The CCPA: California Consumer Privacy Act provides consumers with the opportunity to make a number of requests to businesses that collect personally identifiable information (“PII”). Specifically, consumers may request that the business disclose what PII has been collected, what PII has been sold, and take action to delete the consumer’s collected PII.
In order to process these CCPA requests, the law requires that businesses make “reasonably accessible” processes available to consumers. The CCPA specifies that two or more methods for submitting requests must be available for consumers to use. One of these methods must, at a minimum, include a toll-free telephone number. This article will provide an overview of the requirements pertaining to this toll-free phone number. Becoming familiar with these requirements will be critical in preparing your business to efficiently respond to CCPA consumer requests in a compliant manner.
This article will discuss the following three topics:
- An overview of the CCPA’s toll-free number requirements
- Additional guidance from the California Attorney General
- Preparing to comply with the toll-free number requirements
An overview of the CCPA’s toll-free number requirement
First, businesses are only required to furnish a toll-free number if they are a covered entity under the CCPA. Provided that the business is a covered entity under the law, the CCPA generally requires the business to provide consumers with the ability to make a variety of requests pertaining to their PII.
In response to consumers’ requests for disclosures related to the PII collected, used, and sold by the business (requests to “know”) and requests to delete collected PII, businesses must make available to consumers two or more designated methods for submitting the requests. At a minimum, one of these methods must include a toll-free number and if the business has a website, a website address. Other acceptable methods, in addition to a toll-free number, include a designated email address, an in-person form, or a form submitted in the mail.
Additional guidance from the California Attorney General
Per the CCPA draft regulations, businesses are not required to provide a toll-free number under certain circumstances. For this exception to apply, the following two requirements must be met:
- The business must operate exclusively online
- The business must have a direct relationship with the consumer
The regulations do not specify exactly what constitutes operating “exclusively online.” However, one could reasonably conclude that businesses with no physical locations or storefronts, and instead provide products or services via a website, most likely qualify under this requirement. Additionally, a “direct relationship” may constitute an interaction such as an online purchase request made directly to the business. Provided that this purchase does not materially involve a service provider as defined by the CCPA acting as a sort of “middleman,” it is likely that a “direct relationship” is present under the regulations.
Provided that these two requirements are met, businesses are only required to make an email address available for submitting requests to “know.” This means that disclosure requests pertaining to what PII the business has collected, used, and sold may be made exclusively via email. Businesses that do not meet these requirements must comply with the text of the CCPA and provide two or more designated methods for submitting requests, including a toll-free number at minimum.
The regulations offer some additional guidelines for businesses to follow when assessing what methods to provide for submitting both right to know and deletion requests. Specifically, businesses should consider the methods by which it “primarily interacts with consumers.” For example, if a business primarily interacts with consumers in-person, then an acceptable approach would be to provide some sort of document containing the business’s toll-free number for exercising consumer rights under the CCPA.
Preparing to comply with the toll-free number requirement
Ultimately, whether your business is required to furnish a toll-free number will depend on a number of factors. Provided your business is a covered entity under the law, this necessarily means that consumers must have the ability to issue a number of requests relating to their PII. If your business is operated exclusively online and rarely works with service providers, there is a good chance that your business will not be required to provide a toll-free number. This is predicated on the CCPA regulations finalizing. If the regulations are not finalized, you should prepare to provide a toll-free number to consumers, irrespective of whether your business operates exclusively online or not.
Provided that your business is required to provide a toll-free number, best practices would include implementing a system for logging requests made via the toll-free number so that your business will be ready to comply by the CCPA enforcement period beginning July 1st, 2020. This logging system could provide a number of benefits, including allowing your business to categorize requests based on the information requested by the consumer and respond to these requests in a timely manner.
Tyler is a third year law student attending Seton Hall University School of Law. He is a Certified Information Privacy Professional (CIPP/U.S.) as well as the Founder and President of the Cybersecurity and Privacy Society of his law school, a student organization dedicated to exploring major legal issues in all things technology, from data privacy to Artificial Intelligence. The organization is also dedicated to helping law students find career opportunities in the growing fields of cybersecurity and privacy.