Preparing for the California Consumer Privacy Act · 2018. 11. 1.



Post on 13-Sep-2020



EXLSERVICE.COM © 2018 EXLSERVICE HOLDINGS INC. ALL RIGHTS RESERVED

Effective July 1, 2020, the California Consumer Privacy Act (CCPA) of 2018 will expand the privacy rights of California consumers beyond the existing law, which requires confidentiality of personal information and disclosure in the event of a security breach.

What are the Sanctions or Remedies?

• Civil penalties of up to $7,500 per violation

• Statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater

Time to Compliance

July 1, 2020, is when key requirements go into effect and companies must be compliant with CCPA

Who Does the New Privacy Law Cover?

The new Act covers information related to all California residents, including those temporarily outside the state for purposes such as traveling

Who Must Comply?

Businesses meeting at least one of these conditions:

• $25+ million in annual revenue

• Trade in the data of 50,000 or more persons or household devices

• Derive 50% or more revenue from selling personal consumer information

CALIFORNIA CONSUMER PRIVACY ACT OF 2018

PREPARING FOR THE CALIFORNIA CONSUMER PRIVACY ACT

What businesses need to know in order to comply with this regulation by 2020



For more information about Regulation Compliance or other services, please visit www.exlservice.com.

Arvind Mehta, Vice President, IT Advisory, +1.646.462.9100, [email protected]

Jagmeet Singh, Global Head, Finance Transformation, +1.917.535.6185, [email protected]

1. Data mapping and inventory: Maintain an inventory of personal information stored. Document data flow, data sources, storage locations, usage, and recipients

2. Online privacy policy: Update online privacy policies with newly required information, including a description of California residents’ rights

3. “Do not sell my personal information” link: Provide a clear and conspicuous “do not sell my personal information” link on the business’ Internet homepage, allowing users to opt out of the sale of their personal information

4. Handling data access requests: Make available designated methods for submitting data access requests, including, at a minimum, a toll-free telephone number

5. Personal information record history: Maintain a record of the categories of personal information (PI) collected, the sources from which PI was collected, the business purposes, and the third parties to whom the data was disclosed or sold during the preceding 12 months

6. Develop alternative business models: Create alternative business models and web/mobile presences such as:

• California-only sites and offerings, and charging for formerly free services. Per law, a company has the ability to impose service charges on California residents who object to alternate forms of data monetization

7. Implement new systems and processes for consumer identity verification: Fund and implement new systems and processes to comply with the new requirements, such as:

• Verify the identity and authorization of persons who make requests for data access, deletion or portability

• Respond to requests for data access, deletion and portability within 45 days

• Avoid requesting opt-in consent for 12 months after a California resident opts out

8. Factor age in data collection: Determine the age of California residents and implement processes to obtain parental or guardian consent for minors under 13 years of age, and the affirmative consent of minors between 13 and 16 years of age for data sharing

Civil Code Sections and Privacy Rights of California Residents

• 1798.100 – Right to Disclosure – Point of Collection: Rights to disclosure of categories and specific pieces of personal information (PI) and its usage at or before point of collection

• 1798.105 – Right to be Forgotten: Rights to request deletion of personal information from business records and its direct service providers

• 1798.110 – Right with Businesses that ‘Collect’ PI: Right to know categories and specifics of PI collected, as well as its sources; business purpose and categories of third party providers

• 1798.115 – Rights with the Businesses that ‘Sell’ PI: Right to know categories of PI collected, PI sold, third parties to whom it was sold, and business purpose

• 1798.120 – Right to Opt Out: Rights to opt out of sale of PI by businesses to third parties

• 1798.125 – Protection Against Discrimination: Right to protection from any discrimination action, such as the refusal of goods or services, to individuals that exercise their privacy rights

Key Requirements for Compliance to Civil Sections Under California Consumer Privacy Act 2018

[Figure: the eight key requirements: 1. Data Mapping and Inventory; 2. Online Privacy Policy; 3. “Do Not Sell My Personal Information” Link; 4. Handling Data Access Requests; 5. Personal Information Record History; 6. Develop Alternative Business Models; 7. Implement New Systems and Processes for Consumer Identity Verification; 8. Factor Age in Data Collection]