Published:

Updated:

CCPA toll-free phone number requirement

Privacy Policy

CCPA, United States

CCPA toll-free phone number requirement

NOTE: Since the writing of this blog, CCPA has been replaced by CPRA.


The CCPA: California Consumer Privacy Act provides consumers with the opportunity to make a number of requests to businesses that collect personally identifiable information (“PII”) and that need to comply with this law. Specifically, consumers may request that the business disclose what PII has been collected, what PII has been sold, and take action to delete the consumer’s collected PII. 

In order to process these CCPA requests, the law requires that businesses make “reasonably accessible” processes available to consumers. The CCPA specifies that two or more methods for submitting requests must be available for consumers to use. One of these methods must, at a minimum, include a toll-free telephone number. This article will provide an overview of the requirements pertaining to this toll-free phone number. Becoming familiar with these requirements will be critical in preparing your business to efficiently respond to CCPA consumer requests in a compliant manner. 

This article will discuss the following three topics: 

  • An overview of the CCPA’s toll-free number requirements 
  • Additional guidance from the California Attorney General 
  • Complying with the toll-free number requirement 

An overview of the CCPA’s toll-free number requirement

First, businesses are only required to furnish a toll-free number if they are a covered entity under the CCPA. Provided that the business is a covered entity under the law, the CCPA generally requires the business to provide consumers with the ability to make a variety of requests pertaining to their PII. 

In response to consumers’ requests for disclosures related to the PII collected, used, and sold by the business (requests to “know”) and requests to delete collected PII, businesses must make available to consumers two or more designated methods for submitting the requests. At a minimum, one of these methods must include a toll-free number and if the business has a website, a website address. Other acceptable methods, in addition to a toll-free number, include a designated email address, an in-person form, or a form submitted in the mail. 

Similar to business domain name generators, there are companies offering toll free telephone numbers for CCPA that you should consider checking out.

Additional guidance from the California Attorney General 

Per the CCPA draft regulations, businesses are not required to provide a toll-free number under certain circumstances. For this exception to apply, the following two requirements must be met: 

  • The business must operate exclusively online 
  • The business must have a direct relationship with the consumer

The regulations do not specify exactly what constitutes operating “exclusively online.” However, one could reasonably conclude that businesses with no physical locations or storefronts, and instead provide products or services via a website, most likely qualify under this requirement. Additionally, a “direct relationship” may constitute an interaction such as an online purchase request made directly to the business. Provided that this purchase does not materially involve a service provider as defined by the CCPA acting as a sort of “middleman,” it is likely that a “direct relationship” is present under the regulations. 

Provided that these two requirements are met, businesses are only required to make an email address available for submitting requests to “know.” This means that disclosure requests pertaining to what PII the business has collected, used, and sold may be made exclusively via email. Businesses that do not meet these requirements must comply with the text of the CCPA and provide two or more designated methods for submitting requests, including a toll-free number at minimum. 

The regulations offer some additional guidelines for businesses to follow when assessing what methods to provide for submitting both right to know and deletion requests. Specifically, businesses should consider the methods by which it “primarily interacts with consumers.” For example, if a business primarily interacts with consumers in-person, then an acceptable approach would be to provide some sort of document containing the business’s toll-free number for exercising consumer rights under the CCPA. 

Complying with the toll-free number requirement

Ultimately, whether your business is required to furnish a toll-free number will depend on a number of factors. Provided your business is a covered entity under the law, this necessarily means that consumers must have the ability to issue a number of requests relating to their PII. If your business is operated exclusively online and rarely works with service providers, there is a good chance that your business will not be required to provide a toll-free number. This is predicated on the CCPA regulations finalizing. If the regulations are not finalized, you should prepare to provide a toll-free number to consumers, irrespective of whether your business operates exclusively online or not. 

Businesses should provide clear instructions for making CCPA requests within an online Privacy Policy. These instructions should clearly specify the steps consumers may take to request disclosures, request the deletion of PII, and opt-out of the sale of their PII. Termageddon’s Privacy Policy generator helps to create CCPA ready Privacy Policies and avoid fines or even lawsuits. 

Photo of author
About the Author
Tyler Pewitt

Tyler is a third year law student attending Seton Hall University School of Law. He is a Certified Information Privacy Professional (CIPP/U.S.) as well as the Founder and President of the Cybersecurity and Privacy Society of his law school, a student organization dedicated to exploring major legal issues in all things technology, from data privacy to Artificial Intelligence. The organization is also dedicated to helping law students find career opportunities in the growing fields of cybersecurity and privacy.

Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy

Culture

Disclaimer

EULA

How To's

Privacy Policy

Terms of Service

Subscribe for Updates