CCPA compliance checklist
If you’re wondering what it takes to be compliant with the California Consumer Privacy Act (CCPA), here is a checklist for your business and its website.
The list is non-exhaustive, but it covers the central requirements of the CCPA.
- Feature a Do Not Sell My Personal Information link on the website that users can use to opt out of third-party data sales.
- Provide a notice at or before the point of collection informing the consumer of the categories of personal information that the company collects and for what purpose.
- React to an opt-out request within 15 days by stopping further selling and notifying all parties to whom it has sold the personal information in the previous 90 days.
- Obtain opt-in consent from minors aged 13 to 16 before selling their personal information, and opt-in consent from the parents or legal guardians of consumers under the age of 13.
- Provide consumers, free of charge, with records of the personal information collected in the past 12 months (including sources, commercial purposes and categories of third parties with whom it has been shared) if a consumer requests disclosure or deletion.
- Respond within 10 days of receiving requests for disclosure or deletion with information on how the request will be processed. Substantive responses must be given to the consumer within 45 days of receiving a verified request.
- Include two steps for a deletion request, whereby the consumer can submit the request and subsequently agree to the deletion of the personal information.
- Only offer financial incentives (e.g. different prices, rates and quality) for goods and services if the differences are reasonably related to the value provided to the business by the consumer’s data.
- Refrain from discriminating based on a consumer’s choice to exercise their rights to opt out or to request disclosure or deletion.