Consumer Rights Under the California Consumer Privacy Act (CCPA)

In 2018, the state of California passed privacy legislation known as the California Consumer Privacy Act (CCPA). Under the CCPA, entities that handle the personal information of California residents are subject to restrictions as to how the information may be used. The California Consumer Privacy Act protects the personal information of consumers, whom the law defines as California residents. Specific consumer rights granted under the law are discussed below.

To Whom Does the California Consumer Privacy Act Apply?

The coverage of the California Consumer Privacy Act is broad. The following entities must comply with the California Consumer Privacy Act:

Entities that collect consumer personal information

Entities that determine the purposes and means of processing that personal information

Entities that do business in California, and that meet one of the following thresholds:

Have an annual gross revenue that exceeds $25 million;

Annually buy, receive for commercial purposes, sell, or share for commercial purposes personal information relating to 50,000 or more consumers, households, or devices; or

Derive more than 50% of their annual revenue from selling consumers’ personal information.

What is “Personal Information” Under the CCPA?

Under the CCPA, personal information includes any information that:

Identifies;

Relates to;

Describes; 

References;

Is capable of being associated with; or

Could reasonably be linked to, directly or indirectly,

A particular consumer or household.

What Consumer Rights are Granted by the California Consumer Privacy Act?

The California Consumer Privacy Act provides consumers with the following rights:

The right to request deletion of personal information

The right to access personal information

The right to opt out of the sale of personal information

The right to be free from discrimination

What is the Right to Request Deletion of Personal Information?

Generally, under the California Consumer Privacy Act, businesses must delete – and direct their service providers to delete – any personal information collected about a consumer, if the consumer requests deletion. The California Consumer Privacy Act contains limited exceptions under which businesses are not required to grant such a request.

What is the Right to Access Personal Information?

Upon a consumer’s request, a business must disclose details about personal information pertaining to a consumer collected by the business. The business, upon request, must also disclose details about personal information the business may have sold or disclosed. In response to a consumer request, a business must disclose the following: 

The category or categories of personal information about the consumer that the business sold to a third party.

The business or commercial purpose for which personal information was collected or sold.

The types of third parties to whom the business sold or disclosed the personal information.

The categories of sources from which the personal information was collected.

The categories of personal information about the consumer that the business collected.

The specific items of personal information that the business collected about the consumer.

What is the Right to Opt Out of the Sale of Personal Information?

The California Consumer Privacy Act creates a right of consumers to opt out of the sale of their personal information. The “opt out” provision contained in the California Consumer Privacy Act is also contained in a number of other states’ laws that protect personal information, reflecting a growing trend to prevent sale of personal information without meaningful consumer consent.

Generally, under the California Consumer Privacy Act, a business must honor a consumer request to opt out of the sale of his or her personal information. 

The Act ensures that consumers are aware of this right to opt out, by requiring businesses to include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on the business’ website’s homepage.

What is the Right to be Free of Discrimination?

The California Consumer Privacy Act also imposes requirements on businesses to ensure that consumers are not discriminated against in the exercise of the Act’s data privacy rights. Under the California Consumer Privacy Act, a business may not:

Charge different prices or rates to consumers;

Provide different services; or

Deny goods or services,

To consumers who exercise their rights under the CCPA. Essentially, the Act prevents retaliation against consumers who exercise their legally protected rights.