The California Consumer Privacy Act (CCPA) brings consumers some powerful new rights over their personal information. It also requires businesses to set up a toll-free number for consumers wishing to exercise some of those rights.
Like many parts of the CCPA, the toll-free number requirement has caused some confusion amongst businesses.
Thankfully, the California Attorney General has provided some clarification on the issue. There has also been an important change to the requirement that might mean your business is no longer required to maintain a toll-free number.
Let's take a look at how this important requirement may affect your business.
Who Needs to Comply with the CCPA?
Before we turn to the toll-free number requirement, you may wish to check whether the CCPA applies to your company. Feel free to skip ahead if you already know that you're affected.
The CCPA only applies to "businesses," which it defines as any entity operating for profit in California that fulfills at least one of the following criteria:
- It raises annual gross revenues of at least $25 million
- It buys, sells, receives for commercial purposes, and/or shares for commercial purposes, the personal information of at least 50,000 California consumers ("consumers"), households, and/or devices
- It raises at least 50% of its annual gross revenues selling consumers' personal information
The CCPA applies to businesses all over the world. To fulfill the definition of a "business," you do not need to have any presence in California or even the United States.
There is an exemption for "service providers" that operate on behalf of other companies. For more information, see our Guide to CCPA Service Providers.
CCPA Toll-Free Number Requirement: Your Questions Answered
Here are some of the key questions businesses are asking about the toll-free number requirement and the other designated methods for submitting a request.
What is the Toll-Free Number Requirement?
The CCPA requires that businesses help consumers exercise their CCPA rights by providing two "designated methods for submitting a request."
With some exceptions, businesses must provide a toll-free telephone number as one of the designated methods for submitting a request under "the right to know."
Does Every Business Have to Provide a Toll-Free Number?
Initially, the CCPA required all businesses to provide a toll-free number. However, in October 2019, the California Attorney General put forward an amendment to the CCPA that created an exemption to the requirement.
The new rules state that a business does not need to provide a toll-free number if it:
- Operates "exclusively online," and
- Has a direct relationship with a consumer from whom it collects personal information
Neither the Attorney General nor the CCPA explains the terms "operating exclusively online" or "having a direct relationship with a consumer."
However, we can reasonably assume that:
- Operating exclusively online means that a business does not have any physical, customer-facing premises.
- Having a direct relationship with a consumer means a business provides goods and services to consumers directly, rather than via or on behalf of a third party.
If your business meets these criteria, you do not have to provide a toll-free number. You only have to provide the following designated methods for submitting a request:
- An email address
- A web page (if you have a website)
You might also want to provide a toll-free number. However, unlike other businesses, the CCPA does not require you to do so.
What are the Other Designated Methods for Submitting a Request?
As we've seen, a toll-free number is just one of the CCPA's designated methods for submitting a request. Here are the other examples of designated methods listed in the CCPA and the Proposed Regulations:
- A mailing address, including via a form that you provide consumers
- A form submitted in person
- An email address
- A web page
These are just examples, and there might be other methods that are appropriate for your business.
The California Attorney General states that you should consider the context in which you interact with consumers when choosing your designated methods. For example:
- If you collect personal information from consumers in person, you should consider providing a paper form that you can hand to them.
- If you operate a mobile app, you should consider providing a method that allows consumers to submit a request from within the app itself, such as privacy controls.
Can Businesses Choose Which Designated Methods They Use?
As we've seen, unless your business falls under the new "operating exclusively online" exemption, you must provide at least two designated methods for submitting a request, and one of these must be a toll-free number.
You might not have total freedom around which other designated methods you provide.
If you have a website, you must "make the website available" for requests under the right to know. This means creating a form on your website that consumers can use to submit a request. This still applies to businesses that fall under the new exemption.
It's also important to remember that if you sell personal information, you must create a "Do Not Sell My Personal Information" page to facilitate requests under the right to opt out. This is in addition to any requirements that apply to you in respect of the right to know.
Using Your Toll-Free Number
The toll-free number requirement might seem somewhat out-of-place in the broader context of the CCPA. After all, personal information exists in written form and is usually stored electronically.
Businesses have been quite critical of the toll-free number requirement. However, besides the limited exemption for businesses operating exclusively online, the toll-free number requirement remains part of the CCPA.
Fulfilling a Consumer Request via Your Toll-Free Number
We're going to look at how you can use your toll-free number to help consumers make requests under the right to know and the right to delete.
Note that your business can directly manage its own toll-free number or hire a third-party service provider to manage one on its behalf. In either case, it's your responsibility to ensure that consumer requests are carried out in the proper way.
When processing a request via your toll-free number, it's important that you do not disclose or delete a consumer's personal information without verifying the identity of the person making the request.
The Attorney General provides some detail about the steps a business should take to verify a consumer's identity in the CCPA Proposed Regulations (these regulations are subject to change).
There are three main types of request that consumers can initiate by calling your toll-free number:
- A "category request" under the right to know (sometimes called an "access request"). This requires you to disclose general information about the categories of personal information you have collected about a consumer, your sources, your purposes for collecting the personal information, and the third parties with whom you share the personal information.
- A "specific request" under the right to know (sometimes called a "data portability request"). This requires that you disclose the specific pieces of personal information you have collected about a consumer.
- A request under the right to delete
Your toll-free number can play a role in all three types of requests.
"Category Requests" Under the Right to Know
For "category requests" under the right to know, you must verify the consumer's identity to a "reasonable degree of certainty" by asking the consumer to confirm at least two data points that you hold about them.
For example, you could ask the consumer to confirm the value of an item that they purchased from your business on a specific date. In any case, you should try to identify a consumer via personal information that they have already provided to you.
You can use your toll-free number to receive a category request. The call handler could ask the consumer to confirm their identity and provide their contact details.
However, the call handler cannot provide the requested information over the phone. You must send the requested information through the consumer's account with your business (if they have one), physical mail, or email.
"Specific Requests" Under the Right to Know
For "specific requests" under the right to know, you must verify the consumer's identity to a "reasonably high degree of certainty." This requires that you ask the consumer to:
- Confirm at least three data points that you hold about them, and
- Provide a "signed declaration under penalty of perjury" stating that they are the consumer whose personal information you are providing (or else that they are authorized to receive the information)
Therefore, you will not be able to complete a specific request using only your toll-free number. Even though the call handler can confirm the consumer's identity over the phone, you will need to use another method to receive the consumer's signed declaration.
The call handler also cannot fulfill a specific request over the phone. You must send the consumer their personal information either:
- Via physical mail, or
- Electronically, in "a portable [...] readily useable format that allows the consumer to transmit this information to another entity without hindrance" (e.g. CSV, JSON)
Requests Under the Right to Delete
Under the right to delete, a consumer can request that you delete any personal information you have collected about them.
Consumers can make a deletion request using your toll-free number, but you aren't required to provide a toll-free number for this purpose.
You have some discretion when verifying the identity of consumers making a deletion request. Consider the nature of the personal information and the potential impact of deleting it.
A consumer may request that you delete less sensitive personal information, for example, your records of their account activity or contact details.
When deleting less sensitive personal information, you may only require a "reasonable degree of certainty" about the consumer's identity (as with a "category request" under the right to know). In this case, you may be able to verify a consumer's identity over the phone.
Alternatively, a consumer may request that you delete more sensitive personal information, for example, legal documents or family photos.
When deleting more sensitive personal information, you may require a "reasonably high degree of certainty" about the consumer's identity (as with a "specific request" under the right to know).
In this case, you will be unable to verify a consumer's identity over the phone, as you will need to request "a signed declaration under penalty of perjury" stating that they are the consumer whose personal information you are deleting.
You must also "re-verify" the consumer's identity once you're ready to delete their personal information. This re-verification takes place as a separate interaction.
- Explain the CCPA consumer rights
- Make consumers aware of your toll-free number (and any other designated methods for submitting a request)
Here's an example from fitness company The Bar Method:
Note that The Bar Method integrates the information about its designated methods of submitting a request into its explanation of the CCPA consumer rights.
CCPA Toll-Free Number Checklist
Take these steps to ensure you're compliant with this important part of the CCPA:
- Check whether you are exempt from the toll-free number requirement.
- Consider what other "designated methods" you will provide.
- Decide whether you will set up your own toll-free number or use a third-party provider.
- Ensure that your staff know how to fulfill a consumer request, including:
  - Understanding the CCPA consumer rights
  - Verifying the identity of a consumer
  - Taking appropriate action following the phone call to ensure the request is processed