In our first post on the CCPA, we provided an overview of the CCPA and its many impacts on businesses. In this post, we’ll focus on one of the most important aspects of the CCPA—the new rights it vests in consumers. Not only do these rights allow consumers to have more control over the information businesses collect about them, but these rights create a corresponding set of new obligations on businesses.
There are two main categories of the new rights that consumers have under the CCPA:
(1) the consumer’s right to disclosure of the information a business has collected about them, and
(2) the consumer’s right to have the business delete the information it has collected about a consumer.
Related are the consumer’s right to “opt out” of the sale of their personal information, and the right to be free from discrimination for exercising these rights under the CCPA.
The Right to Disclosure
A consumer can request disclosure of a few different types of information:
- The categories of information a business has collected about the consumer;
- The specific information the business has collected about the consumer;
- The business’ “business purpose” for collecting the information, if the business sells its consumers’ personal information.[i]
The CCPA requires that businesses have at least two separate methods by which a consumer can submit their request for disclosure. One method can be an online form, and another a toll-free phone number, for example.[ii] The business must verify each consumer request for disclosure to ensure that the request is legitimate, and to protect the information from disclosure to someone merely pretending to be a true consumer. The business has 45 days to verify the request and provide the disclosure to the consumer, with one available 45-day extension for good cause.[iii]
The right to disclosure only goes back 12 months before the date of the request—so a business is only obligated to provide the customer with a report of the information it gathered about the consumer over the past 12 months.[iv] This means that the disclosure could include information gathered before the CCPA went “live” on January 1, 2020.
The Right to Deletion
The right to deletion[v] is relatively straightforward in concept. It gets more complicated with the several exemptions that may allow a business to retain some or all of a consumer’s information despite the consumer’s request for deletion. Some of these exceptions are that the business must retain the information to comply with a legal obligation, to protect against fraud, or to complete the transaction for which the personal information was collected in the first place.[vi] Each exception is nuanced and has many gray areas.
Businesses need to understand the type of information they collected about their consumers and the purpose(s) for collection, and be prepared to identify exceptions on which they may rely.
Unlike the right to disclosure, the right to deletion appears to go back in time to include all information the business ever gathered about the consumer, no matter how long ago or the amount of information collected. There remains hope that this requirement will be clarified to reduce the time period of data subject to deletion, but presently there is no clear relief in sight.
The Right to “Opt Out”
If a business sells its consumers’ personal information, then there are a few additional obligations that arise. Chief among these is the consumer’s right to “opt out,” meaning the consumer can request that the business stop selling his or her information.[vii] Relatedly, a business must (1) include specific notice language on its website and (2) provide additional notice to the consumer about selling consumer information.[viii]
The Right to be Free from Discrimination for Exercising CCPA Rights
A business must not discriminate against a consumer because the consumer exercised any rights under the CCPA. For example, a business is not allowed to start charging someone a higher fee for a monthly service simply because the consumer made a request for disclosure.[ix]
The Consumer’s Private Right of Action
Currently, the consumer’s private right of action for a business’ CCPA violation is limited to data breaches that affect the consumer’s personal information. If a consumer has been harmed by a data breach, the business could be liable for civil penalties or actual damages and be subject to injunctive relief. All other CCPA requirements are enforced by the California Attorney General. This is one area in particular to keep an eye on, as later amendments to the CCPA could expand the private right of action to include any violation.[x]
Consumer rights under the CCPA impose significant obligations on businesses subject to the Act. Businesses must have a game plan for properly maintaining data subject to the Act and responding to consumer requests, whether for information or deletion of data. Failure to do so could result in anything from disruption to one’s business to being subject to an enforcement action or civil lawsuit.