Learn Key Requirements of the CCPA
After completing this unit, you’ll be able to:
- Explain the key consumer rights in the CCPA.
- Discuss key requirements to comply with the CCPA.
CCPA and Consumer Rights
As mentioned in the previous unit, the CCPA presents a significant expansion of privacy law in the United States. Consumer rights under the CCPA include the following:
- Right to notice
- Right to access
- Right to opt out (or right to opt in)
- Right to request deletion, and
- Right to equal services and pricing
Let’s break these down one by one.
The Right to Know (Notice)
The right to know (receive notice) is probably the most straightforward right under the CCPA. Under the CCPA, Consumers have the right to receive clear and transparent information about the categories and types of Personal Information that Businesses are collecting about them. Accordingly, Businesses must inform Consumers, at or before the point of collection of their Personal Information, what categories of Personal Information will be collected and the purposes for which these categories will be used. Consumers are also entitled to know the identity of the third parties with which their Personal Information is being shared.
The Right to Access
Consumers have the right to request that a Business disclose any or all of the following.
- The categories of Personal Information collected about them
- The categories of sources from which Personal Information is collected
- The purpose for which their Personal Information was collected
- The third parties with which the Business shares Personal Information
- The specific pieces of Personal Information (for example, name, email, address) the Business holds about a Consumer
Additionally, if a Business Sells Personal Information or discloses it for business purposes, Consumers have the right to request information about the categories of information being Sold or disclosed.
At first glance, the right to access seems straightforward, but complying with Consumer requests for this information will require careful attention to detail. While some of the Personal Information collected by Businesses is stored in a structured way, like in a marketing database or in a contact list, Personal Information may also be in emails, texts, images, and other unstructured formats which nonetheless will also need to be disclosed.
The Right to Opt Out
Consumers have the right, at any time, to tell Businesses to stop Selling (as defined in the previous unit) their Personal Information. This is often referred to as the right to opt out. Furthermore, the CCPA prohibits the Sale of the Personal Information of children under 16 unless either:
- A child between the ages of 13 and 16 affirmatively opts in, or
- The parent or guardian of a child under 13 affirmatively authorizes the Sale of their Personal Information.
Because the definition of Sale is so broad, Businesses will have to carefully track who they share Personal Information with and ensure there is a mechanism to stop such sharing if a Consumer requests that the Selling be stopped.
The Right to Request Deletion
Under the CCPA, Consumers have the right to request that Businesses delete their Personal Information when such information was collected from the Consumer. But just as under the GDPR, this right has several exceptions. For example, Businesses do not have to comply with a deletion request if the Business needs the Consumer’s Personal Information to: perform a contract between the Business and the Consumer; detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity. The CCPA includes other exceptions to the right of deletion, such as exercising free speech, protecting or defending against legal claims, and retaining the data for internal uses reasonably aligned with the Consumer’s expectations.
The Right to Equal Services and Pricing
The right to equal services and prices may be the most difficult to understand correctly under the CCPA. It does not restrict or prohibit a Business from collecting Personal Information, and it only applies after a Consumer has exercised any or all of the other CCPA rights. If a Consumer exercises any of their rights under the CCPA, a Business cannot then charge a different price or change the quality of the services it provides that Consumer based upon the Consumer’s exercising of rights under the CCPA. In other words, a Business cannot reduce the quality of services or charge a higher price to a Consumer exercising their rights under the CCPA.
The CCPA is a dramatic change in US privacy law and requires significantly greater transparency from Businesses collecting Personal Information in California. Given that California is one of the largest economies in the world, companies will continue to do business in the state and therefore must invest resources in ensuring that the rights granted to Consumers under the CCPA are honored.
Key Compliance Requirements under CCPA
Now that we’ve discussed the rights that Consumers have under the CCPA, let’s review some of the key compliance requirements for Businesses under the CCPA.
Honoring Consumer Rights
To honor the rights granted to Consumers, the CCPA imposes obligations on Businesses.
These obligations include:
- Responding to disclosure requests
- Responding to requests for information about Sold Personal Information (for Businesses that Sell Personal Information)
- Honoring requests to opt out of Sale
- Obtaining opt-in consent for children
- Responding to Personal Information deletion requests
- Responding to access and portability requests
- Not discriminating against Consumers who exercise their CCPA rights
Businesses working to honor Consumer requests should first verify the Consumer’s identity and ensure that none of the exceptions in the CCPA apply to the request. For example, if a Consumer makes a deletion request but the Consumer’s data is necessary to cooperate with law enforcement, a Business would not be required to honor the request under the CCPA. However, failure to comply with a Consumer request when no exception applies is a violation of the CCPA, so careful analysis of each Consumer request will be necessary to ensure compliance.
Additionally, the CCPA requires Businesses to create two or more designated methods for Consumers to submit CCPA rights requests, including at a minimum providing a toll-free telephone number. Additional acceptable methods for submitting requests include:
- Providing a postal mailing address
- Providing an email address
- Providing a link to an internet webpage or portal
- Providing some other contact information whereby Consumers may exercise their rights and submit a request under the CCPA
The CCPA requires Businesses to respect Consumers’ privacy and provide a high level of transparency into their business practices. Several of the rights granted to Consumers by the CCPA, such as the right to know and the right to access, are designed to improve transparency and provide Consumers with detailed information about how Businesses collect and use their Personal Information.
Under the CCPA, Businesses have to disclose the categories of Personal Information they collect and use before or at the time of collection. Disclosures must include the following:
- The categories (types) of Personal Information collected
- The categories of sources from which Personal Information is collected
- The purpose for which the Personal Information is collected
- Any third parties that will have access to the Personal Information
The above disclosures must also be provided to a Consumer upon request. So Businesses must ensure both that the disclosures are publicly posted and that they are able to provide them directly to an individual Consumer upon request.
The CCPA requires that Businesses engaged in activities that constitute a Sale under the CCPA provide “a clear and conspicuous link on the Business’ website, titled Do Not Sell My Personal Information,” that leads to a page that allows a Consumer to opt out of the Sale of their Personal Information. Additionally, Businesses cannot require Consumers to create an account to opt out of Selling. For Consumers 16 years old or younger, this must be presented as an opt-in choice, not an opt-out.
Train Employees and Staff
The CCPA requires Businesses to ensure that any individuals responsible for handling Consumer inquiries and for compliance with the CCPA (employees, contractors, and so on) are properly trained on the requirements of the CCPA and on how to direct Consumers to exercise their rights under the CCPA. Therefore, it is important that every Business provides training and resources to staff working on CCPA compliance, and it is best practice to document both the trainings and the procedures.
Ensure Vendors and Subprocessors Are Subject to Strict Contracting Terms
Businesses often hire vendors to handle Personal Information. The CCPA refers to these vendors as Service Providers. If you have a vendor that qualifies as a Service Provider under the CCPA, you must sign a written contract with the Service Provider that limits processing to the business purpose of the contract. The contract must also include, among other things, a certification from the Service Provider that it understands the restrictions and will comply with them.
The above discussion does not include all of the requirements of the CCPA. It is intended only to highlight some of the major requirements and to illustrate the complexity involved in complying with the law.
To make sure your organization implements a compliance strategy that meets all of the requirements of the CCPA, you should hire expert legal counsel to help you develop a plan that works best for your Business.