Ensure Your Business Complies with California Privacy Law: Practical Tips for Handling Privacy Rights Requests

The California Privacy Rights Act (CPRA) has amended the California Consumer Privacy Act (CCPA) and expanded individuals’ data subject rights. If you’re running a business that collects or processes the personal information of California residents, it’s important to understand whether the CCPA applies to your company, and, if it does, what your obligations are under this act. This post provides valuable insights and tips for companies to ensure compliance with their consumer privacy rights obligations under the CCPA, as amended by the CPRA. 

Here are some practical tips to help you avoid fines and ensure that you respect the privacy of the individuals whose personal information you handle:

  1. Know the personal information you handle: Identify all personal data you collect, process, store, and share by creating a data map or inventory. Take particular care when it comes to sensitive personal information.
  2. Have a clear, accurate and complete privacy notice: Make sure your privacy notice complies with the requirements of the CCPA and clearly states how you collect, use, disclose, and protect personal information in an easy-to-understand way. 
  3. Update your website: If you sell or share individuals’ personal information, you will need to insert a “Do Not Sell or Share My Personal Information” link on your website. Individuals must be empowered to submit such requests by way of a webform and one other avenue, such as email or a toll-free number. If you process sensitive personal information, you will need a “Limit the Use of My Personal Information” link. 
  4. Set up mechanisms for individuals to submit their privacy requests to your company: If an individual would like to know what personal information is collected about them or wants you to delete, correct, or limit how you use their personal information, they need a way to submit such requests to you. This could include setting up a toll-free number, a web form, or an email address. You will need a process to verify their identity and the authority of their authorized agents.
  5. Ensure proper handling of privacy rights requests: Set up a process for properly responding to privacy rights requests within the statutory time limits (normally, 10 or 45 days). The best way to do this is to create internal policies that set out how to process each type of request, including how to verify the identity and authority of the requestors, and to train your employees on those policies.
  6. Contractually oblige your service providers to assist you with privacy rights requests: Have agreements in place with the vendors to which you disclose personal information that require those vendors to forward privacy rights requests to you, to respond to requests only in accordance with your instructions, and to help you obtain, correct, and delete the personal information the requests relate to.

Protecting consumers’ privacy and meeting your CCPA obligations is critical for building and maintaining trust in your business. Don’t let the complexity of the task hold you back. Let VeraSafe’s team of privacy law and IT professionals simplify the process for you by ensuring that you have the necessary policies, notices, and procedures in place, and even handling your consumer privacy rights requests on your behalf. Engaging VeraSafe will allow you to focus on what you do best – running your business. Schedule a free consultation to get started. 
