Consumer Rights Granted by the CCPA
The California Consumer Privacy Act (CCPA) gives Californian consumers certain rights over how businesses collect, use, and process their personal information. The CCPA ensures that Californians can:
- Buy goods and services online without opting in to online marketing,
- Opt out of marketing without the risk of discrimination, and
- Ask businesses to delete their personal information after it's collected.
The CCPA is one of the most comprehensive and far-reaching privacy laws in the United States. It greatly enhances the consumer rights available to Californian citizens, and it is designed to give Californians rights similar to those that European Union (EU) citizens have over their personal data under the General Data Protection Regulation (GDPR).
1. The CCPA: Who it Applies to
2. What is Personal Information?
3. Consumer Rights Under the CCPA
4. CCPA Consumer Right #1: Right to Access
5. CCPA Consumer Right #2: Knowledge
6. CCPA Consumer Right #3: Consent
7. CCPA Consumer Right #4: Equality
8. CCPA Consumer Right #5: Deletion
9. Conclusion
The main consumer rights granted to Californian citizens under the CCPA, which came into force on January 1st, 2020, are:
- The right to access the personal information that a business holds on them
- The right to know what personal data a business plans on collecting from them before the point of collection
- The right to opt in or out of marketing, analytics, and other similar activities
- The right to equal services without discrimination
- The right to request deletion of personal data
There's also a duty placed on businesses offering goods and services to Californians to inform consumers of these rights. You can comply with your obligations under the CCPA in various ways, and luckily, they're all fairly straightforward. To fulfil your obligations under the Act, you should:
- Tell consumers about their rights before you collect any personal data from them
The CCPA: Who it Applies to
If you run a business, you're probably wondering - does the CCPA apply to every business? The short answer is no, but the reality is that many businesses are affected by it.
You have to comply with the CCPA if you run a for-profit business, do any business in California, and any one of the following conditions applies to you:
- You have gross annual takings in excess of $25 million,
- 50% or more of your annual revenue comes from the data you sell that belongs to Californians, or
- You process, receive, or transfer data from over 50,000 visitors each year
Let's consider what this means. Firstly, the CCPA doesn't apply to you if you run a charity or a non-profit. If you run a for-profit company, the Act applies if you, for example:
- Make $20 million a year, but 80% of your revenue comes from selling data belonging to Californians
- Receive 51,000 visitors to your site each year and you don't sell any personal data
The Act wouldn't apply if, for example, your gross annual takings are $15 million, you don't sell data, and you only receive 20,000 visitors each year. To read the rules for yourself, you can find these terms set out in more detail in Section 1798.140 of the CCPA:
It makes sense to comply with the CCPA however big your business is because it's very similar to the GDPR, and it's extremely likely that your business is already obligated to comply with this Act.
If you're unfamiliar with data privacy laws, you might be wondering what exactly is meant by "personal information." Let's take a look.
What is Personal Information?
Personal information is fairly easy to categorize. Basically, personal information is any information which can be used to identify an individual, their family, or their home address. Examples of personal information include:
- Home address
- Email address
- IP address
- Date of birth
- Passport or social security number
- Biometric data
- Geolocation and other location data
There's a bigger breakdown of examples of personal information in Subsection O of Section 1798.140:
Note that this list is non-exhaustive, meaning there are other pieces of information which could be classified as personal data.
Consumer Rights Under the CCPA
As we've mentioned, there are five categories of rights granted to Californian consumers under the CCPA. These rights are to:
- Deletion (also known as the right to be forgotten)
CCPA Consumer Right #1: Right to Access
It's a basic tenet of the CCPA that consumers have the right to access the personal information that a business holds on them. In other words, consumers can access:
- What information a business collects from them
- Why the business collects this data
- Where the information comes from
- Third party apps or businesses the company shares the data with
The applicable clause is Section 1798.100:
Here's an example from Cancer Research UK. It may be a charity, but it's an example of a very clear and concise access clause that's simple to understand and straightforward in its terms. Clarity and user-friendliness are key to complying with the CCPA:
Cancer Research UK's clause tells people that:
- They have a right to access the information held on them
- They can ask for a copy of the personal data stored on them
- There are at least two ways the individual can contact the company to access the data
In terms of legal exceptions, there are very few instances where a company can legally withhold information from a user. The exception typically only applies when, for example, you're storing the data to handle a complaint or lawsuit, or the consumer makes numerous repetitive demands to see their data within a short space of time.
Here's a commercial example, from BMW. You'll note that again, it's a short clause, but there's more information on what specific rights of access consumers have. Contact details are a little further down the page, which is still CCPA-compliant:
Top tip: Include a simple clause that tells customers exactly how they can contact you to find out what information you store on them, and why.
CCPA Consumer Right #2: Knowledge
Just as important as the right of access is the right to know that a business collects personal information in the first place, and why this collection is necessary. You may see this right also referred to as the right of notice, and it means the same thing.
Essentially, consumers have a right to know:
- What categories of personal information you plan on collecting from them
- Why the collection is necessary
- Who you intend to share the personal information with, and why
- How they can opt out of anything other than essential data collection (that includes, for example, collecting personal data to complete a transaction and arrange goods delivery)
It's important to note that consumers should be told about these rights before the information is collected. It's also worth noting that the consumer must be re-informed if you plan on changing the amount of data you collect or if you want to change who you're sharing it with.
First, the types of personal information collected are broken down:
Then it's explained why this information is collected:
Next, the categories of third parties to whom the personal data is disclosed, and why, are included:
CCPA Consumer Right #3: Consent
Under the CCPA, every consumer has the right to object to you selling their data to any third party, for any purpose. Moreover, if a consumer tells you that you can't sell their data, you can't ask them for their consent again for at least 12 months from the day they give you their objection.
You can read about this right in Section 1798.120 of the CCPA:
Here's an example from AVG which is specifically targeted at Californians:
Top tip: If you plan on selling customer personal data, you must obtain their consent before doing so. If you don't sell customer personal data, which nowadays is the more common position, it's good to highlight this so that customers know they can trust you with their data.
CCPA Consumer Right #4: Equality
At the heart of consumer rights under the CCPA is the right to non-discrimination. In other words, you can't discriminate against a consumer for refusing to consent to marketing or other non-essential data collection, including Google Analytics.
Examples of discrimination would include:
- Refusing services
- Offering discounts or other incentives to customers just because they consent to marketing
- Providing a lesser level of service or lesser quality goods
Top tip: Use short sentences and clear, unambiguous language when you're drafting these clauses.
CCPA Consumer Right #5: Deletion
Every consumer has the right to be forgotten by your business. A consumer can request that you delete information they provided to you at any time. You don't have to delete data in limited circumstances, including:
- You've identified a security incident
- You're raising or defending a legal claim
AVG sets out a very brief but effective clause in its Policy that addresses the right to be forgotten. Note how it explains that the company is entitled to keep the data if it's necessary to protect its interests, such as in court proceedings:
This is a simple yet great clause because it protects AVG's right to keep the data without infringing on the consumer's right to deletion.
Top tip: Ensure that consumers know they can request erasure of their personal data at any time, but that there are times when you can't comply with this request. This reduces the chance of confusion for the consumer.
To summarize, the CCPA affords Californian consumers many new rights over their personal data. These rights include the right to:
- Fair and equal treatment, regardless of whether they consent to marketing
- Know what personal data a business holds on them, and for what purpose
- Know who a business shares this data with, and why
- Request that their data be deleted
- Refuse consent to marketing, and opt out of having their data sold to third parties
Consumers can ask to see the personal data you hold on them at any time, and in most cases, you must comply with their request.