The California Consumer Privacy Act (CCPA), which took effect on 1 January 2020, is arguably the toughest privacy law in the United States. It was amended and expanded by the CPRA. The Act specifically states that its purpose is to uphold key consumer privacy rights:
The rights that the CCPA (CPRA) gives to Californians are:
- To know what personal information is being collected about them
- To know whether their personal information is sold or disclosed and to whom
- To say no to the sale, sharing or processing of personal information
- To access, correct or request the deletion of their personal information
- To obtain their data in a portable format
- To equal service and price, even if they exercise their privacy rights (the right to non-discrimination)
- To have the use of their sensitive personal information limited
The CCPA (CPRA) can apply to any for-profit entity that does business in California. It doesn't matter where the business is based or what its legal structure is. Instead, the business comes under the CCPA (CPRA) if it meets at least one of three thresholds:
- Its annual gross revenue is more than $25 million.
- For business purposes, it buys, sells or shares personal information about at least 100,000 consumers or households.
- It makes at least 50 percent of its annual revenue from selling or sharing personal information about consumers.
The potential penalties for violating the law include:
- $7,500 for intentional violations
- $2,500 for unintentional violations
- $750 or actual damages, whichever is higher, for breaches that reveal "non-encrypted or non-redacted personal information"
The Importance of the CCPA/CPRA's Consumer Rights
The text of the CCPA (CPRA) specifically states that its measures are designed to uphold consumer rights. This means you need to keep these rights in mind when complying with the specific measures in the CCPA, particularly when deciding how to interpret a particular requirement.
Indeed, the CCPA (CPRA) also specifically says that its wording "shall be liberally construed to effectuate its purposes." In other words, don't expect to avoid legal problems by relying on linguistic loopholes or creative arguments. Everything you do to comply with the CCPA (CPRA) should take into account the user rights.
How to Uphold the CCPA/CPRA's Consumer Rights
Let's break down the measures you must take to uphold these rights.
To uphold the right to know what personal information is being collected, the CCPA (CPRA) sets out specific information that you must provide to a consumer either before or when you collect their personal data. The CCPA (CPRA) classes different types of personal data into 12 designated categories, though some data may come under multiple categories.
You must tell consumers:
- Which categories the data you are collecting falls under
- Why and how you will use the data from each category
- How long you will keep the data from each category
The 12 categories are as follows:
- Names, account numbers, addresses and other personal identifiers
- Personal information as defined by the California Civil Code 1798.80 (which expands category A to include financial, medical and health insurance information)
- Information relating to protected classifications under state or federal law (such as race, disability, religion and citizenship status)
- Commercial information such as details of purchases
- Biometric data
- Information about the person's Internet activity
- Geolocation data
- Audio, electronic, olfactory, thermal, visual and similar data (In other words, personal information that is in a form other than text.)
- Data about employment or professional activity
- Data about education
- Inferred data (such as profiling a customer "type" based on their purchase history)
- Sensitive personal information
You can only use the collected data for the stated purposes. If you want to use the data for other purposes or collect data from other categories, you must again give advance notice to the consumer.
If you plan to sell or share user data with third parties, give advance notice that you'll use the data that way.
Remember that you'll also need to tell the consumer if you want to start selling or sharing data you've already collected for a different purpose.
Whenever you tell a consumer about your data selling and sharing (whether in advance or when responding to a data access request), you must give them a list. This list needs to include:
- Which of the categories cover the data you've sold
- For each category, the third parties to which you sold data that comes under that category
This example from FivePoint neatly covers data collection, disclosure and sales across the categories:
At any time, a consumer can tell you to stop selling personal data. You must follow this order.
Once a consumer has "opted out" in this way, you cannot sell their personal data unless and until they authorize you to do so. The consumer can approach you to do this at any time, but you must wait at least 12 months before asking them to let you start selling their data again.
When you receive an opt-out request, you have 10 days to stop selling the data. You also have 90 days to contact anyone you sold the data to and inform them that they in turn must stop selling or sharing that data.
You must have a dedicated page on your site that lets consumers opt out of their data being sold. You can't force the consumer to sign up for an account to exercise this opt-out. Your home page must have a link titled "Do Not Sell My Personal Information" that points to this dedicated page.
The rules are different for consumers aged 16 and under. An opt-in system applies, which means you can never sell the personal data unless and until you get authorization from the consumer (if aged 13-16) or their parent or guardian (if the consumer is aged under 13).
This example from Blizzard contains a simple link to opt out of data sales. This link creates a custom request depending on whether the customer already has an account or not:
Data Access Requests
Users have the right to request access to the personal data you hold about them. This right applies even when you've given advance notice before collecting the data.
When you get a data access request, you'll need to tell the person:
- The specific information you've collected about them
- The business purposes for which you collected or sold the data
For each of the 12 categories you must tell the person:
- Whether you've collected data about them in that category
- The source of the data
- Who you've shared the data with, including selling data
In each case, the details you provide must cover all data you've collected or shared in the previous 12 months.
The consumer has the right to make two data requests in any 12-month period.
You must give consumers at least two ways to make a data access request. One can be a toll-free telephone number. Another can be your website.
Once somebody makes a data access request, you must acknowledge receipt within 10 days. You've normally got 45 days to provide the information. You can extend this by a further 45 days if it proves reasonably necessary, but you must let the consumer know you are doing this before the original 45-day deadline.
This example from RSG tells customers how to make a data access request. It could be improved with clearer language and a bullet-pointed list rather than a continuous paragraph, but it covers all the information so it's adequate:
Equal Service and Price
You can't make the availability or price of your products and services dependent on whether or not the consumer exercises any of their CCPA (CPRA) rights.
Note that complaining or taking legal action over alleged breaches of these rights is itself a way of exercising the rights. That means you can't stop service or increase the price just because a customer has complained about you breaching the CCPA.
As part of upholding the user rights, the CCPA (CPRA) specifically details information that you must provide in the following locations:
- In a special website section covering California privacy rights (if you have one)
The information you must provide is as follows:
- Details of the privacy rights
- At least one method for making a data access request
- A list of all the categories that apply to data you've collected about consumers in the past 12 months
- A list of all the categories that apply to data you've sold about consumers in the past 12 months
- A list of all the categories that apply to data you've disclosed about consumers in the past 12 months
This example from Reed Business Information covers the categories of collected data and adds information about how and why it collects data, helping uphold the CCPA (CPRA) notice right. Note this is just an excerpt of the full clause:
This example from Bank of America details the consumer's rights under the CCPA (CPRA):
This clause is outlined in a way that's very easy to read and clear to navigate, which is a great touch.
Let's recap what you need to know and do to uphold CCPA (CPRA) privacy rights.
- The CCPA (CPRA) applies to most very large businesses, plus those that handle a lot of data about Californians or make most of their money selling data about Californians. Your business doesn't have to be in California to fall under the CCPA/CPRA's scope.
- Whenever implementing the specific measures of the CCPA (CPRA), you should always remember that their purpose is to uphold user rights.
- Many of the measures in the CCPA (CPRA) involve knowing which of the designated categories covers each piece of personal data.
- You must give advance notice of the categories that apply when you collect data. You must also say why and how you will use the data.
- You must tell consumers if you are selling or sharing their personal data. You must give the details of the relevant third parties for each category where you've sold or shared data.
- Consumers can tell you to stop sharing their personal data and you must follow this order. Your home page must have a link marked "Do Not Sell My Personal Information" that points to a dedicated page for opting out.
- You can never sell or share personal data about somebody aged 16 or younger unless and until you have their express permission (or that of a parent or guardian for under-13s).
- If a consumer makes a data access request, you have 45 days to tell them what data you've collected in the past 12 months and why and how you've used it. You'll also need a list broken down by the designated categories saying whether you've collected data, where you got it, and who (if anyone) you've sold it to or shared it with.