How to Make Sure Your Website is CCPA Compliant
Are you CCPA Compliant?
The enforcement of the California Consumer Privacy Act (CCPA), set to begin July 1, 2020, remains on track. With this date quickly approaching, it’s important to put the necessary compliance measures in place now. While many aspects of your business may be subject to the new regulation, none are likely to be more susceptible to external scrutiny by consumers, activists, and authorities than your website.
Here’s a look at five highly visible features that must be present on your website to comply with the California Consumer Privacy Act (CCPA):
1. CCPA Consumer Rights Description
Your website will need to provide a description of the ‘consumer rights’ granted to Californians by the CCPA. It can appear on a dedicated webpage or be included in your online privacy policy. If it is on a dedicated webpage, include a link to that page on your homepage. The link needs to be formatted in a way that grabs the attention of California consumers and, when clicked, opens a page that provides a full and accurate description of all the rights granted to California consumers by the CCPA.
2. Online Privacy Policy
A link to your Online Privacy Policy must contain the word ‘privacy’ and be conspicuously placed so it’s readily accessible to consumers. The Privacy Policy needs to be clearly written using common, easy-to-understand language and provide a full and comprehensive disclosure of both your online and offline privacy practices. It’s required to be legible (even on small screens), printable, and accessible to consumers with disabilities. A detailed description of the CCPA rights granted to Californians or a link to the California-specific page where those rights are documented should be included as well.
3. Data Collection Notice
Your website needs to notify California consumers “at or before” the point of collection of the categories of data to be collected as well as the business purpose for collecting that data. A link to this notice should appear on every page where consumer data is collected and be formatted in a way that attracts the attention of California consumers. When clicked, the ‘Notice at Collection’ that appears should be written in common, non-technical language so the consumer clearly understands what data will be collected and how it will be used. The notice should also advise consumers that no types of data other than those disclosed in the notice will be collected, and that the collected data won’t be used for any purposes other than those disclosed.
4. Consumer Rights Request Webform
Your website needs to contain an interactive webform to enable Californians to exercise the rights granted to them under the CCPA. These include the right to request:
- A portable copy of their personal data (‘Right to Access’)
- Deletion of their personal data (‘Right to Delete’)
- That their personal data not be sold (‘Right to Opt-Out’)
If your company doesn’t sell the personal information of California consumers, be sure to include a statement to that effect in your Online Privacy Policy (or on your California-specific rights description page). The consumer-rights request form itself should collect only the minimal information needed to verify the consumer’s identity and to fulfill the request. Once the form is submitted, the consumer should be notified of the next steps. And, once the request is fulfilled, a record of the request should be logged for audit purposes.
5. “Do Not Sell My Personal Information” Link
If your company sells the personal information of California consumers, make sure your website contains a conspicuously placed link titled: “Do Not Sell My Personal Information” or “Do Not Sell My Info.” This link must appear on your homepage and be referenced in your Online Privacy Policy and Notice at Collection. When clicked, this link should take the user to the Consumer Rights Request Webform where the opt-out request can be completed and submitted.
While the absence of any of the above will draw the attention of the regulators, their presence doesn’t guarantee CCPA compliance. The proposed regulations have plenty of details to consider when implementing these features. Best practice is to always review the actual regulations with your legal and compliance teams when planning your CCPA website implementation or enhancement projects.
How Milestone Can Help
At Milestone, our Governance, Risk, and Compliance (GRC) team is well-versed in consumer privacy and data protection requirements. Whether your organization needs to comply with CCPA, GDPR, or similar privacy regulations, we have the regulatory compliance expertise as well as the deep ServiceNow platform experience needed to ensure your compliance solution is not only effective but also highly efficient and scalable. We can help accelerate your time to compliance and ensure that your ServiceNow solution remains continually compliant and regulator-ready as consumer privacy laws continue to emerge both domestically and internationally.
Please contact us for more information.
About the Author
Mike DeAndrea, GRC Practitioner and Advisory Solution Architect, Milestone
With more than 20 years of applied expertise in Governance, Risk, and Compliance, Mike helps Milestone customers understand how they can leverage the power of ServiceNow to meet their regulatory compliance needs in the shortest time. Mike has extensive experience both as a practitioner and a consultant. As a practitioner, he managed the compliance efforts of a large enterprise-wide IT operations department of a multi-billion-dollar, multi-national company for several years. As a consultant, Mike has been helping high-profile customers deploy GRC solutions in ServiceNow for over five years. He maintains a number of ServiceNow and industry certifications and specializes in designing compliance solutions that are not only effective but also highly efficient, that minimize the time to value, and that drive down the cost, burden, and impact of compliance on your organization. Connect with Mike on LinkedIn.