarding Verification.
- Within 45 calendar days of receipt – respond to the request accurately. If the work required (including locating, consolidating and/or deleting records) can’t be completed in this timeframe, the business may extend the deadline once, by up to 45 additional days when reasonably necessary, and must notify the consumer within the first 45 days with a valid explanation for the delay.
For detailed information on managing these processes, we recommend reading our article How to Handle Consumer Requests Under CCPA.
Once the business has collected all the information it needs to accurately respond to the consumer who made the request, it must provide the consumer with the following:
- Copy of records of personal information collected by the business
- Categories of personal information collected, processed, disclosed and/or sold
- Purpose/s for collecting and processing, disclosing and selling personal information
- Source/s of the personal information held by the business if this data wasn’t directly collected from the consumer via interactions with the business (for example, the business bought their data)
- Planned data retention timeframe/s
- Explanation of methods used during automated decision-making, such as profiling
- For the right to delete requests, explanation of how the business managed this deletion process.
Individual Rights Management Technology
TrustArc Individual Rights Manager gives businesses a robust and scalable platform for fulfilling data subject requests efficiently and accurately, including built-in compliance with CCPA and other data privacy regulations.
Individual Rights Manager automates essential processes such as:
- Auto-assigning tasks to people within the business responsible for systems, processes and departments based on the type of request, customer persona, jurisdiction and brand/s – and following up with automated reminders (such as Jira tickets) to complete tasks within regulated timeframes.
- Verifying the person making the request is in fact the consumer about whom the business has collected personal information – this process can be conducted via automated email, capturing a selfie with the person’s permission or a verification process managed by a third-party vendor.
- Populating a dashboard with updates tracking progress on active requests, calculations of median completion times for closed requests and other information needed for compliance-ready reports.
Individual Rights Manager also streamlines CCPA compliance by providing:
- Logic-based templates that can be personalized and branded to help build consumer trust. These templates include customizable intake forms and landing pages.
- Integration with TrustArc’s Nymity Privacy Compliance Software Research and Alerts to ensure the business is kept up-to-date with changes in privacy regulations and best practices for managing compliance.
- Rapid API integration to accelerate and streamline processes to comply with data subject requests, such as connecting, updating and/or deleting personal information records across multiple systems.
Access More Information from TrustArc About CCPA Regulations and Compliance
This CCPA technical brief is part of a series of briefs by TrustArc experts on the California Consumer Privacy Act, which includes a background brief, a summary of the main rules, a compliance checklist, and expert commentary on CCPA implications.