The CCPA as amended by the California Privacy Rights Act (CPRA) grants California consumers a series of privacy rights related to the collection, use and sale of Personal Information.
CCPA Rights and Requirements
Right to Know – Businesses must disclose categories of Personal Information that will be collected from clients and the purposes for which it will be used
- No additional data can be collected by a business until it has disclosed the categories and purposes for which it will be used
- A California resident has the right to make a “verifiable request” to know what personal information a business collects, has collected, the purposes for collecting and who the information is being shared with
Right to Access - Businesses that collect Personal Information must, upon receipt of a “verifiable request”, disclose the following covering the 12-month period preceding receipt of the request:
- Categories and specific items of Personal Information the business has collected about that consumer
- Categories of sources from which the business has collected personal Information about the consumer
- Business or commercial purposes for which the business collects, discloses or sells Personal Information
- Categories of 3rd parties with which the business shares the consumer’s Personal Information
Businesses that sell or disclose Personal Information must, upon receipt of a “verifiable request”, disclose the following covering the 12-month period preceding receipt of the request:
- Categories of Personal Information collected about the consumer
- Categories of Personal Information the business has sold for each 3rd party to whom it was sold
- Categories of Personal Information disclosed for business purpose
Businesses are required to provide at least two designated methods for submitting a request, including at a minimum, a toll-free number and a website address.
- Businesses must respond to requests within 45-days
- Consumers have the right to make a request no more than twice in one year from any given business
Right to Delete and/or Correct – Upon request by a consumer, a business must delete and/or correct any Personal Information about the consumer which the business has collected
- Businesses must delete and/or correct Personal Information from its records and direct its service providers to do the same
- Exceptions to the Right to Delete and/or Correct
- Completion of transactions for which the Personal Information was collected, provision of a good or service, maintenance of an ongoing business relationship with the consumer or performance of a contract between the business and consumer
- Detection of security incidents, protection against malicious, deceptive, fraudulent or illegal activities OR prosecution of those responsible for that activity
- Engagement in research
- Compliance with legal obligations
- Use of the Personal Information internally, in a lawful manner compatible for which it was provided
Right to Opt Out (Sale of Information) - Businesses must provide consumers with notice that their information may be sold and their right to opt out
- Consumers may opt out at any time
- Businesses must provide “a clear and conspicuous link” on the homepage of their websites titled “Do Not Sell My Personal Information”
- Third parties cannot sell Personal Information that has been sold to them by a business, unless the consumer has received explicit notice of the sale and is provided an opportunity to opt out
Right to Opt In (Minors) - Opt-in consent for consumers 16 years of age and under for businesses to sell the Personal Information
- Affirmative authorization is required from the consumer for those 13 to 16 years of age
- Affirmative authorization from a parent or guardian is required for consumers under 13 years of age
Right to Equal Services - CCPA prohibits a business from discriminating against a consumer for exercising any right under the act
- Business cannot deny or provide a different level or quality of goods or services to consumers who’ve exercised a right under the act
- Businesses cannot charge different prices for goods or services (including discounts) to consumers who’ve exercised a right under the act
- Businesses cannot suggest the consumer will receive a different price or rate or different level or quality of goods or services if they exercise a right under the act