The California Consumer Privacy Act (Part Two of Three)

This group of Frequently Asked Questions (FAQ) about the more notable provisions of the CCPA is the second of three-part series.  Part 1 addresses the scope and applicability of the statute and Part 3 addresses reasonable security standards and other compliance considerations.   

What Consumer Rights Does the CCPA Ensure?

A stated purpose of the Act is to further Californians’ privacy rights by providing consumers with steps they can take to effectively control their personal information.  These steps seek to ensure the following privacy rights as delineated in the Act: 

  • the consumer’s right to know what personal information is being collected about them;
  • the consumer’s right to know whether their personal information is sold or disclosed and to whom;
  • the consumer’s right to say no to the sale of their personal information;
  • the consumer’s right to access their personal information; and
  • the consumer’s right to equal service and price, even if they’ve exercised their privacy rights.

How Does the CCPA Ensure Consumer Privacy Rights?

To ensure the above stated privacy rights, the Act provides that consumers have the right to request that a covered business that collects their personal information disclose:

  • the categories of personal information collected;
  • the sources from which their personal information is collected;
  • the business or commercial purpose for the collection or sale of their personal information;
  • the categories of third parties with whom their personal information is shared; and
  • the specific pieces of personal information collected about them.    

The Act also provides that a consumer has the right to request that a covered business delete any personal information about the consumer that it has collected.

The Act provides that consumers have the right to request that a covered business that sells their personal information or that discloses it for a business purpose disclose:

  • the categories of personal information that the business collected about the consumer;
  • the categories of information that the business sold about the consumer;
  • the categories of parties to whom their personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold; and
  • the categories of personal information that the business disclosed about the consumer for a business purpose.

With respect to a covered business that sells consumers’ personal information, the Act also provides that, at any time, a consumer has the right to opt out of the sale – which means that the consumer can direct the business not to sell their personal information to third parties. 

The Act provides that a businesses may not discriminate against consumers who exercise any of the above rights by:

  • Denying goods or services;
  • Charging different prices or rates for goods or services or suggesting they will receive a different price or rate for goods or services; or
  • Providing a different level or quality of goods or services or suggesting that they will receive a different level or quality of goods or services (1).

What Are Some of the Obligations That the CCPA Imposes on Covered Businesses?

Under the Act, covered businesses are required to make available to consumers two or more designated methods for submitting their requests for information that businesses are required to disclose.  These methods must, at a minimum, include a toll-free telephone number and, if the business maintains an internet website, a website address.

Covered businesses that receive verifiable requests for information are required to disclose and deliver the requested information to the consumer free of charge within 45 days of receiving a request.  The 45-day time period may be extended once by an additional 45 days when reasonably necessary, as long as the consumer is notified of the extension within the first 45-day period.  The disclosure must:

  • Cover the 12-month period preceding receipt of the request;
  • Be in writing and delivered through the consumer’s account with the business; or
  • If the consumer does not maintain an account (2), by mail or electronically, at the consumer’s option; and
  • In a readily usable format that allows the consumer to transmit this information from one entity to another without hindrance.

Covered businesses that receive a verified request from a consumer to delete their personal information must delete the information from their records and direct any service providers to delete the consumer’s information from their records.  Exceptions to this obligation include, among other things:

  • Information necessary to complete the transaction for which the personal information was collected;
  • Information necessary to provide a good or service requested by the consumer;
  • Information necessary to detect security incidents;
  • Information necessary to comply with a legal obligation; and
  • Information necessary to otherwise use the consumer’s personal information internally in a lawful manner that is compatible with the context in which the consumer provided the information.

Covered businesses must ensure that individuals responsible for handling consumer inquiries about privacy practices or compliance with the Act are informed of the Act’s requirements that apply to consumer rights and know how to direct consumers to exercise those rights.

For consumers who exercise their right to opt out of the sale of their personal information, covered businesses are required to refrain from selling personal information collected about the consumer.  The business must respect the consumer’s decision to opt out of the sale for at least 12 months before requesting that the consumer authorize the sale of their personal information.

What Are Some of the Required Disclosures Under the CCPA?

The Act requires a business to disclose the following information in its online privacy policy (if it has one) and in any California-specific description of consumers’ privacy rights or, if the business does not maintain those policies, on its website:

  • A description of consumers’ right to disclosure of information covered by the Act and of consumers’ right to non-discrimination; 
  • One or more designated methods of submitting requests;
  • A list of the categories of personal information it has collected about consumers during the preceding 12 months;
  • A list of the categories of information it has sold about consumers during the preceding 12 months; and
  • A list of the categories of personal information it has disclosed about consumers for a business purpose during the preceding 12 months.

The Act also requires covered businesses that collect personal information about consumers to disclose the consumer’s right to request the deletion of their personal information.

The Act requires businesses that sell consumer’s personal information to disclose the consumer’s right to opt out of the sale.  To that end, businesses are required to include on their home page a clear and conspicuous link with the title “Do Not Sell My Personal Information” which, when activated will allow consumers to opt out of the sale of their personal information.  Businesses that sell consumers’ personal information are also required to include a description of the consumer’s right to opt out of the sale along with a separate link to the “Do Not Sell My Personal Information” web page in its online privacy policy (if it has one) and in any California-specific description of consumers’ privacy rights. 

Check this space for Part 1 and Part 3 of the FAQ series.  For questions about or assistance with the CCPA, I can be reached at kathy@kdwinger.com or 520-391-4475.

(1) – The Act does, however, permit a business to offer financial incentives, including payments to consumers as compensation, for the collection, sale or deletion of personal information.  If a business does so, it must notify consumers of the financial incentives and the consumer must give the business prior opt-in consent.  However, a business may not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

(2) – Businesses may not require that a consumer create an account with the business in order to make a verifiable request.

The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.   

Connect

FacebookLinkedIn
Back To Top