One of the biggest responsibilities for businesses covered by the California Consumer Privacy Act (CCPA) is to facilitate consumers' rights under the law. And the CPRA expanded the rights granted under the CCPA.
This means putting systems in place to allow consumers to make consumer rights requests, and then fulfilling those requests in a legally-compliant manner.
This article will help you understand the consumer rights under the CCPA (CPRA), what you need to know and what you need to do when it comes to each of the rights.
At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
- 1. The Right to Notice
- 1.2. Notice at Collection
- 1.3. Notice of the Right to Opt Out
- 1.4. Notice of Financial Incentive
- 2. The Right to Know
- 2.1. Designated Methods of Submitting a Request
- 2.2. Denying a "Right to Know" Request
- 2.3. Responding to a "Right to Know" Request
- 2.4. "Category Requests" Under the Right to Know
- 2.4.1. Verifying a Consumer's Identity: Category Requests
- 2.5. "Specific Requests" Under the Right to Know
- 2.5.1. Verifying a Consumer's Identity: Specific Requests
- 3. The Right to Delete
- 3.1. Fulfilling a Request to Delete
- 3.2. Exceptions to the Right to Delete
- 3.3. Rejecting a Request to Delete
- 3.4. Verifying Consumers' Identities
- 4. The Right to Opt Out
- 5. The Right to Opt In (for Minors)
- 5.1. Minors Aged 13-16
- 5.2. Minors Aged Under 13
- 6. The Right to Non-Discrimination
- 7. Summary
The Right to Notice
The right to notice requires you to provide consumers with notice of your company's practices regarding the collection, use, sale, and sharing of personal information.
The CCPA (CPRA) identifies these types of notice:
- Notice at collection
- Notice of the right to opt out
- Notice of financial incentive
- A comprehensive summary of how your business collects, sells, and shares personal information
- An explanation of the CCPA (CPRA) consumer rights
Notice at Collection
When you collect personal information from consumers, you must provide "notice at collection."
Your notice at collection should:
- Provide a list of which categories of personal information you're collecting
- Explain the business or commercial purposes for which you are collecting each category of personal information
- Provide a link to your "Do Not Sell My Personal Information" page, if you have one
Here's how Right Toyota covers all these bases (and more) in its notice at collection.
First, Right Toyota provides a table identifying what types of personal information the business collects:
Note that Right Toyota helpfully explains the scenarios in which it collects the personal information.
Next, the company provides a key that links with the "business purposes" for collecting personal information in the table above.
Right to Toyota goes beyond the CCPA/CPRA's requirements here and provides a great level of transparency for consumers.
Notice of the Right to Opt Out
If you sell personal information, you must provide notice of the right to opt out via a link on your website homepage, and/or mobile app landing or download page, reading "Do Not Sell My Personal Information" or "Do Not Sell My Info."
Your "Do Not Sell My Personal Information" page must:
- Explain the right to opt out
- Provide a web form that enables personal information to opt out of the sale of their personal information
- Provide at least one other designated method for submitting a request to opt out (e.g. a toll-free number, an email address, or a paper form).
For more information, see our article How to Create and Display a "Do Not Sell My Personal Information" Page.
Notice of Financial Incentive
You only need to give notice of financial incentive if you operate a financial incentive scheme, such as a loyalty program.
The CCPA/CPRA's provision on financial incentives allows businesses to offer consumers bonuses in exchange for their personal information without violating the right to non-discrimination. The bonuses that a business offers must be based on the actual value that the business derives from the personal information.
A notice of financial incentives must:
- Provide a summary of the financial incentive scheme
- Explain the scheme's terms and identify the categories of personal information requested from consumers
- Explain how to opt into the scheme
- Explain how to withdraw from the scheme
Explain how the benefits to consumers are related to the value of their personal information:
- Give a good-faith estimate of how much the consumer's personal information is worth to the business
- Describe how you calculated the value
The Right to Know
The right to know allows consumers to request a summary of the personal information you have collected about them, and a copy of the specific pieces of personal information you have collected about them.
Designated Methods of Submitting a Request
You must maintain at least two "designated methods of submitting a request" under the right to know (and the right to delete).
There's one exception. If your business operates exclusively online and deals directly with consumers, you only have to provide one designated method of submitting a request: a form on your website.
You should provide a designated method that best reflects the ways in which you interact with consumers. Examples include:
- A toll-free number (mandatory)
- A web form
- A form submitted via email, physical mail, or in person
If a consumer makes a request via a method you haven't designated, you can either:
- Deal with the request, or
- Require the consumer to use one of your designated methods
Here's an example from Acxiom of a web form that consumers can use to initiate a "right to know " or "right to delete" request:
Note that Acxiom only uses this form to initiate the CCPA rights process. The business will then contact the consumer to verify their identity and provide a response.
Denying a "Right to Know" Request
You can deny a request under the right to know if all of the following conditions are met:
- You don't store the personal information in a "searchable or reasonably accessible" format
- You only store the personal information for legal or compliance purposes
- You don't sell the personal information or use it for any commercial purpose
- You tell the consumer what categories of records contain the personal information
You can also deny a request if you cannot verify the consumer's identity.
Responding to a "Right to Know" Request
You must acknowledge receipt of a request within 10 business days, and provide the information requested by the consumer within 45 days. This deadline includes any time you spend verifying a consumer's identity. You can extend this deadline by a further 45 days if "reasonably necessary."
A consumer can make a "right to know'' request twice in every 12 month period. You must not charge a fee for fulfilling a request.
If a consumer holds a password-protected account with your business, you can deliver the requested information through their account. If not, you should deliver it via email or physical mail. Take "reasonable security measures" when transmitting personal information.
There are two types of requests under the right to know, which we'll call "category requests" and "specific requests." For each type of request, there are different rules on how to verify a consumer's identity.
"Category Requests" Under the Right to Know
Under what we're calling a "category request" under the right to know, a consumer may request the following information in respect of the preceding 12-month period (taken from the date of the request):
- The categories of personal information you collected about them
- The categories of sources from which you collected their personal information
- The business or commercial purpose for which you collected or sold their personal information
- The categories of third parties with which you shared their personal information
- The categories of their personal information you sold, and for each category, the categories of third parties to which you sold it
- The categories of their personal information you disclosed for a business purpose, and for each category, the categories of third parties to which you disclosed it
Verifying a Consumer's Identity: Category Requests
Before you provide personal information under a "category request," you must have a "reasonable degree of certainty" that the person making the request is the correct consumer.
Where possible, you should use information that you already have in your possession to verify the consumer's identity.
You should ask the consumer to confirm at least two data points from the personal information you hold about them. For example, the value of the last purchase they made through your online store, or the email address registered to their account.
"Specific Requests" Under the Right to Know
Under what we're calling a "specific request" under the right to know, a consumer can request the specific pieces of personal information you have collected about them.
Do not disclose the following pieces of personal information:
- Social Security number
- Driver's license number
- Any government-issued identification number
- Financial account number
- Any health insurance or medical identification number
- Account password
- Security questions and answers
- Unique biometric data generated from measurements or technical analysis of human characteristics
Verifying a Consumer's Identity: Specific Requests
Before you provide personal information under a "specific request," you must have a "reasonable degree of certainty" that the person making the request is the correct consumer.
This means asking the consumer to:
- Confirm at least three data points from the personal information you hold about them, and
- Provide a "signed declaration under penalty of perjury" stating that they are the consumer whose personal information is being requested
The Right to Delete
Under the right to delete, consumers may request that you delete the personal information you've collected about them as well as any third parties that you may have sold or shared the data with.
A consumer can make a "right to delete'' request twice in every 12 month period. You must not charge a fee for fulfilling a request.
You must acknowledge receipt of a request within 10 business days, and delete the relevant personal information within 45 days. This deadline includes any time you spend verifying a consumer's identity. You can extend this deadline by a further 45 days if "reasonably necessary."
The rules around providing designated methods for submitting a request under the right to delete are the same as the rules for the right to know.
Fulfilling a Request to Delete
When carrying out a consumer's request to delete their personal information, you have several options:
- Permanently delete it from your systems
- Deidentify (anonymize) it
- Aggregate it
You don't have to delete personal information that you store on archived or backup systems until it becomes active.
You must let the consumer know once you have carried out their request.
Exceptions to the Right to Delete
There are nine exceptions to the right to delete. If it's necessary for you to retain the consumer's personal information for one of the following reasons, you might be able to refuse a deletion request:
- Performing obligations under a contract
- Ensuring you can maintain security
- Exercising or defending free speech and other legal rights
- Complying with the California Electronic Communications Privacy Act (available here)
- Conducting certain research in the public interest
- Using it for solely internal and reasonable purposes
- Complying with a legal obligation
- Using it for other internal purposes that are reasonable considering the context in which you collected the personal information
Rejecting a Request to Delete
If you decide that you are covered by an exception and you plan to reject a consumer's deletion request, there are several things you must do:
- Let the consumer know that you will not be deleting their personal information, and explain why
- Delete any personal information not covered by an exception
- Refrain from using the personal information for any reason other than that covered by the exception
Verifying Consumers' Identities
When a consumer makes a deletion request, you must consider the potential impact it will have.
If a consumer is requesting to delete non-sensitive personal information, such as their account history or contact details, you should apply the weaker level of verification that applies for "category requests" under the right to know.
If a consumer is requesting to delete more sensitive personal information, such as family photos or medical documents, you should apply the stricter level of verification that applies for "specific requests" under the right to know.
Once you've accepted the request and you're ready to delete their personal information, you must ask the consumer to authenticate themselves again before you carry out their request.
The Right to Opt Out
If your business sells personal information, you must provide notice of the right to opt out in the form of a "Do Not Sell My Personal Information" page.
Once you receive a request under the right to opt out, you must stop selling the consumer's information as soon as possible, and within 15 business days at the latest.
You can ask the consumer if you wish to opt back into the sale of the personal information, but not for at least 12 months following their original request.
There's also a right to opt out of automated decision-making, and the right to have the use of personal information limited.
The Right to Opt In (for Minors)
The CCPA (CPRA) has strict rules about selling the personal information of minors (under the age of 16).
Unless you have processed a valid opt-in request, you must not sell the personal information of a consumer if you have "active knowledge" that they are a minor, or if you "willfully disregard" their age.
If you have reason to believe that your business is used by minors, whether you target them or not, you should take positive steps such as age verification checks to ensure that you do not sell their personal information.
Minors Aged 13-16
If you wish minors aged 13-16 to be able to opt into the sale of their personal information, the CCPA (CPRA) states that you must "establish, document, and comply" with a "reasonable process" to enable this.
This must be a "two-step" verification process where the consumer:
- Opts in via a designated method
- Confirms that they wish to opt in
During the opt-in process, you must inform the consumer of their right to opt out and provide instructions on how to do so.
Minors Aged Under 13
A consumer under 13 cannot exercise the right to opt in. However, their parent or guardian can opt into the sale of their personal information on their behalf.
To verify a parent or guardian's identity, you must ask them to do one of the following things:
- Sign a consent form under penalty of perjury
- Make a credit card payment
- Call your toll-free number
- Make a video call
- Meet face-to-face
- Provide government-issued ID, as long as you check it against an official database and promptly delete any copy of the ID
The Right to Non-Discrimination
The right to non-discrimination requires businesses not to discriminate against consumers who have exercised their CCPA (CPRA) rights.
The CCPA (CPRA) lists several examples of ways in which a business may discriminate against consumers:
- Denying them goods or services
- Charging them different prices
- Providing a different level or quality of goods or services
- Suggesting that you might do any of the above
As mentioned, there is a limited exception to the right to non-discrimination for financial incentive schemes.
Facilitating these consumer rights is one of the most complicated parts of CCPA (CPRA) compliance. Here's what you can do to get started:
- The right to notice: Prepare any of the four notices relevant to your business.
- The right to know and right to delete: Set up your designated methods of submitting a request. Set up a system for verifying consumers' identities.
- The right to opt out: Create and display a "Do Not Sell My Personal Information" page (if required).
- The right to opt in: Set up age verification checks. Set up a system for verifying parents' or guardians' identities (if required).
- The right to non-discrimination: Set up a compliant financial incentive scheme (if required).