Service Usage Guidance

What Does This Document Explain?

How do I Receive Consumer Privacy Requests?

What do I do When I Receive a Privacy Request?

How do I use CCPA Toll Free to Handle Each of the Steps?

How Does Auto Verification Work in Detail?

Can CCPA Toll Free Automate Additional Steps?

Where Can I Learn More About How to Handle CCPA Requests?

What Does This Document Explain?

This document assumes you have already configured CCPA Toll Free according to our Implementation Guidance and it explains what to do once you receive a privacy request.

How do I Receive Consumer Privacy Requests?

Consumers can place a privacy request via one of four methods:

1. Calling 866-I-OPT-OUT and entering your Service Code
2. Calling any dedicated phone number we have provided to you and entering a menu option if your hotline requires a consumer to enter one
3. Submitting an interactive web form request from a web form you have embedded in your privacy policy using the Integration Help button here.
4. Submitting an interactive web form request from a web form we host for you using our hosted web forms service.

When you receive a privacy request via any of the above methods, we will send you an email assuming you have subscribed to email alerts here. We recommend enabling “Near Real Time Updates” to start with, and then switching to Daily Summary Emails or Friday Summary Emails if your request volume is high. We also recommend you enable “48 Hours Deadline Approaching Warning“ so we can email again if you have not marked a request as Completed in your dashboard before the CCPA’s 45/90 day deadline. Emails will come from “Privacy Toll Free Support <do-not-reply@privacytollfree.com>” so please whitelist this domain.

What do I do When I Receive a Privacy Request?

Processing a privacy request requires it to be (1) Acknowledged, (2) Completion Deadline Extended (optional), (3) Consumer ID Verified and (4) Completed / Fulfilled. The Privacy Requests Tab in the CCPA Toll Free dashboard provide a series of checkboxes that you can check to update and track the status of each request as it flows through these steps:

As you check or uncheck each of the boxes, we log the date, time, request ID and user who took each of these actions in the Audit Trail to help you document your compliance:

Note you can see the unique request ID for each privacy request in the details screen for the request (accessible by clicking the details icon shown above in the Privacy Requests Tab).

How do I use CCPA Toll Free to Handle Each of the Steps?

We automate certain steps, and the remaining steps are handled outside of the CCPA Toll Free platform. Here is a step-by-step guide to responding to a privacy request:

1. Review the Request—as described above, we’ll email you when you receive a request; click the View Request button in email to see the Details screen for the request. On this page, for voicemail requests, you can listen to the request and categorize it as belonging to one of the for core CCPA rights by checking the corresponding boxes:

If the request pertains to a different type of valid CCPA request (e.g., opt-in to data sales), you can document that in the compliance notes section of the Details screen. Note: Compliance notes are internal only; we do not email them or any documents you attach to them to consumers. When you check off one of the boxes shown above, we both mark an entry in the Audit Trail and also execute a webhook event as recorded in the Webhooks / API tab. In advanced CCPA Toll Free implementations, you can use these events to automate responses to various request types (e.g., adding a consumer to your external opt-out list when you check off a request as a Do Not Sell request).

For web form requests, the details page will show you the boxes the consumer checked when they submitted the request. As with voicemail requests, you can trigger a webhook/API event upon receipt to take automated action in response to requests.  

Once you have reviewed a request, you may wish to update its Completion Status shown in the Details screen for the request to “Pending” as shown in Step 6 below. This can be helpful if you have multiple persons responsible for checking and fulfilling requests in CCPA Toll Free dashboard, as it will let them know that a request is in process. You may also wish to add a Compliance Note to the Details screen acknowledging which dashboard user is handling the request.  

2. Acknowledge the Request—CCPA regulations require you to do so within 10 days of receipt of the request. For webform requests, we automatically send the consumer an email as shown below acknowledging the request. For toll-free number requests, we send the same email when you listen to a voicemail and type the consumer’s email into the “Requestor Email to Verify” field on the details page for the request and click “Send Verification Email” as shown here:

 
If a consumer verifies their email by clicking the “Verify Email Address” button in the verification email within 7 days of receipt, we automatically check off Acknowledged in the dashboard, and make a corresponding entry in the Audit Trail under the username Automated Workflow:

We also update the Details page for the request with the consumer verified their email and the IP address of the device they used to verify it:

If automatic email verification does not occur for any reason, you may wish to take additional steps to acknowledge the request. If those steps succeed, you should  manually check the “Acknowledged” box and you may wish to leave a compliance note at the bottom of the Details page to document how you provided the acknowledgement.

3. Verify the Consumer’s Identity—required for all request types except Do Not Sell requests and Tell Me More requests where you are responding with general information only (i.e. no disclosure of personal information to the consumer).
   

If your method of verifying requests consists of verifying the consumer’s email address, you can check off a request as Verified as soon as you have obtained an email verification as per Step 1 above. If you have a different method of verifying the consumer’s identity, you can handle that as needed outside of the CCPA Toll Free platform. We recommend including in any communications with the consumer the CCPA Toll Free assigned unique Request ID so that you can tie those communications back to the corresponding request in the dashboard (cut and paste the ID provided in the Details screen for the request).

If an agent has made the request on behalf of the consumer, you should follow your internal procedures for verifying these requests (e.g., you can require the consumer to demonstrate that they’ve authorized the agent in a signed document by collecting a copy of it, and you can separately verify the consumer’s identity). You may wish to attach any agent authorization documents to a compliance note using the Add Document button.

If you need further assistance with verifying requests, including automating request verification that is not based on an email address, contact support@ccpatollfree.com.  

4. Extend the Deadline (optional)—if you need more than 45 days to complete a request, tell the consumer why you need more time, and per the CCPA you can extend the completion date by an additional 45 days to 90 days in total. You can inform the consumer via email from your normal customer support email or a call back. If you email, copying and pasting the Request ID shown in the Details screen for the request into your email so that you can tie that communication back to the request in the dashboard. After you inform the consumer, check off the Extended box in the CCPA Toll Free dashboard and we will automatically update the due date for the request to 90 days from receipt.

5. Complete the Request—fulfill any valid request you receive from a verified consumer (if verification is required), or let the consumer know why you cannot fulfill their request. For sample request denial emails, see our CCPA Email Response Templates.
   

To fulfill a request, you may need to take different actions outside of the CCPA Toll Free dashboard based on the request type and the information you collect about consumers.

To fulfill a Data Access request, be sure to send the data via a secure method. We recommend adding the data to an encrypted a zip file and sharing it with the consumer using the following process: (1) go to onetimescret.com and click the “generate a random password” button; (2) note the password shown and use it to encrypt the zip file; (3) copy the link provided by onetimescret.com and email it to the consumer, asking them to confirm when they have written down the password shown at the link (hint: remind them to write the password down the first time they click the link because the link will only work once); (4) email the consumer the encrypted zip file along with instructions for decrypting it.

For Tell Me More, Data Deletion and Do Not Sell requests you will need to take other appropriate action based on the data you collect. For help automating responses to all request types, contact support@ccpatollfree.com.

Whenever you email a consumer about their request, copy and paste the Request ID shown in the Details screen for the request into your email so that you can tie that communication back to the request in the dashboard.

6. Document the Request Disposition—after you fulfill or deny a request, use the Completion Status field in the Details screen for the request to select the final disposition of the request as shown here:

For example, marking a request as Fulfilled, or if you are denying a request, mark it as Spam (i.e. not a privacy related request), Withdrawn by the consumer, Unverifiable or Other. We also recommend creating a brief compliance note upon completion detailing the action taken (e.g. “Fulfilled by marc@companyemail.com on 08.14.20 by emailing requested information to user@gmail.com”). For a more complete compliance record, you can also use the Add Document button to include with any compliance note a copy of the data distributed to fulfill the request.  

How Does Auto Verification Work in Detail?

When a consumer submits a web form request, or when you listen to a voicemail and type the consumer’s email into the “Requestor Email to Verify” field on the details page for the request and click “Send Verification Email” we send the following email:

From: Privacy Request Email Verification <verification@privacytollfree.com>

To: [consumer email provided]

Subject: [Your Company Name] Privacy Request via CCPA Toll Free

When a consumer clicks the Verify Email Button, they will be taken to a webpage with the following information:

If the request has expired, the page will read as follows (this example is from a request that originated from a webform hosted by CCPA Toll Free—no URL is shown when the request originated from the toll-free number or webform embedded in your privacy policy):

Can CCPA Toll Free Automate Additional Steps?

Yes. As noted above, you may use our webhooks or API capabilities to automate your responses to requests—both verifying consumers and fulfilling requests. Automation generally requires a systems integration between CCPA Toll Free and your other IT systems. We can provide systems integration services upon request for an additional fee. Contact support@ccpatollfree.com to learn more.

Where Can I Learn More About How to Handle CCPA Requests?

We provide a free 30 minute video training course available at www.CCPAFreeTraining.com that covers the CCPA in detail, including the final Attorney General regulations. We also publish the lecture slides and provide a free training certificate to anyone who completes the learning questions.