Here's how Right Toyota covers all these bases (and more) in its notice at collection.
First, Right Toyota provides a table identifying what types of personal information the business collects:
Note that Right Toyota helpfully explains the scenarios in which it collects the personal information.
Next, the company provides a key that links with the "business purposes" for collecting personal information in the table above.
Right Toyota goes beyond the CCPA's requirements here and provides a high level of transparency for consumers.
Notice of the Right to Opt Out
If you sell personal information, you must provide notice of the right to opt out via a link on your website homepage, and/or mobile app landing or download page, reading "Do Not Sell My Personal Information" or "Do Not Sell My Info."
Your "Do Not Sell My Personal Information" page must:
Explain the right to opt out
Provide a web form that enables consumers to opt out of the sale of their personal information
Provide at least one other designated method for submitting a request to opt out (e.g. a toll-free number, an email address, or a paper form).
Notice of Financial Incentive
You only need to give notice of financial incentive if you operate a financial incentive scheme, such as a loyalty program.
The CCPA's provision on financial incentives allows businesses to offer consumers bonuses in exchange for their personal information without violating the right to non-discrimination. The bonuses that a business offers must be based on the actual value that the business derives from the personal information.
A notice of financial incentives must:
Provide a summary of the financial incentive scheme
Explain the scheme's terms and identify the categories of personal information requested from consumers
Explain how to opt into the scheme
Explain how to withdraw from the scheme
Explain how the benefits to consumers are related to the value of their personal information:
Give a good-faith estimate of how much the consumer's personal information is worth to the business
Describe how you calculated the value
The Right to Know
The right to know allows consumers to request a summary of the personal information you have collected about them, and a copy of the specific pieces of personal information you have collected about them.
Designated Methods of Submitting a Request
You must maintain at least two "designated methods of submitting a request" under the right to know (and the right to delete).
There's one exception. If your business operates exclusively online and has a direct relationship with the consumers whose personal information it collects, you only have to provide one designated method of submitting a request (the statute, at Cal. Civ. Code §1798.130(a)(1)(A), specifies an email address for this case).
You should provide a designated method that best reflects the ways in which you interact with consumers. Examples include:
A toll-free number (mandatory, unless the exclusively-online exception above applies)
A web form
A form submitted via email, physical mail, or in person
If a consumer makes a request via a method you haven't designated, you can either:
Deal with the request, or
Require the consumer to use one of your designated methods
Here's an example from Acxiom of a web form that consumers can use to initiate a "right to know" or "right to delete" request:
Note that Acxiom only uses this form to initiate the CCPA rights process. The business will then contact the consumer to verify their identity and provide a response.
Denying a "Right to Know" Request
You can deny a request under the right to know if all of the following conditions are met:
You don't store the personal information in a "searchable or reasonably accessible" format
You only store the personal information for legal or compliance purposes
You don't sell the personal information or use it for any commercial purpose
You tell the consumer what categories of records contain the personal information
You can also deny a request if you cannot verify the consumer's identity.
Responding to a "Right to Know" Request
You must acknowledge receipt of a request within 10 business days, and provide the information requested by the consumer within 45 days. This deadline includes any time you spend verifying a consumer's identity. You can extend this deadline by a further 45 days if "reasonably necessary."
A consumer can make a "right to know" request twice in every 12-month period. You must not charge a fee for fulfilling a request.
If a consumer holds a password-protected account with your business, you can deliver the requested information through their account. If not, you should deliver it by mail or electronically, at the consumer's option. Take "reasonable security measures" when transmitting personal information, since the response itself is a concentrated bundle of the consumer's data and is an attractive target if it goes to the wrong person.
There are two types of requests under the right to know, which we'll call "category requests" and "specific requests." For each type of request, there are different rules on how to verify a consumer's identity.
"Category Requests" Under the Right to Know
Under what we're calling a "category request" under the right to know, a consumer may request the following information in respect of the preceding 12-month period (taken from the date of the request):
The categories of personal information you collected about them
The categories of sources from which you collected their personal information
The business or commercial purpose for which you collected or sold their personal information
The categories of third parties with which you shared their personal information
The categories of their personal information you sold, and for each category, the categories of third parties to which you sold it
The categories of their personal information you disclosed for a business purpose, and for each category, the categories of third parties to which you disclosed it
Verifying a Consumer's Identity: Category Requests
Before you provide personal information under a "category request," you must have a "reasonable degree of certainty" that the person making the request is the correct consumer.
Where possible, you should use information that you already have in your possession to verify the consumer's identity.
You should ask the consumer to confirm at least two data points from the personal information you hold about them. For example, the value of the last purchase they made through your online store, or the email address registered to their account.
"Specific Requests" Under the Right to Know
Under what we're calling a "specific request" under the right to know, a consumer can request the specific pieces of personal information you have collected about them.
Regardless of how well the consumer is verified, you must never disclose the following pieces of personal information in a response:
Social Security number
Driver's license number
Any other government-issued identification number
Financial account number
Any health insurance or medical identification number
Account passwords
Security questions and answers
Unique biometric data generated from measurements or technical analysis of human characteristics
Verifying a Consumer's Identity: Specific Requests
Before you provide personal information under a "specific request," you must have a "reasonably high degree of certainty" that the person making the request is the correct consumer. This is a stricter bar than the "reasonable degree of certainty" that applies to category requests, because a wrongly verified specific request hands an impostor the consumer's actual data rather than a description of it.
This means asking the consumer to:
Confirm at least three data points from the personal information you hold about them, and
Provide a "signed declaration under penalty of perjury" stating that they are the consumer whose personal information is being requested
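The verification and disclosure rules above (two matching data points for a category request, three plus a signed declaration for a specific request, and a list of identifiers that must never appear in a response) are easy to get subtly wrong in an implementation. The following is an added example written for this article, not code from the original page or from any business it mentions. It assumes a flat-or-nested dictionary export format, the field names in `NEVER_DISCLOSE`, and a constructed sample record; the constant-time comparison is a design choice of this example rather than a CCPA requirement.

```python
"""Identity verification and disclosure filtering for CCPA "right to know" requests.

Added example, not from the original article. It implements the rules the text
describes: a "category request" needs at least two matching data points, a
"specific request" needs at least three plus a signed declaration, and the
response to a specific request must never include the excluded identifiers.
Field names, the request format and the sample record are assumptions.
"""
import hmac
import unicodedata

# Minimum matching data points per request type, from the article's rules.
REQUIRED_MATCHES = {"category": 2, "specific": 3}

# Identifiers that must never be disclosed in a specific-request response.
# The key names are assumptions; a real system would tag fields by data
# classification rather than relying on key names alone.
NEVER_DISCLOSE = frozenset({
    "ssn", "drivers_license", "passport_number", "government_id",
    "financial_account", "health_insurance_id", "medical_id",
    "password", "password_hash", "security_questions", "biometric_template",
})


def _normalize(value) -> str:
    """Canonicalize a value so trivial formatting differences don't fail a match."""
    text = unicodedata.normalize("NFKC", str(value)).strip().casefold()
    return "".join(text.split())  # drop internal whitespace too


def count_matching_points(claimed: dict, stored: dict) -> int:
    """Count claimed data points that equal what the business already holds.

    Only fields the business already stores count (use data you already have,
    as the article says). The comparison is constant-time so response timing
    does not reveal how much of a guessed value was correct.
    """
    matches = 0
    for field, value in claimed.items():
        if field not in stored:
            continue  # a field we don't hold proves nothing
        if hmac.compare_digest(_normalize(value).encode(),
                               _normalize(stored[field]).encode()):
            matches += 1
    return matches


def is_verified(request_type: str, claimed: dict, stored: dict,
                signed_declaration: bool = False) -> bool:
    """Apply the verification bar for the given request type."""
    needed = REQUIRED_MATCHES[request_type]
    if count_matching_points(claimed, stored) < needed:
        return False
    if request_type == "specific" and not signed_declaration:
        return False
    return True


def redact_for_disclosure(record):
    """Return a copy of a consumer record with excluded identifiers removed.

    Recurses into nested dicts and lists, because exported records often carry
    sub-objects (a payment profile inside an account, for example) and a
    top-level-only filter would leak identifiers buried in them.
    """
    if isinstance(record, dict):
        return {k: redact_for_disclosure(v) for k, v in record.items()
                if k.casefold() not in NEVER_DISCLOSE}
    if isinstance(record, list):
        return [redact_for_disclosure(item) for item in record]
    return record


# Constructed sample record for demonstration only.
STORED = {
    "email": "Jane.Doe@example.com",
    "last_order_total": "42.17",
    "postal_code": "94103",
    "ssn": "000-00-0000",
    "payment": {"financial_account": "1234567890", "brand": "visa"},
    "orders": [{"id": 1, "total": "42.17"}],
}

if __name__ == "__main__":
    claim = {"email": "jane.doe@example.com", "last_order_total": "42.17",
             "postal_code": "94103"}
    print("category verified:", is_verified("category", claim, STORED))
    print("specific, no declaration:", is_verified("specific", claim, STORED))
    print("specific, declared:", is_verified("specific", claim, STORED, True))
    print(redact_for_disclosure(STORED))
```

Note that the redaction step runs regardless of how strongly the requester was verified: the exclusion list applies even to a correctly verified consumer, so it belongs in the export path rather than in the verification path.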
The Right to Delete
Under the right to delete, consumers may request that you delete the personal information you've collected about them.
A consumer can make a "right to delete" request twice in every 12-month period. You must not charge a fee for fulfilling a request.
You must acknowledge receipt of a request within 10 business days, and delete the relevant personal information within 45 days. This deadline includes any time you spend verifying a consumer's identity. You can extend this deadline by a further 45 days if "reasonably necessary."
When carrying out a consumer's request to delete their personal information, you have three options:
Permanently and completely erase it from your systems
Deidentify it
Aggregate it
You don't have to delete personal information held on archived or backup systems until that data is restored to active use or is otherwise accessed or used again.
You must let the consumer know once you have carried out their request.
Exceptions to the Right to Delete
There are nine exceptions to the right to delete. If it's necessary for you to retain the consumer's personal information for one of the following reasons, you might be able to refuse a deletion request:
Completing a transaction or performing obligations under a contract with the consumer
Detecting security incidents and protecting against malicious, deceptive, fraudulent, or illegal activity
Debugging to identify and repair errors that impair existing intended functionality
Exercising or defending free speech and other legal rights
Complying with the California Electronic Communications Privacy Act
Conducting certain research in the public interest
Using it for solely internal purposes reasonably aligned with the consumer's expectations
Complying with a legal obligation
Using it for other internal purposes that are lawful and compatible with the context in which you collected the personal information
Rejecting a Request to Delete
If you decide that you are covered by an exception and you plan to reject a consumer's deletion request, there are several things you must do:
Let the consumer know that you will not be deleting their personal information, and explain why
Delete any personal information not covered by an exception
Refrain from using the personal information for any reason other than that covered by the exception
Verifying Consumers' Identities
When a consumer makes a deletion request, you must consider the potential impact it will have.
If a consumer is requesting to delete non-sensitive personal information, such as their account history or contact details, you should apply the weaker level of verification that applies for "category requests" under the right to know.
If a consumer is requesting to delete more sensitive personal information, such as family photos or medical documents, you should apply the stricter level of verification that applies for "specific requests" under the right to know.
For online requests, deletion must be a two-step process: the consumer first submits the request, and then separately confirms that they want their personal information deleted before you carry it out.
The Right to Opt Out
If your business sells personal information, you must provide notice of the right to opt out in the form of a "Do Not Sell My Personal Information" page.
Once you receive a request under the right to opt out, you must stop selling the consumer's information as soon as possible, and within 15 business days at the latest.
You can ask the consumer whether they wish to opt back into the sale of their personal information, but not for at least 12 months following their original request.
The Right to Opt In (for Minors)
The CCPA has strict rules about selling the personal information of minors (under the age of 16).
Unless you have processed a valid opt-in request, you must not sell the personal information of a consumer if you have "actual knowledge" that they are under 16, or if you "willfully disregard" their age.
If you have reason to believe that your business is used by minors, whether you target them or not, you should take positive steps such as age verification checks to ensure that you do not sell their personal information.
Minors Aged 13 to 15
If you wish minors aged at least 13 but under 16 to be able to opt into the sale of their personal information, the CCPA Proposed Regulations state that you must "establish, document, and comply" with a "reasonable process" to enable this.
This must be a "two-step" verification process where the consumer:
Opts in via a designated method
Confirms that they wish to opt in
During the opt-in process, you must inform the consumer of their right to opt out and provide instructions on how to do so.
Minors Aged Under 13
A consumer under 13 cannot exercise the right to opt in. However, their parent or guardian can opt into the sale of their personal information on their behalf.
To verify a parent or guardian's identity, you must ask them to do one of the following things:
Sign a consent form under penalty of perjury
Make a credit card payment
Call your toll-free number
Make a video call
Provide government-issued ID, as long as you check it against an official database and promptly delete any copy of the ID
The Right to Non-Discrimination
The right to non-discrimination requires businesses not to discriminate against consumers who have exercised their CCPA rights.
The CCPA lists several examples of ways in which a business may discriminate against consumers:
Denying them goods or services
Charging them different prices
Providing a different level or quality of goods or services