One of the biggest responsibilities for businesses covered by the California Consumer Privacy Act (CCPA) is to facilitate consumers' rights under the law. And the CPRA expanded the rights granted under the CCPA.

This means putting systems in place to allow consumers to make consumer rights requests, and then fulfilling those requests in a legally compliant manner.

This article will help you understand the consumer rights under the CCPA (CPRA), what you need to know and what you need to do when it comes to each of the rights.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.


  2. Answer some questions about your website or app.


  3. Answer some questions about your business.


  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."


    You'll be able to instantly access and download your new Privacy Policy.

The Right to Notice

The right to notice requires you to provide consumers with notice of your company's practices regarding the collection, use, sale, and sharing of personal information.

The CCPA (CPRA) identifies these types of notice:

  1. Privacy Policy
  2. Notice at collection
  3. Notice of the right to opt out
  4. Notice of financial incentive

Below is an overview of each notice. For a more in-depth look at this topic, see our articles The CCPA/CPRA's Four Consumer Notices and CCPA (CPRA) Notices.

A Privacy Policy

Your Privacy Policy is one of the CCPA/CPRA's notices. Broadly speaking, it should include:

  • A comprehensive summary of how your business collects, sells, and shares personal information
  • An explanation of the CCPA (CPRA) consumer rights

Under the CCPA (CPRA), every business needs a Privacy Policy.

For a comprehensive guide to creating a CCPA/CPRA-compliant Privacy Policy, see our article CCPA (CPRA) Privacy Policy Checklist.

Notice at Collection

When you collect personal information from consumers, you must provide "notice at collection."

Your notice at collection should:

  1. Provide a list of which categories of personal information you're collecting
  2. Explain the business or commercial purposes for which you are collecting each category of personal information
  3. Provide a link to your "Do Not Sell My Personal Information" page, if you have one
  4. Provide a link to your Privacy Policy

Alternatively, you can link to a section in your Privacy Policy that includes the information above.

Here's how Right Toyota covers all these bases (and more) in its notice at collection.

First, Right Toyota provides a table identifying what types of personal information the business collects:

Right Toyota Privacy Policy and California Consumer Notice: Chart with what info is collected and for what business purpose

Note that Right Toyota helpfully explains the scenarios in which it collects the personal information.

Next, the company provides a key that links with the "business purposes" for collecting personal information in the table above.

Right Toyota Privacy Policy and California Consumer Notice: Business Reason key chart

Right Toyota goes beyond the CCPA/CPRA's requirements here and provides a great level of transparency for consumers.

Notice of the Right to Opt Out

If you sell personal information, you must provide notice of the right to opt out via a link on your website homepage, and/or mobile app landing or download page, reading "Do Not Sell My Personal Information" or "Do Not Sell My Info."

Your "Do Not Sell My Personal Information" page must:

  1. Explain the right to opt out
  2. Provide a web form that enables consumers to opt out of the sale of their personal information
  3. Provide at least one other designated method for submitting a request to opt out (e.g. a toll-free number, an email address, or a paper form).

For more information, see our article How to Create and Display a "Do Not Sell My Personal Information" Page.

Notice of Financial Incentive

You only need to give notice of financial incentive if you operate a financial incentive scheme, such as a loyalty program.

The CCPA/CPRA's provision on financial incentives allows businesses to offer consumers bonuses in exchange for their personal information without violating the right to non-discrimination. The bonuses that a business offers must be based on the actual value that the business derives from the personal information.

A notice of financial incentives must:

  1. Provide a summary of the financial incentive scheme
  2. Explain the scheme's terms and identify the categories of personal information requested from consumers
  3. Explain how to opt into the scheme
  4. Explain how to withdraw from the scheme
  5. Explain how the benefits to consumers are related to the value of their personal information:

    1. Give a good-faith estimate of how much the consumer's personal information is worth to the business
    2. Describe how you calculated the value

Alternatively, you can link to a section in your Privacy Policy that includes the information above.

The Right to Know

The right to know allows consumers to request a summary of the personal information you have collected about them, and a copy of the specific pieces of personal information you have collected about them.

Designated Methods of Submitting a Request

You must maintain at least two "designated methods of submitting a request" under the right to know (and the right to delete).

There's one exception. If your business operates exclusively online and deals directly with consumers, you only have to provide one designated method of submitting a request: a form on your website.

You should provide a designated method that best reflects the ways in which you interact with consumers. Examples include:

  • A toll-free number (mandatory)
  • A web form
  • A form submitted via email, physical mail, or in person

If a consumer makes a request via a method you haven't designated, you can either:

  • Deal with the request, or
  • Require the consumer to use one of your designated methods

Here's an example from Acxiom of a web form that consumers can use to initiate a "right to know" or "right to delete" request:

Acxiom CCPA Consumer Form for access and deletion requests

Note that Acxiom only uses this form to initiate the CCPA rights process. The business will then contact the consumer to verify their identity and provide a response.

Denying a "Right to Know" Request

You can deny a request under the right to know if all of the following conditions are met:

  1. You don't store the personal information in a "searchable or reasonably accessible" format
  2. You only store the personal information for legal or compliance purposes
  3. You don't sell the personal information or use it for any commercial purpose
  4. You tell the consumer what categories of records contain the personal information

You can also deny a request if you cannot verify the consumer's identity.

Responding to a "Right to Know" Request

You must acknowledge receipt of a request within 10 business days, and provide the information requested by the consumer within 45 days. This deadline includes any time you spend verifying a consumer's identity. You can extend this deadline by a further 45 days if "reasonably necessary."

A consumer can make a "right to know" request twice in every 12-month period. You must not charge a fee for fulfilling a request.

If a consumer holds a password-protected account with your business, you can deliver the requested information through their account. If not, you should deliver it via email or physical mail. Take "reasonable security measures" when transmitting personal information.

There are two types of requests under the right to know, which we'll call "category requests" and "specific requests." For each type of request, there are different rules on how to verify a consumer's identity.

"Category Requests" Under the Right to Know

Under what we're calling a "category request" under the right to know, a consumer may request the following information in respect of the preceding 12-month period (taken from the date of the request):

  1. The categories of personal information you collected about them
  2. The categories of sources from which you collected their personal information
  3. The business or commercial purpose for which you collected or sold their personal information
  4. The categories of third parties with which you shared their personal information
  5. The categories of their personal information you sold, and for each category, the categories of third parties to which you sold it
  6. The categories of their personal information you disclosed for a business purpose, and for each category, the categories of third parties to which you disclosed it

Verifying a Consumer's Identity: Category Requests

Before you provide personal information under a "category request," you must have a "reasonable degree of certainty" that the person making the request is the correct consumer.

Where possible, you should use information that you already have in your possession to verify the consumer's identity.

You should ask the consumer to confirm at least two data points from the personal information you hold about them. For example, the value of the last purchase they made through your online store, or the email address registered to their account.

"Specific Requests" Under the Right to Know

Under what we're calling a "specific request" under the right to know, a consumer can request the specific pieces of personal information you have collected about them.

Do not disclose the following pieces of personal information:

  • Social Security number
  • Driver's license number
  • Any government-issued identification number
  • Financial account number
  • Any health insurance or medical identification number
  • Account password
  • Security questions and answers
  • Unique biometric data generated from measurements or technical analysis of human characteristics

Verifying a Consumer's Identity: Specific Requests

Before you provide personal information under a "specific request," you must have a "reasonable degree of certainty" that the person making the request is the correct consumer.

This means asking the consumer to:

  • Confirm at least three data points from the personal information you hold about them, and
  • Provide a "signed declaration under penalty of perjury" stating that they are the consumer whose personal information is being requested

The Right to Delete

Under the right to delete, consumers may request that you delete the personal information you've collected about them, and that any third parties you have sold or shared the data with do the same.

A consumer can make a "right to delete" request twice in every 12-month period. You must not charge a fee for fulfilling a request.

You must acknowledge receipt of a request within 10 business days, and delete the relevant personal information within 45 days. This deadline includes any time you spend verifying a consumer's identity. You can extend this deadline by a further 45 days if "reasonably necessary."

The rules around providing designated methods for submitting a request under the right to delete are the same as the rules for the right to know.

Fulfilling a Request to Delete

When carrying out a consumer's request to delete their personal information, you have several options:

  • Permanently delete it from your systems
  • Deidentify (anonymize) it
  • Aggregate it

You don't have to delete personal information that you store on archived or backup systems until it becomes active.

You must let the consumer know once you have carried out their request.

Exceptions to the Right to Delete

There are nine exceptions to the right to delete. If it's necessary for you to retain the consumer's personal information for one of the following reasons, you might be able to refuse a deletion request:

  1. Performing obligations under a contract
  2. Ensuring you can maintain security
  3. Debugging
  4. Exercising or defending free speech and other legal rights
  5. Complying with the California Electronic Communications Privacy Act
  6. Conducting certain research in the public interest
  7. Using it for solely internal and reasonable purposes
  8. Complying with a legal obligation
  9. Using it for other internal purposes that are reasonable considering the context in which you collected the personal information

Rejecting a Request to Delete

If you decide that you are covered by an exception and you plan to reject a consumer's deletion request, there are several things you must do:

  • Let the consumer know that you will not be deleting their personal information, and explain why
  • Delete any personal information not covered by an exception
  • Refrain from using the personal information for any reason other than that covered by the exception

Verifying Consumers' Identities

When a consumer makes a deletion request, you must consider the potential impact it will have.

If a consumer is requesting to delete non-sensitive personal information, such as their account history or contact details, you should apply the weaker level of verification that applies for "category requests" under the right to know.

If a consumer is requesting to delete more sensitive personal information, such as family photos or medical documents, you should apply the stricter level of verification that applies for "specific requests" under the right to know.

Here's how Peoplease explains its verification process in its Privacy Policy:

Peoplease Privacy Policy: How we will verify that it is really you submitting the request clause

Once you've accepted the request and you're ready to delete their personal information, you must ask the consumer to authenticate themselves again before you carry out their request.
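The verification and response rules above (two confirmed data points for a "category request", three plus a signed declaration for a "specific request", the same two tiers for non-sensitive and sensitive deletion requests, the list of elements that must never be disclosed, the 10-business-day acknowledgement and 45-day response deadlines, and the twice-per-12-months limit) can be encoded as a small request-intake gate. The following is an added example written for this article; it is not TermsFeed's code, not any vendor's system, and the field names, sample records and the simplification that "business days" means weekdays only (public holidays are ignored) are all constructed assumptions.

```python
"""Intake checks for CCPA/CPRA right-to-know and right-to-delete requests.

Constructed illustration of the rules described in the article: not a
vendor's code, and the field names and sample values are invented.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class RequestKind(Enum):
    CATEGORY = "category"                  # categories, sources, purposes, recipients
    SPECIFIC = "specific"                  # specific pieces of personal information
    DELETE_NONSENSITIVE = "delete_nonsens" # e.g. account history, contact details
    DELETE_SENSITIVE = "delete_sensitive"  # e.g. medical documents, family photos


# (minimum matching data points, signed declaration under penalty of perjury required)
REQUIRED_PROOF = {
    RequestKind.CATEGORY: (2, False),
    RequestKind.DELETE_NONSENSITIVE: (2, False),
    RequestKind.SPECIFIC: (3, True),
    RequestKind.DELETE_SENSITIVE: (3, True),
}

# Elements that must never be returned in a "specific request" response.
# Keys are hypothetical internal field names, not a standard schema.
NEVER_DISCLOSE = frozenset({
    "ssn", "drivers_license", "government_id", "financial_account",
    "health_insurance_id", "password", "security_qa", "biometric",
})

MAX_REQUESTS_PER_YEAR = 2


@dataclass
class VerificationResult:
    verified: bool
    matched: int
    reasons: list[str] = field(default_factory=list)


def _norm(value: object) -> str:
    """Case- and whitespace-insensitive comparison of a stored vs. claimed value."""
    return str(value).strip().casefold()


def verify_requester(kind: RequestKind, on_file: dict[str, str],
                     claimed: dict[str, str],
                     signed_declaration: bool = False) -> VerificationResult:
    """Count how many claimed data points match what we already hold.

    Only fields we actually store can count toward verification; a claimed
    field we do not hold neither helps nor hurts the requester.
    """
    needed, needs_declaration = REQUIRED_PROOF[kind]
    matched = sum(1 for k, v in claimed.items()
                  if k in on_file and _norm(on_file[k]) == _norm(v))
    reasons = []
    if matched < needed:
        reasons.append(f"matched {matched} of {needed} required data points")
    if needs_declaration and not signed_declaration:
        reasons.append("signed declaration under penalty of perjury missing")
    return VerificationResult(verified=not reasons, matched=matched, reasons=reasons)


def redact_for_disclosure(record: dict[str, str]) -> dict[str, str]:
    """Strip the elements that may not be disclosed even to a verified consumer."""
    return {k: v for k, v in record.items() if k not in NEVER_DISCLOSE}


def within_request_limit(prior_requests: list[date], today: date) -> bool:
    """True if the consumer has made fewer than two requests in the last 12 months."""
    window_start = today - timedelta(days=365)
    recent = sum(1 for d in prior_requests if window_start < d <= today)
    return recent < MAX_REQUESTS_PER_YEAR


def add_business_days(start: date, n: int) -> date:
    """Advance n weekdays (assumption: holidays are not accounted for)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


@dataclass
class Deadlines:
    acknowledge_by: date        # 10 business days after receipt
    respond_by: date            # 45 calendar days after receipt
    extended_respond_by: date   # a further 45 days if "reasonably necessary"


def deadlines(received: date) -> Deadlines:
    return Deadlines(
        acknowledge_by=add_business_days(received, 10),
        respond_by=received + timedelta(days=45),
        extended_respond_by=received + timedelta(days=90),
    )


if __name__ == "__main__":
    # Constructed record; every value is invented.
    held = {"email": "Ana@Example.com", "last_purchase": "42.10", "zip": "94016",
            "ssn": "000-00-0000", "password": "hash-placeholder"}
    claim = {"email": "ana@example.com", "last_purchase": "42.10"}
    print(verify_requester(RequestKind.CATEGORY, held, claim))
    print(verify_requester(RequestKind.SPECIFIC, held, claim))
    print(redact_for_disclosure(held))
    print(deadlines(date(2024, 3, 1)))
```

The deadline clock starts at receipt, not at the end of verification, which is why `deadlines()` takes the receipt date and the verification step returns its reasons separately: a request that stalls in verification still burns the 45 days.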

The Right to Opt Out

If your business sells personal information, you must provide notice of the right to opt out in the form of a "Do Not Sell My Personal Information" page.

Once you receive a request under the right to opt out, you must stop selling the consumer's information as soon as possible, and within 15 business days at the latest.

You can ask the consumer whether they wish to opt back in to the sale of their personal information, but not until at least 12 months after their original request.

There's also a right to opt out of automated decision-making, and the right to have the use of personal information limited.

The Right to Opt In (for Minors)

The CCPA (CPRA) has strict rules about selling the personal information of minors (under the age of 16).

Unless you have processed a valid opt-in request, you must not sell the personal information of a consumer if you have "actual knowledge" that they are a minor, or if you "willfully disregard" their age.

If you have reason to believe that your business is used by minors, whether you target them or not, you should take positive steps such as age verification checks to ensure that you do not sell their personal information.

Minors Aged 13-16

If you wish minors aged 13-16 to be able to opt into the sale of their personal information, the CCPA (CPRA) states that you must "establish, document, and comply" with a "reasonable process" to enable this.

This must be a "two-step" verification process where the consumer:

  1. Opts in via a designated method
  2. Confirms that they wish to opt in

During the opt-in process, you must inform the consumer of their right to opt out and provide instructions on how to do so.

Minors Aged Under 13

A consumer under 13 cannot exercise the right to opt in. However, their parent or guardian can opt into the sale of their personal information on their behalf.

To verify a parent or guardian's identity, you must ask them to do one of the following things:

  • Sign a consent form under penalty of perjury
  • Make a credit card payment
  • Call your toll-free number
  • Make a video call
  • Meet face-to-face
  • Provide government-issued ID, as long as you check it against an official database and promptly delete any copy of the ID

The Right to Non-Discrimination

The right to non-discrimination requires businesses not to discriminate against consumers who have exercised their CCPA (CPRA) rights.

The CCPA (CPRA) lists several examples of ways in which a business may discriminate against consumers:

  • Denying them goods or services
  • Charging them different prices
  • Providing a different level or quality of goods or services
  • Suggesting that you might do any of the above

As mentioned, there is a limited exception to the right to non-discrimination for financial incentive schemes.

Summary

Facilitating these consumer rights is one of the most complicated parts of CCPA (CPRA) compliance. Here's what you can do to get started:

  • The right to notice: Prepare any of the four notices relevant to your business.
  • The right to know and right to delete: Set up your designated methods of submitting a request. Set up a system for verifying consumers' identities.
  • The right to opt out: Create and display a "Do Not Sell My Personal Information" page (if required).
  • The right to opt in: Set up age verification checks. Set up a system for verifying parents' or guardians' identities (if required).
  • The right to non-discrimination: Set up a compliant financial incentive scheme (if required).
