Type: Blog
Topic: Compliance
The CCPA provides that certain processing activities are exempt from its requirements. Businesses should take a conservative approach to analyzing when these exemptions apply. It is recommended that the organization formally document any processing activities involving California personal data that meet one of the exemptions below, outlining why the business is not subject to the requirements of the CCPA.
Specifically, the CCPA shall not restrict a business’s ability to:
Further, the CCPA provides for various exemptions to personal data collected related to the following:
Notice Requirements:
As mentioned previously, the CCPA is based on three principles: transparency, accountability, and control. In order to meet the “transparency” principle, businesses must comply with the notice requirements included in the CCPA. Transparency has become a common feature of recent data protection laws, since the main goal of data protection is to provide consumers with more power and control over when and how their personal data is used. Transparency is key to providing consumers with this control.
Under the CCPA, businesses must provide the following notice disclosures within their privacy policies:
The privacy policy should be regularly reviewed and updated upon any changes in data collection and processing activities to ensure compliance with the CCPA principles. At a minimum, the policy should be reviewed annually. These notices should be provided whenever consumers’ personal data is collected or, if collected indirectly, within a reasonable timeframe after the data is collected. Failure to provide these disclosures will erode consumer trust and could lead to violations of the CCPA. The notice requirements are a cornerstone of the CCPA, and the disclosures should be made transparently. Consumers can easily check an organization’s privacy policy to determine CCPA readiness, and this should be a priority for all organizations the CCPA applies to.
This blog is part of an educational series that will explain the fundamentals of California’s upcoming data protection act, CCPA – who it impacts, how to comply, and more. Follow along as our expert team breaks down the complexities of CCPA.
Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance at CompliancePoint focused on U.S. and international direct marketing compliance regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Matt has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP), a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE), and has a B.S. in Economics from Georgia College. www.compliancepoint.com