03 September 2020
One of the biggest responsibilities for businesses covered by the California Consumer Privacy Act (CCPA) is to facilitate consumers' rights under the law.
This means putting systems in place to allow consumers to make consumer rights requests, and then fulfilling those requests in a legally-compliant manner.
This article will help you understand the following consumer rights under the CCPA:
We'll show you what you need to know and what you need to do when it comes to each of the CCPA consumer rights.
The right to notice requires you to provide consumers with notice of your company's practices regarding the collection, use, sale, and sharing of personal information.
The CCPA Proposed Regulations identify four types of notice:
When you collect personal information from consumers, you must provide "notice at collection."
Your notice at collection should:
Here's how Right Toyota covers all these bases (and more) in its notice at collection.
First, Right Toyota provides a table identifying what types of personal information the business collects:
Note that Right Toyota helpfully explains the scenarios in which it collects the personal information.
Next, the company provides a key that links with the "business purposes" for collecting personal information in the table above.
Right to Toyota goes beyond the CCPA's requirements here and provides a great level of transparency for consumers.
If you sell personal information, you must provide notice of the right to opt out via a link on your website homepage, and/or mobile app landing or download page, reading "Do Not Sell My Personal Information" or "Do Not Sell My Info."
Your "Do Not Sell My Personal Information" page must:
For more information, see our article How to Create and Display a "Do Not Sell My Personal Information" Page.
You can build your CCPA Opt-Out code by following the steps below:
You only need to give notice of financial incentive if you operate a financial incentive scheme, such as a loyalty program.
The CCPA's provision on financial incentives allows businesses to offer consumers bonuses in exchange for their personal information without violating the right to non-discrimination. The bonuses that a business offers must be based on the actual value that the business derives from the personal information.
A notice of financial incentives must:
Explain how the benefits to consumers are related to the value of their personal information:
The right to know allows consumers to request a summary of the personal information you have collected about them, and a copy of the specific pieces of personal information you have collected about them.
You must maintain at least two "designated methods of submitting a request" under the right to know (and the right to delete).
There's one exception. If your business operates exclusively online and deals directly with consumers, you only have to provide one designated method of submitting a request: a form on your website.
You should provide a designated method that best reflects the ways in which you interact with consumers. Examples include:
If a consumer makes a request via a method you haven't designated, you can either:
Here's an example from Acxiom of a web form that consumers can use to initiate a "right to know " or "right to delete" request:
Note that Acxiom only uses this form to initiate the CCPA rights process. The business will then contact the consumer to verify their identity and provide a response.
You can deny a request under the right to know if all of the following conditions are met:
You can also deny a request if you cannot verify the consumer's identity.
You must acknowledge receipt of a request within 10 business days, and provide the information requested by the consumer within 45 days. This deadline includes any time you spend verifying a consumer's identity. You can extend this deadline by a further 45 days if "reasonably necessary."
A consumer can make a "right to know'' request twice in every 12 month period. You must not charge a fee for fulfilling a request.
If a consumer holds a password-protected account with your business, you can deliver the requested information through their account. If not, you should deliver it via email or physical mail. Take "reasonable security measures" when transmitting personal information.
There are two types of requests under the right to know, which we'll call "category requests" and "specific requests." For each type of request, there are different rules on how to verify a consumer's identity.
Under what we're calling a "category request" under the right to know, a consumer may request the following information in respect of the preceding 12-month period (taken from the date of the request):
Before you provide personal information under a "category request," you must have a "reasonable degree of certainty" that the person making the request is the correct consumer.
Where possible, you should use information that you already have in your possession to verify the consumer's identity.
You should ask the consumer to confirm at least two data points from the personal information you hold about them. For example, the value of the last purchase they made through your online store, or the email address registered to their account.
Under what we're calling a "specific request" under the right to know, a consumer can request the specific pieces of personal information you have collected about them.
Do not disclose the following pieces of personal information:
Before you provide personal information under a "specific request," you must have a "reasonable degree of certainty" that the person making the request is the correct consumer.
This means asking the consumer to:
Under the right to delete, consumers may request that you delete the personal information you've collected about them.
A consumer can make a "right to delete'' request twice in every 12 month period. You must not charge a fee for fulfilling a request.
You must acknowledge receipt of a request within 10 business days, and delete the relevant personal information within 45 days. This deadline includes any time you spend verifying a consumer's identity. You can extend this deadline by a further 45 days if "reasonably necessary."
The rules around providing designated methods for submitting a request under the right to delete are the same as the rules for the right to know.
When carrying out a consumer's request to delete their personal information, you have several options:
You don't have to delete personal information that you store on archived or backup systems until it becomes active.
You must let the consumer know once you have carried out their request.
There are nine exceptions to the right to delete. If it's necessary for you to retain the consumer's personal information for one of the following reasons, you might be able to refuse a deletion request:
If you decide that you are covered by an exception and you plan to reject a consumer's deletion request, there are several things you must do:
When a consumer makes a deletion request, you must consider the potential impact it will have.
If a consumer is requesting to delete non-sensitive personal information, such as their account history or contact details, you should apply the weaker level of verification that applies for "category requests" under the right to know.
If a consumer is requesting to delete more sensitive personal information, such as family photos or medical documents, you should apply the stricter level of verification that applies for "specific requests" under the right to know.
Once you've accepted the request and you're ready to delete their personal information, you must ask the consumer to authenticate themselves again before you carry out their request.
If your business sells personal information, you must provide notice of the right to opt out in the form of a "Do Not Sell My Personal Information" page.
Once you receive a request under the right to opt out, you must stop selling the consumer's information as soon as possible, and within 15 business days at the latest.
You can ask the consumer if you wish to opt back into the sale of the personal information, but not for at least 12 months following their original request.
The CCPA has strict rules about selling the personal information of minors (under the age of 16).
Unless you have processed a valid opt-in request, you must not sell the personal information of a consumer if you have "active knowledge" that they are a minor, or if you "willfully disregard" their age.
If you have reason to believe that your business is used by minors, whether you target them or not, you should take positive steps such as age verification checks to ensure that you do not sell their personal information.
If you wish minors aged 13-16 to be able to opt into the sale of their personal information, the CCPA Proposed Regulations state that you must "establish, document, and comply" with a "reasonable process" to enable this.
This must be a "two-step" verification process where the consumer:
During the opt-in process, you must inform the consumer of their right to opt out and provide instructions on how to do so.
A consumer under 13 cannot exercise the right to opt in. However, their parent or guardian can opt into the sale of their personal information on their behalf.
To verify a parent or guardian's identity, you must ask them to do one of the following things:
The right to non-discrimination requires businesses not to discriminate against consumers who have exercised their CCPA rights.
The CCPA lists several examples of ways in which a business may discriminate against consumers:
As mentioned, there is a limited exception to the right to non-discrimination for financial incentive schemes.
Facilitating these consumer rights is one of the most complicated parts of CCPA compliance. Here's what you can do to get started:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.