Skip to main content

Overview of the California Consumer Privacy Act

The CCPA as amended by the California Privacy Rights Act (CPRA) grants California consumers a series of privacy rights related to the collection, use and sale of Personal Information.

CCPA Rights and Requirements

Right to Know – Businesses must disclose categories of Personal Information that will be collected from clients and the purposes for which it will be used

  • No additional data can be collected by a business until it has disclosed the categories and purposes for which it will be used
  • A California resident has the right to make a “verifiable request” to know what personal information a business collects, has collected, the purposes for collecting and who the information is being shared with

Right to Access - Businesses that collect Personal Information must, upon receipt of a “verifiable request”, disclose the following covering the 12-month period preceding receipt of the request:

  • Categories and specific items of Personal Information the business has collected about that consumer
  • Categories of sources from which the business has collected personal Information about the consumer
  • Business or commercial purposes for which the business collects, discloses or sells Personal Information
  • Categories of 3rd parties with which the business shares the consumer’s Personal Information

Businesses that sell or disclose Personal Information must, upon receipt of a “verifiable request”, disclose the following covering the 12-month period preceding receipt of the request:

  • Categories of Personal Information collected about the consumer
  • Categories of Personal Information the business has sold for each 3rd party to whom it was sold
  • Categories of Personal Information disclosed for business purpose

Businesses are required to provide at least two designated methods for submitting a request, including at a minimum, a toll-free number and a website address.

  • Businesses must respond to requests within 45-days
  • Consumers have the right to make a request no more than twice in one year from any given business

Right to Delete and/or Correct – Upon request by a consumer, a business must delete and/or correct any Personal Information about the consumer which the business has collected

  • Businesses must delete and/or correct Personal Information from its records and direct its service providers to do the same
  • Exceptions to the Right to Delete and/or Correct
  • Completion of transactions for which the Personal Information was collected, provision of a good or service, maintenance of an ongoing business relationship with the consumer or performance of a contract between the business and consumer
  • Detection of security incidents, protection against malicious, deceptive, fraudulent or illegal activities OR prosecution of those responsible for that activity
  • Engagement in research
  • Compliance with legal obligations
  • Use of the Personal Information internally, in a lawful manner compatible for which it was provided

Right to Opt Out (Sale of Information) - Businesses must provide consumers with notice that their information may be sold and their right to opt out

  • Consumers may opt out at any time
  • Businesses must provide “a clear and conspicuous link” on the homepage of their websites titled “Do Not Sell My Personal Information”
  • Third parties cannot sell Personal Information that has been sold to them by a business, unless the consumer has received explicit notice of the sale and is provided an opportunity to opt out

Right to Opt In (Minors) - Opt-in consent for consumers 16 years of age and under for businesses to sell the Personal Information

  • Affirmative authorization is required from the consumer for those 13 to 16 years of age
  • Affirmative authorization from a parent or guardian is required for consumers under 13 years of age

Right to Equal Services - CCPA prohibits a business from discriminating against a consumer for exercising any right under the act

  • Business cannot deny or provide a different level or quality of goods or services to consumers who’ve exercised a right under the act
  • Businesses cannot charge different prices for goods or services (including discounts) to consumers who’ve exercised a right under the act
  • Businesses cannot suggest the consumer will receive a different price or rate or different level or quality of goods or services if they exercise a right under the act
CCPA Consumer Privacy Request Form