The California Consumer Privacy Act (CCPA) is a bill intended to enhance privacy rights and consumer protection for residents of California. The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018. Amendments to the CCPA, in the form of Senate Bill 1121, were passed on September 13, 2018. Additional substantive amendments were signed into law on October 11, 2019. The CCPA became effective on January 1, 2020, although it will not be enforced by the State Attorney-General’s office until July 2020.
The intentions of the Act are to provide California residents with the right to:
- Know what personal information is being collected about them.
- Know whether their personal information is sold or disclosed and to whom.
- Say no to the sale of personal information (where “sale” is notably defined broadly).
- Access their personal information.
- Request a business to delete their personal information.
- Not be discriminated against for exercising their privacy rights.
- Bring a claim, through a private right of action, for set amounts of damages upon the occurrence of a qualifying data security breach.
The CCPA applies to any business, including any for-profit entity that collects consumers’ personal information, which does business in California (regardless of whether it is physically established in California), and satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million;
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
Responsibility and accountability
Organizations are required to implement and maintain reasonable security procedures and practices to protect consumer data.
- Implement processes to obtain parental or guardian consent for minors under 13 years of age and the affirmative consent of minors between 13 and 16 years in order to sell the personal information of minors.
- Post a “Do Not Sell My Personal Information” link on the home page of the business’s website that directs users to a web page enabling them, or someone they authorize, to opt out of the sale of their personal information.
- Designate methods for submitting requests to exercise rights, including, at a minimum, a toll-free telephone number and, if the business collects personal information online, a webform.
- Update privacy policies with the newly required information, including a description of California residents’ rights.
- Avoid requesting opt-in consent for 12 months after a California resident opts out.
Recommended Tools and Settings
CallTrackingMetrics offers a number of tools and recommended configurations to help you comply with CCPA requirements.
- Make sure each person you have logging into your CallTrackingMetrics account is using their own unique login for security and tracking purposes.
- For added login security, enable two-factor authentication to ask for a verification code on every login or every 30 days.
- Require a user to log in to listen to any call recording links.
- Enable encryption for your audio recordings so they are encrypted in transit and at rest. Encryption is a security measure that can help prevent information from being subject to the private right of action in respect of a qualifying security breach.
- Consider turning off the Caller ID if you do not need to collect the name or location of your callers.
- Enable automatic redaction features on your account:
  - Redaction removes personal information from records of calls, texts, live chats, and forms in your account. Redaction is a security measure that can help prevent information from being subject to the private right of action in respect of a qualifying security breach.
  - Redaction can be configured to occur daily, every 30 days, every 60 days, or every 90 days.
  - If you don’t want to use automatic redaction, you can manually redact information from any of your interactions.
- If you are using FormReactor, be sure to include language in the form that explains to people what will happen once they fill out the form, what you are doing with their information, and use a checkbox to gain their consent to those next steps.
- If using outbound text or call programs, be sure to keep your do not contact lists (for calls and texts) up to date based on the consent you have received and/or opt-out requests that have come in.
- To help respond to requests from California residents to exercise their rights, you can edit a contact’s data as needed in your call log or text log.
- To help respond to requests from California residents to exercise their rights, you can use the export calls or export texts options.
- If you are recording calls, you can use features like voice prompts and IVR menus to gather consent.
Some things to avoid:
- Avoid configuring triggers, notifications, or exports that move call data out of CallTrackingMetrics into emails or text messages, as these modes of communication are not generally secure and CTM cannot control the security of those systems. If you choose to use any of these features to send personal information outside of the CTM application, it is your responsibility to ensure the security of the information once it leaves CTM.
  - CallTrackingMetrics recommends exporting any data through the API or through the use of the secure SFTP export option.
- Be sure that “Enable Enhanced Caller ID” is in the off position. That is an optional service that collects demographic information for callers.
- Do not assume that just announcing call recording is enough. You likely need consent to be recorded under telecommunications and privacy laws more generally.
This article is informational only and does not constitute legal advice. CallTrackingMetrics recommends that its customers obtain independent legal advice in relation to the CCPA.