The CCPA: California Consumer Privacy Act is one of the most comprehensive privacy laws in the United States. Largely inspired by the European Union’s General Data Protection Regulation (“GDPR”), the CCPA provides consumers with a broad array of rights pertaining to their personally identifiable information (“PII”) that is collected by businesses.
This article will provide an overview of CCPA consumer rights. In addition to California, many other states have enacted, or in the process of enacting, comprehensive privacy legislation. Similarly to the CCPA, these privacy laws will significantly expand consumer control over how PII is collected and disclosed. The CCPA provisions discussed here are likely a glimpse into the future of privacy law in the United States. Preparing for the future will go a long way towards ensuring your business remains compliant and avoids potentially crippling fines and lawsuits.
This article will discuss five CCPA consumer rights:
- The right to notice;
- The right to deletion;
- The right to access;
- The right to opt-out of the sale of PII; and
- The right to non-discrimination.
CCPA consumer rights: the right to notice
At or before the point of the collection of a consumer’s PII, consumers are entitled to be notified of the categories of PII to be collected as well as the purposes for which the categories of PII will be used. If the business collects additional categories of PII or uses the collected PII for additional purposes, consumers must again be notified. Essentially, this means that one notice to consumers is not enough to lawfully comply with the right to notice. If the business’s PII collection and/or use policies materially change, there is a significantly high chance that consumers must be notified.
Additionally, businesses must provide a number of disclosures to consumers within their online Privacy Policies. These disclosures include the following:
- A description of the consumer’s rights under the CCPA, including one or more methods for submitting requests pursuant to those rights
- A list of categories of consumers’ personal information that the business has collected within the last 12 months, by reference to two lists:
1) a list of categories of personal information that the business has sold in the last 12 months; and
2) a list of categories of personal information that the business has disclosed in the last 12 months
The right to deletion
The CCPA provides consumers with the right to request the deletion of their collected PII under certain circumstances. Provided that the business is able to verify the identity of the requestor or the requestor’s designated agent, the business must delete the PII from its records and direct any service provider handling the PII to delete the data from its records as well.
However, the deletion right under the CCPA is not absolute. If the business and/or service provider requires the PII to complete a transaction, perform a service, comply with legal obligations, monitor a system’s security, or perform a variety of other tasks, deletion of the consumer’s PII is not required under the law.
CCPA consumer rights: the right to access
Under the CCPA, consumers may request that businesses make disclosures consisting of the following:
- Specific pieces of PII that a business has collected from the consumer;
- Categories of PII that the businesses has collected from the consumer;
- Categories of the sources from which the PII was collected;
- Categories of PII that the business has sold or disclosed for a business purpose;
- Categories of third parties to whom the PII was sold or disclosed for a business purpose; and
- The business or commercial purpose for collecting or selling the PII.
Similarly to deletion requests, businesses must verify the authenticity of the request before responding with the requested disclosures. Moreover, the CCPA requires that disclosures to consumers cover a 12-month period preceding the business’s receipt of the request.
Pursuant to fulfilling a consumer’s disclosure request, businesses must provide “portable” information within the disclosure. This “data portability” right is similar to what is provided by the European Union’s GDPR. Essentially, for data to be “portable,” it must be easily and readily transferable from one entity to another. To illustrate, restrictions on the data, such as encryption technology preventing easy access, may prevent the data from being easily transferable and thus noncompliant with the data portability requirement as found in the CCPA.
The right to opt-out of the sale of PII
Consumers also have the ability to opt-out of the sale of their collected PII under certain circumstances. Once the business receives the opt-out request, no verification of the requestor is required by the CCPA. The business must promptly end the sale of the PII to third parties. Businesses are required to wait at least 12 months before asking the consumer to opt-in or authorize the sale of their collected PII.
If businesses have “actual knowledge” that a consumer is less than 16 years old, businesses are prohibited from engaging in the sale of the consumer’s PII, irrespective of whether an opt-out request is received from the consumer. To illustrate this concept, businesses may possess “actual knowledge” that a consumer is less than 16 if users must provide their ages upon entering a website. If a user fills out a form indicating that he or she is less than 16 and the business has access to this document, this would most likely qualify as “actual knowledge” of the consumer’s minor status. This knowledge would prevent the business from selling the PII provided by the minor.
But businesses may engage in the sale of a minor’s PII under certain conditions. For minors between the ages of 13 and 16, these individuals may authorize, or “opt-in,” to the sale of their PII to third parties. If the consumers are less than 13, a parent or guardian may authorize the sale of the PII.
CCPA consumer rights: the right to non-discrimination
If a consumer chooses to exercise a right under the CCPA, the business is prohibited from engaging in the following activities:
- Denying goods or services to the consumer
- Charging different prices for goods or services
- Providing a different quality of the good or service
- Relaying to the consumer that she will receive a different price or quality of the good or service
Otherwise known as the right to “nondiscrimination,” businesses must also provide notice to consumers of this right within their online Privacy Policies.
However, the CCPA provides a broad exception that allows businesses to circumvent the right to non-discrimination. Provided that the value of the consumer’s data is reasonably related to the difference in price or the quality of the good or service provided, the business is entitled to provide a different price or quality to consumers who have exercised their CCPA rights.
Tyler is a third year law student attending Seton Hall University School of Law. He is a Certified Information Privacy Professional (CIPP/U.S.) as well as the Founder and President of the Cybersecurity and Privacy Society of his law school, a student organization dedicated to exploring major legal issues in all things technology, from data privacy to Artificial Intelligence. The organization is also dedicated to helping law students find career opportunities in the growing fields of cybersecurity and privacy.