Last updated on 24 December 2020 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
The California Consumer Privacy Act (CCPA) brings consumers some powerful new rights over their personal information. It also requires businesses to set up a toll-free number for consumers wishing to exercise some of those rights.
Like many parts of the CCPA, the toll-free number requirement has caused some confusion amongst businesses.
Thankfully, the California Attorney General has provided some clarification on the issue. There has also been an important change to the requirement that might mean your business is no longer required to maintain a toll-free number.
Let's take a look at how this important requirement may affect your business.
Before we turn to the toll-free number requirement, you may wish to check whether the CCPA applies to your company. Feel free to skip ahead if you already know that you're affected.
The CCPA only applies to "businesses," which it defines as any entity operating for profit in California that fulfills at least one of the following criteria:
The CCPA applies to businesses all over the world. To fulfill the definition of a "business," you do not need to have any presence in California or even the United States.
There is an exemption for "service providers" that operate on behalf of other companies. For more information, see our Guide to CCPA Service Providers.
Here are some of the key questions businesses are asking about the toll-free number requirement and the other designated methods for submitting a request.
The CCPA requires that businesses help consumers exercise their CCPA rights by providing two "designated methods for submitting a request."
With some exceptions, businesses must provide a toll-free telephone number as one of the designated methods for submitting a request under "the right to know."
Initially, the CCPA required all businesses to provide a toll-free number. However, in October 2019, the California Attorney General put forward an amendment to the CCPA that created an exemption to the requirement.
Here's the relevant part of the amendment:
The new rules state that a business does not need to provide a toll-free number if it:
Neither the Attorney General nor the CCPA explains the terms "operating exclusively online" or "having a direct relationship with a consumer."
However, we can reasonably assume that:
If your business meets these criteria, you do not have to provide a toll-free number. You only have to provide the following designated methods for submitting a request:
You might also want to provide a toll-free number. However, unlike other businesses, the CCPA does not require you to do so.
As we've seen, a toll-free number is just one of the CCPA's designated methods for submitting a request. Here are the other examples of designated methods listed in the CCPA and the Proposed Regulations:
These are just examples, and there might be other methods that are appropriate for your business.
The California Attorney General states that you should consider the context in which you interact with consumers when choosing your designated methods. For example:
As we've seen, unless your business falls under the new "operating exclusively online" exemption, you must provide at least two designated methods for submitting a request, and one of these must be a toll-free number.
You might not have total freedom around which other designated methods you provide.
If you have a website, you must "make the website available" for requests under the right to know. This means creating a form on your website that consumers can use to submit a request. This still applies to businesses that fall under the new exemption.
It's also important to remember that if you sell personal information, you must create a "Do Not Sell My Personal Information" page to facilitate requests under the right to opt out. This is in addition to any requirements that apply to you in respect of the right to know.
You can build your CCPA Opt-Out code by following the steps below:
The toll-free number requirement might seem somewhat out-of-place in the broader context of the CCPA. After all, personal information exists in written form and is usually stored electronically.
Businesses have been quite critical of the toll-free number requirement. However, besides the limited exemption for businesses operating exclusively online, the toll-free number requirement remains part of the CCPA.
We're going to look at how you can use your toll-free number to help consumers make requests under the right to know and the right to delete.
Note that your business can directly manage its own toll-free number or hire a third-party service provider to manage one on its behalf. In either case, it's your responsibility to ensure that consumer requests are carried out in the proper way.
When processing a request via your toll-free number, it's important that you do not disclose or delete a consumer's personal information without verifying the identity of the person making the request.
The Attorney General provides some detail about the steps a business should take to verify a consumer's identity in the CCPA Proposed Regulations (these regulations are subject to change).
There are three main types of request that consumers can initiate by calling your toll-free number:
Your toll-free number can play a role in all three types of requests.
For "category requests" under the right to know, you must verify the consumer's identity to a "reasonable degree of certainty" by asking the consumer to confirm at least two data points that you hold about them.
For example, you could ask the consumer to confirm the value of an item that they purchased from your business on a specific date. In any case, you should try to identify a consumer via personal information that they have already provided to you.
You can use your toll-free number to receive a category request. The call handler could ask the consumer to confirm their identity and provide their contact details.
However, the call handler cannot provide the requested information over the phone. You must send the requested information through the consumer's account with your business (if they have one), physical mail, or email.
For "specific requests" under the right to know, you must verify the consumer's identity to a "reasonably high degree of certainty." This requires that you ask the consumer to:
Therefore, you will not be able to complete a specific request using only your toll-free number. Even though the call handler can confirm the consumer's identity over the phone, you will need to use another method to receive the consumer's signed declaration.
The call handler also cannot fulfill a specific request over the phone. You must send the consumer their personal information either:
Under the right to delete, a consumer can request that you delete any personal information you have collected about them.
Consumers can make a deletion request using your toll-free number, but you aren't required to provide a toll-free number for this purpose.
You have some discretion when verifying the identity of consumers making a deletion request. Consider the nature of the personal information and the potential impact of deleting it.
A consumer may request that you delete less sensitive personal information, such as your records of their account activity or contact details.
When deleting less sensitive personal information, you may only require a "reasonable degree of certainty" about the consumer's identity (as with a "category request" under the right to know). In this case, you may be able to verify a consumer's identity over the phone.
Alternatively, a consumer may request that you delete more sensitive personal information, such as legal documents or family photos.
When deleting more sensitive personal information, you may require a "reasonably high degree of certainty" about the consumer's identity (as with a "specific request" under the right to know).
In this case, you will be unable to verify a consumer's identity over the phone, as you will need to request "a signed declaration under penalty of perjury" stating that they are the consumer whose personal information you are deleting.
You must also "re-verify" the consumer's identity once you're ready to delete their personal information. This re-verification takes place as a separate interaction.
Here's an example from fitness company The Bar Method:
Note that The Bar Method integrates the information about its designated methods of submitting a request into its explanation of the CCPA consumer rights.
Here's another example from Mizzen and Main:
Take these steps to ensure you're compliant with this important part of the CCPA:
Ensure that your staff know how to fulfill a consumer request, including:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.