Now that summer has officially started, fewer than six months remain until the California Consumer Privacy Act (CCPA) becomes effective. Implementing corporate processes necessary to meet the CCPA’s broad consumer privacy rights guarantees is a key aspect of CCPA compliance, but can prove challenging in practice.
As we outlined previously, the CCPA contains a number of consumer rights. We will address these rights in more detail in a two-part series. This first post presents a brief “field guide” to the CCPA’s consumer rights and their potential complications. The second installment will address how companies should respond to consumer requests. It’s important to remember that the term “consumer” is defined broadly to mean any individual who is a resident of California. Barring further amendments, this includes employees.
Consumer rights in the CCPA can be formulated in different ways, but we divide them into the following categories: (1) right to notice, (2) right to access, (3) right to opt out (or right to opt in), (4) right to request deletion, and (5) right to equal services and prices.
Right to Notice
Probably the most obvious right that consumers have under the CCPA is the right to notice. Consumers can expect to ring in the New Year in 2020 with a flurry of notifications similar to the deluge of emails that accompanied the EU’s General Data Protection Regulation (GDPR) taking effect on May 25, 2018—or the barrage of paper notices that signaled the implementation of the federal Gramm-Leach-Bliley Act Privacy Rule, 12 CFR Part 1016, in 2001.
Under the CCPA, businesses must inform consumers at or before the point of collection what categories of personal information will be collected and the purposes for which these categories will be used. This will be particularly difficult for personal information collected in person or from third parties. And businesses must provide notice again before collecting additional categories or collecting personal information for new purposes.[1] This requires ongoing efforts to identify changes in collection or use of previously collected personal information.
The CCPA also sets forth specific disclosures that businesses must include in their privacy policies, including descriptions of consumer rights and how to exercise them.[2]
Right to Access
A corollary to the right to notice under the CCPA is the right to access. Consumers have the right to request that a business disclose the categories of personal information collected; the categories of sources from which personal information is collected; the business or commercial purpose; the categories of third parties with which the business shares personal information; and the specific pieces of personal information the business holds about a consumer.[3] If a business sells personal information or discloses it for business purposes, consumers have the right to request the categories of information so sold or disclosed.[4]
Access requests may be easier for companies that maintain databases, but most companies also collect unstructured data (such as emails, images, files, etc.) related to consumers. Given that “personal information” includes any information “capable of being associated with” a consumer or a household, requests will encompass a wide range of data that a business possesses.
Right to Opt-Out
Consumers have the right—at any time—to direct businesses that sell personal information about the consumer to third parties to stop this sale, known as the right to opt out. If a consumer is a minor, the CCPA provides for a right to opt in to the sale of data (exercised by the minor if the consumer is between 13 and 16 years of age, or by the minor’s parent or guardian if the consumer is under 13 years old).[5] Businesses must wait at least 12 months before asking consumers to opt back in.[6] Companies should examine their relationships with third parties to which they provide personal information, because “sale” is defined broadly!
Right to Request Deletion
Consumers also have the right to request deletion of personal information, but only where that information was collected from the consumer. Like the right to erasure under the GDPR, this right is subject to exceptions. For instance, businesses need not delete personal information necessary for detecting security incidents, exercising free speech, protecting or defending against legal claims, or—in what is potentially a broad and likely contentious category—for internal uses reasonably aligned with the consumer’s expectations.[7] Companies will have to determine the expectations of their particular consumers, how to handle the fact that personal information may be replicated many times and used for different purposes, and who (lawyers or the business) will make decisions regarding whether the CCPA’s exceptions apply.
Right to Equal Services and Prices
The CCPA prohibits businesses from discriminating against consumers by denying goods or services, charging a different price or rate for goods or services, providing a different level or quality of goods or services, or suggesting that they will do any of these things based upon a consumer’s exercise of any CCPA rights. Put differently, consumers have a right to equal services and prices.[8] This provision is likely the most misunderstood section of the CCPA, no doubt in part due to confusing wording. The right to equal services and prices does not place any restrictions on a business’ ability to collect information or deny service if a consumer does not want to participate in collection; it only applies where the consumer exercises specific CCPA rights, such as opting out of downstream sale of the data.
A business may offer financial incentives for the collection and sale of data, but only with the consumer’s prior opt-in consent—which can be withdrawn at any time—and where the price or difference is directly related to the value of the consumer’s personal information.[9] Proving the value of personal information may be difficult.
Doing Right by CCPA
The CCPA dramatically raises the bar on the options and information businesses must make available to any individual about whom data is collected. It also creates consumer rights, which—due to the widespread use of personal information for different purposes, some of which may involve third party partners—will be challenging for many businesses to implement in practice.
[1] See CCPA §§ 1798.100, 1798.120.
[2] See CCPA §§ 1798.130, 1798.135.
[3] See CCPA §§ 1798.100, 1798.110, 1798.115.
[4] See CCPA § 1798.115.
[5] See CCPA § 1798.120.
[6] See CCPA § 1798.120.
[7] See CCPA § 1798.105.
[8] See CCPA § 1798.125.
[9] See CCPA § 1798.125.