The California Consumer Privacy Act (CCPA), which took effect on 1 January 2020, is arguably the toughest privacy law in the United States. The Act specifically states that its purpose is to uphold five key consumer privacy rights:
The five rights that the CCPA gives to Californians are:
- To know what personal information is being collected about them
- To know whether their personal information is sold or disclosed and to whom
- To say no to the sale of personal information
- To access their personal information
- To equal service and price, even if they exercise their privacy rights
The CCPA can apply to any for-profit entity that does business in California. It doesn't matter where the business is based or what its legal structure is. Instead, the business comes under the CCPA if it meets at least one of three thresholds:
- Its annual gross revenue is more than $25 million.
- For business purposes, it buys, sells or shares personal information about at least 50,000 consumers, households or devices.
- It makes at least 50 percent of its annual revenue from selling personal information about consumers.
The potential penalties for violating the law include:
- $7,500 for intentional violations
- $2,500 for unintentional violations
- $750 or actual damages, whichever is higher, for breaches that reveal "non-encrypted or non-redacted personal information"
Note that if you break the CCPA rules, it counts as a separate violation for each person affected. This means the penalties could rapidly add up.
The Importance of the CCPA's Consumer Rights
The text of the CCPA specifically states that its measures are designed to uphold five consumer rights. This means you need to bear these rights in mind when complying with the specific measures in the CCPA, particularly when deciding how to interpret a particular requirement.
Indeed, the CCPA also specifically says that its wording "shall be liberally construed to effectuate its purposes." In other words, don't expect to avoid legal problems by relying on linguistic loopholes or creative arguments. Everything you do to comply with the CCPA should take into account the five rights.
How to Uphold the CCPA's Consumer Rights
Let's break down the measures you must take to uphold these rights.
To uphold the first data right, the CCPA sets out specific information that you must provide to a consumer either before or when you collect their personal data. The CCPA classes different types of personal data into 11 designated categories, though some data may come under multiple categories.
You must tell consumers:
- Which categories the data you are collecting falls under
- Why and how you will use the data from each category
The 11 categories are as follows:
- Names, account numbers, addresses and other personal identifiers
- Personal information as defined by the California Civil Code 1798.80 (which expands category A to include financial, medical and health insurance information)
- Information relating to protected classifications under state or federal law (such as race, disability, religion and citizenship status)
- Commercial information such as details of purchases
- Biometric data
- Information about the person's Internet activity
- Geolocation data
- Audio, electronic, olfactory, thermal, visual and similar data (In other words, personal information that is in a form other than text.)
- Data about employment or professional activity
- Data about education
- Inferred data (such as profiling a customer "type" based on their purchase history)
You can only use the collected data for the stated purposes. If you want to use the data for other purposes or collect data from other categories, you must again give advance notice to the consumer.
Although it's not listed as one of the five core rights, the CCPA does say consumers can ask you to delete data you have already collected about them. You must do so unless the data is needed for security reasons or to complete an ongoing transaction or contract.
If you plan to sell or share user data with third parties, give advance notice that you'll use the data that way.
Remember that you'll also need to tell the consumer if you want to start selling or sharing data you've already collected for a different purpose.
Whenever you tell a consumer about your data selling and sharing (whether in advance or when responding to a data access request) you must give them a list. This list needs to include:
- Which of the 11 categories cover the data you've sold
- For each category, the third parties to which you sold data that comes under that category
This example from FivePoint neatly covers data collection, disclosure and sales across the categories:
The third right says that at any time, a consumer can tell you to stop selling personal data. You must follow this order.
Once a consumer has "opted out" in this way, you cannot sell their personal data unless and until they authorize you to do so. The consumer can approach you to do this at any time, but you must wait at least 12 months before asking them to let you start selling their data again.
When you receive an opt-out request, you have 10 days to stop selling the data. You also have 90 days to contact anyone you sold the data to and inform them that they in turn must stop selling or sharing that data.
You must have a dedicated page on your site that lets consumers opt out of their data being sold. You can't force the consumer to sign up for an account to exercise this opt-out. Your home page must have a link titled "Do Not Sell My Personal Information" that points to this dedicated page.
The rules are different for consumers aged 16 and under. An opt-in system applies, which means you can never sell the personal data unless and until you get authorization from the consumer (if aged 13-16) or their parent or guardian (if the consumer is aged under 13).
This example from Blizzard contains a simple link to opt out of data sales. This link creates a custom request depending on whether the customer already has an account or not:
Data Access Requests
The fourth consumer right under the CCPA is to request access to the personal data you hold about them. This right applies even when you've given advance notice before collecting the data.
When you get a data access request, you'll need to tell the person:
- The specific information you've collected about them
- The business purposes for which you collected or sold the data
For each of the 11 categories you must tell the person:
- Whether you've collected data about them in that category
- The source of the data
- Who you've shared the data with, including selling data
In each case, the details you provide must cover all data you've collected or shared in the previous 12 months.
The consumer has the right to make two data requests in any 12-month period.
You must give consumers at least two ways to make a data access request. One can be a toll-free telephone number. Another can be your website.
Once somebody makes a data access request, you must acknowledge receipt within 10 days. You've normally got 45 days to provide the information. You can extend this by a further 45 days if it proves reasonably necessary, but you must let the consumer know you are doing this before the original 45-day deadline.
This example from RSG tells customers how to make a data access request. It could be improved with clearer language and a bullet-pointed list rather than a continuous paragraph, but it covers all the information so it's adequate:
Equal Service and Price
This is the fifth and arguably least clear-cut right. The regulations and enforcement of the Attorney General are particularly important here. Let's break down what you can and can't do.
You can refuse to offer a product or service to a customer who is unwilling to provide particular personal data. That's because refusing to provide data isn't one of the five privacy rights.
You can also offer financial incentives, including cheaper service, to customers who provide personal data or consent to you selling their personal data. The only limit is that the financial incentive has to directly relate to the inherent value of that personal data.
What you can't do is make the availability or price of your products and services dependent on whether or not the consumer exercises any of their CCPA rights. In other words, you can't charge more or refuse service because the customer has:
- Asked for notice of how you handle their data
- Asked to know what data you have about them
- Told you to stop selling their personal data
Note that complaining or taking legal action over alleged breaches of these rights is itself a way of exercising the rights. That means you can't stop service or increase the price just because a customer has complained about you breaching the CCPA.
As part of upholding the five rights, the CCPA specifically details information that you must provide:
- In a special website section covering California privacy rights (if you have one)
The information you must provide is as follows.
- Details of the five privacy rights under the CCPA
- At least one method for making a data access request
- A list of all the categories that apply to data you've collected about consumers in the past 12 months
- A list of all the categories that apply to data you've sold about consumers in the past 12 months
- A list of all the categories that apply to data you've disclosed about consumers in the past 12 months
This example from Reed Business Information covers the categories of collected data and adds information about how and why it collects data, helping uphold the CCPA notice right. Note this is just an excerpt of the full clause:
This example from Bank of America details the consumer's rights under the CCPA:
This clause is outlined in a way that's very easy to read and clear to navigate, which is a great touch.
Let's recap what you need to know and do to uphold CCPA privacy rights.
- The CCPA enforcement is scheduled to start in July 2020 but it's already law and covers data you've collected in the past 12 months.
- The CCPA applies to most very large businesses, plus those that handle a lot of data about Californians or make most of their money selling data about Californians. Your business doesn't have to be in California to come under the CCPA.
The CCPA specifically gives Californians the right to:
- Know what personal information is being collected about them
- Know whether their personal information is sold or disclosed and to whom
- Say no to the sale of personal information
- Access their personal information
- Have equal service and price, even if they exercise their privacy rights
- Whenever implementing the specific measures of the CCPA, you should always remember that their purpose is to uphold these five rights.
- Many of the measures in the CCPA involve knowing which of the designated categories covers each piece of personal data.
- You must give advance notice of the categories that apply when you collect data. You must also say why and how you will use the data.
- You must tell consumers if you are selling or sharing their personal data. You must give the details of the relevant third parties for each category where you've sold or shared data.
- Consumers can tell you to stop sharing their personal data and you must follow this order. Your home page must have a link marked "Do Not Sell My Personal Information" that points to a dedicated page for opting out.
- You can never sell or share personal data about somebody aged 16 or younger unless and until you have their express permission (or that of a parent or guardian for under-13s).
- If a consumer makes a data access request, you have 45 days to tell them what data you've collected in the past 12 months and why and how you've used it. You'll also need a list broken down by the designated categories saying whether you've collected data, where you got it, and who (if anyone) you've sold it to or shared it with.
- The five CCPA rights
- How to make a data access request
- Separate lists for data you've collected, data you've sold and data you've disclosed about consumers in the past 12 months. Each of these lists should be broken down by the designated categories. You could combine the lists into a table.