CCPA Explained: Part 6 - Article 3 -Business Practices for Handling Consumer Requests

 Oct 14, 2019 1:00 PM
by Derek Lackey

§ 999.314. Service Providers

A  A Service Provider (see Civil Code section 1798.140(v)) who provides services to a person or an organization that is not a business, shall be deemed a Service Provider under CCPA.

B If you help collect, use, disclose or sell personal information on behalf of another business, you are deemed a Service Provider under CCPA.

C  A Service Provider must inform consumers when collecting personal information for more than 1 client. 

D A Service Provider is not obligated to respond to consumer requests to know or delete, and should inform the consumer that it must make that request of the business who controls that data, making it as simple as possible to do so.

E A Service Provider must comply with CCPA on any personal information collected, not intended for a client they do business with.

§ 999.315. Requests to Opt-Out

A  A business must provide consumers with at least two methods of submitting a request to opt-out, including the mandatory "Do Not Sell My Info" clear and conspicuous button or link on their website. Other acceptable methods for submitting these requests include, but are not limited to, a toll-free phone number, a designated email address, a form submitted in person, a form submitted through the mail, and user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism (preference centres) , that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.

B A business should consider the usual methods of communicating with their consumer when selecting the second method of submitting an opt-out request.

C If a business is online it should accept browser controls or preference centre selections as a valid request for opt-out.

D A business can offer a granular opt-out upon reciept of a request for opt-out as long as the global option is called out more prominently than the other options.

E A consumer should be opted out within 15 days of making the request.

F A business must inform all parties it sold the personal information to within 90 days of recieving the request to opt-out, of the consumer's choice to opt-out. The business will inform the consumer once this is complete.

G A consumer can appoint an Authorized Agent to opt-out and the appointment must be in writing. A business can deny a request for opt-out if the Agent cannot provide proof in writing that the consumer has provided consent for the Agent ot operate on his/her behalf. Preference centres and browser settings requests are considered direct from the consumer.

H A request to opt-out need not be a verifiable request. If, however a business has a good reason to believe the request is fraudulent, it can deny the request and inform the consumer of the reasons for their denial, including the proof that the request is considered fraudulent.


§ 999.316. Requests to Opt-In After Opting Out of the Sale of Personal Information

A If a consumer wishes to opt back in, the business must use a two-step process (double opt-in) to confirm their choice.

B  Should a business be presented with an offer that includes the personal information of a consumer who has opted out, they can inform the consumer and include instructions to opt back in, if they wish to.


CCPA Explained: Article 1 General Provisions - Part 1 - Scope and Definitions

CCPA Explained: Article 2 - Notices to Consumers - Part 2 - Notice at Collection

CCPA Explained: Part 3 The Right to Opt-Out and Offering Financial Incentives

CCPA Explained: Part 4 - Privacy Policy

CCPA Explained: Part 5 - Article 3 -Business Practices for Handling Consumer Requests