California’s New Privacy Tool: The Consumer Privacy Interactive Tool

​The California Attorney General (AG) has released the Consumer Privacy Interactive Tool designed to make it simple for consumers to protect the rights granted to them under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). The tool is designed to make it easy for consumers to draft notices of noncompliance to send to businesses that collect data from California consumers.

What does the Consumer Privacy Interactive Tool do?

At the moment, the tool is only equipped to help consumers draft notices to businesses that sell personal information and do not have a clear and conspicuous “Do Not Sell My Personal Information” link on their websites. Consumers are asked to answer a few basic questions, before receiving a draft notice that they can copy into an email or print out and send to the business.

What does the new privacy tool mean for businesses?

The reason this is significant for businesses is that the consumer sending this notice may trigger the 30-day requirement to ‘cure’ violations of the CCPA. This notice and opportunity to cure is a prerequisite for the AG bringing an enforcement action against your business, so it should be treated seriously.

Action Items for businesses that collect personal information from California residents

The California AG also issued a summary of its CCPA enforcement activity since the law went into effect in January 2020. The summary includes illustrative examples of the types of non-compliance which prompted the AG to take action and provides a roadmap to businesses looking to understand what they should avoid doing. Key takeaways include the following:

• Notice at Collection. Your notice of collection needs to be provided either at or before your business collects personal information from a consumer. You should ensure your notice appears to consumers in a timely manner and in a clear and easily comprehensible format.
• Privacy Policy. Your privacy policy must outline your practices for the collection, use, sharing, and sale of personal information collected online and offline. It should also contain details for consumers on their rights and how to exercise them.
• “Do Not Sell My Personal Information” link. If your business discloses personal information to third parties for monetary consideration or anything of value you must post an easy-to-find “Do Not Sell My Personal Information” link on your website. Remember that sharing personal information with third-party advertising and analytics providers counts as a sale.
• CCPA Requests to Know and Delete. Your business should also stress test and streamline its internal processes designed to manage consumer requests regarding their ‘right to know’ and ‘right to delete’. Make sure your privacy policy explains how consumers can submit these requests and make sure you are prepared to respond quickly.

Does your business need to comply?

While businesses that don’t fall within the scope of California privacy law may not be subject to enforcement action as a result of non-compliance with the CCPA, there are compelling reasons to put strong privacy protocols in place anyway. Consumers increasingly expect businesses to make it easy for them to manage their privacy, and regulators are attempting to keep up with this expectation (as we see with the laws banning dark patterns, as well as the growing patchwork of privacy rights across the US). Moreover, businesses that align with consumer privacy expectations enjoy a competitive advantage, increased loyalty, and a better reputation.

For assistance managing consumer privacy at your business, get in touch. We’re here to help!

• Privacy