- a consumer’s rights to know about the personal information collected;
- their right to request the deletion of their personal information
- their right to opt-out of the sale of their personal information;
- their right to non-discrimination for the exercise of any of their privacy rights;
- instructions about how an authorized agent can make a request on the consumer’s behalf;
- the business’s contact information where consumers can get more information if needed;
- the date of the policy’s last update;
- the process for record-keeping and training staff members to comply with the Act; and
- descriptions of the processes used for collecting information from minors under the age of 16 years of age
The first consideration for a business is to determine why it is collecting information in the first place. What makes the CCPA such a unique regulation is that consumers are now in charge of their data; to that end, a consumer must first know what is being collected, and why, in order to have an opportunity to make informed decisions about how their information may be used. Pursuant to the Act, every business must disclose, “at or before the point of collection,” the categories of personal information that the business plans to collect, the sources of that information, and the business purposes for which it will be collected. If a business is found to be collecting additional categories of information, or using it for another purpose, they may fall out of compliance with the Act.
The next consideration should focus on the methods that the business would like to implement for receiving requests to know, delete or opt-out, which will appear in the designated section of the policy itself. As guidance, the OAG has suggested that these determinations be based on how the business primarily interacts with consumers generally, and has provided examples in their regulations. For instance, if all transactions are consummated over the internet via a direct relationship with the consumer, that business need only provide an email address where requests can be sent to. All other businesses must have in place at least two methods available to consumers, one of which must be a toll-free telephone number. Other acceptable methods include, but are not limited to, email addresses, a form submitted in person, through the mail, or online through a tablet or computer portal.