CCPA Compliance Checklist

1. Develop a privacy plan for your organization
   1. Assign a privacy champion
   2. Update privacy policy
   3. Communicate policy to staff
   4. Implement the Data Subject Request form
      1. Make sure staff knows how to handle requests
      2. Make this available in your privacy policy and other easily located areas of your website, as well as for people who may walk into your business.
      3. Work with your legal team to understand exemptions
      4. Know where data is stored (other place than just website – ie: circ/advertising systems)
         1. This includes at least a high level Data Map
      5. A DSR can be one of the following types:
         1. Access their personal information (also known as an “Access Request”)
         2. Rectify or correct their personal information (also known as a “Rectification Request”)
         3. Delete their personal information (also known as a “Deletion Request”)
         4. Object to or restrict processing of their personal information
         5. Opt-out of the sale of their personal information (also known as an “Opt-Out Request”)
         6. Obtain their personal information in a portable form (also known as a “Portability Request”)
      6. Potential Data Deletion Request exemptions
         1. Requestor is NOT a resident in the European Economic Area or US.
         2. Requestor is a resident in the European Economic Area, AND the personal information is necessary for one of the following:
            1. To comply with a legal obligation.
            2. To exercise the right of freedom of expression and information.
            3. For archiving purposes in the public interest, scientific research historical research or statistical purposes.
            4. For the performance of a task carried out in the public interest or in the exercise of official authority.
            5. For the establishment, exercise or defense of legal claims.
            6. Information is used internally in a manner that is compatible with the context of the collection.
            7. Information is necessary for one of the following:
               1. To comply with a legal obligation.
               2. To exercise the right of freedom of expression and information.
               3. For archiving purposes in the public interest, scientific research historical research or statistical purposes.
               4. For the performance of a task carried out in the public interest or in the exercise of official authority.
               5. For the establishment, exercise or defense of legal claims.
         3. Requestor is a resident of California (US in general), AND one of the following applies:
            1. To comply with a legal obligation.
            2. To promote free speech.
            3. For scientific, historical or statistical research in the public interest.
            4. To complete a transaction requested by the data subject or to perform a contract.
            5. To detect security incidents.
            6. To protect against deceptive, fraudulent or illegal activity.
            7. To identify and repair errors.
            8. For internal uses of a company, if those uses are reasonable expected by consumers.
   5. Implement “Do Not Sell My Information” link on your site
      1. Use either the TownNews Utility: Copyright block or OneTrust link builder
      2. Note that on your website this is probably just related to programmatic ads, but if you are selling customer information (or sharing it for value) with another vendor, you need to have a way of communicating that request.
      3. Should be linked with instructions in your privacy policy as well
      4. You should also have an 800 number for users to call to opt-out. This is part of CCPA.
   6. Implement a Cookie Acceptance Tool.
      1. TownNews has integrated with OneTrust and will automatically handle this for any TownNews core scripts and functions.
      2. We will also provide documentation on how you can use this to control other 3^rd party widgets you may place on your website.
      3. If you choose to partner with another Cookie Consent vendor, then you will need to make your own integration

Categories of personal information: This was pulled from https://reciprocitylabs.com/resources/what-are-the-ccpa-categories-of-personal-information/

1. Identifiers: Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
2. Customer records information: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, other financial information, medical information, health insurance information
3. Characteristics of protected classifications under California or federal law: Race, religion, sexual orientation, gender identity, gender expression, age
4. Commercial information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
5. Biometric information: Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data
6. Internet or other electronic network activity information: Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement
7. Geolocation data
8. Audio, electronic, visual, thermal, olfactory, or similar information
9. Professional or employment-related information
10. Education information: Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
11. Inferences

OneTrust/CookiePro: 

1. Go to the link https://www.cookiepro.com/pricing/?referral=TOWNNEWS2020
2. Purchase the level of customization you would like
3. You can also purchase training package from them if you would like
4. Follow steps outlined here to implement.

OneTrust CCPA Opt-Out Tool: https://www.cookiepro.com/ccpa-opt-out/builder/

Consulting Support:

Michelle De Mooy, mdemooy@gmail.com

Good Legal Resource:

BCLP Law (Bryan, Cave, Leighton, Paisner) – www.bclplaw.com

 Local Media Consortium Webinars

              Large Market:  https://www.youtube.com/watch?v=Q34Yd2yy0u8

              Small Market:  https://www.youtube.com/watch?v=EioJB9Z55Nc

TownNews Data Subject Request Form:

https://bloximages.chicago2.vip.townnews.com/townnews.com/content/tncms/assets/v3/editorial/9/79/9793a8ac-aa70-11ea-ab70-e32896cd6d93/5edfbce4bf639.file.zip