Consumer Rights Granted by the CCPA (CPRA)

The California Consumer Privacy Act (CCPA), as amended by the CPRA, gives Californian consumers certain rights over how businesses collect, use, and process their personal information. The CCPA (CPRA) ensures that Californians can:
- Buy goods and services online without opting in to online marketing,
- Opt out of marketing without the risk of discrimination, and
- Ask businesses to delete their personal information after it's collected
The CCPA (CPRA) is one of the most comprehensive and far-reaching privacy laws in the United States. It greatly enhances the consumer rights available to Californian citizens, and it is designed to give Californians rights similar to those that European Union (EU) citizens have over their personal data under the General Data Protection Regulation (GDPR).
In this article, we'll look at the important consumer rights granted by the CCPA (CPRA), what they mean, and how you can display them appropriately in your Privacy Policy.
- 1. Does the CCPA (CPRA) Apply to Your Business?
- 2. What is Personal Information Under the CCPA (CPRA)?
- 3. What Consumer Rights are Granted by the CCPA (CPRA)?
- 3.1. Right to Access Information
- 3.2. Right to Correct Inaccurate Personal Information
- 3.3. Right to Know What Personal Information is Collected
- 3.4. Right to Opt Out of Sharing, Processing and Selling
- 3.5. Right to Opt Out of Automated Decision-Making Technologies
- 3.6. Right to Opt in for Minors
- 3.7. Right to Data Portability
- 3.8. Right to Limit the Use and Disclosure of Sensitive Personal Information
- 3.9. Right to Non-Discrimination and Non-Retaliation
- 3.10. Right to Request Deletion
- 4. Summary
Does the CCPA (CPRA) Apply to Your Business?
The CCPA (CPRA) applies to for-profit businesses that operate in California and meet at least one of the following criteria:
- Have a gross annual revenue greater than $25 million
- Buy, receive, or sell the personal information of 100,000 or more California residents, households or devices, or
- Generate at least 50% of their annual revenue by selling California residents' personal information
This is defined in section 1798.140 (C) of the text of the act:
Note that this is different than it was before the CPRA updates took effect.
What is Personal Information Under the CCPA (CPRA)?
Personal information is fairly easy to categorize. Basically, personal information is any information which can be used to identify an individual, their family, or their home address. Examples of personal information include:
- Home address
- Email address
- IP address
- Name
- Date of birth
- Passport or social security number
- Biometric data
- Geolocation and other location data
There's a bigger breakdown of examples of personal information in Subsection O of Section 1798.140:
Note that this list is non-exhaustive, meaning there are other pieces of information which could be classified as personal data.
What Consumer Rights are Granted by the CCPA (CPRA)?
The consumer rights granted to Californians under the CCPA (CPRA) are:
- The right to access the personal information that has been collected
- The right to correct inaccurate personal information
- The right to know what personal information is being collected
- The right to opt out of sharing, processing and selling of information
- The right to opt out of automated decision-making technology
- The right of opting in for minors
- The right of data portability
- The right to limit the use and disclosure of sensitive personal information
- The right to non-discrimination and non-retaliation
- The right to request deletion of personal data from the business that collected it and anyone who it was shared with
The responsibility of informing consumers of these rights and others falls squarely on businesses' shoulders.
Now we'll look at the rights individually to help you address each in your Privacy Policy. Addressing each of the rights in your Privacy Policy is the ideal way to stay compliant while providing your user base with the required information.
Right to Access Information
The right to access allows residents of California to have access to the personal data that businesses collect on them. This means that residents of the state can request a copy of the specific personal information a business holds on them.
Here's an example from Cancer Research UK. It may be a charity, but it's an example of a very clear and concise access clause that's simple to understand and straightforward in its terms. Clarity and user-friendliness are key to complying with the CCPA:
Cancer Research UK's clause tells people that:
- They have a right to access the information held on them
- They can ask for a copy of the personal data stored on them
- There are at least two ways the individual can contact the company to access the data
Here's how A.P. Chem Beauty lists out exactly how the right of access works, where a user makes a request that gets verified, and then specific information is disclosed. Listing out all of the information a user can receive is not necessary, but it is helpful:
In terms of legal exceptions, there are very few instances where a company can legally withhold information from a user. The exception typically only applies when, for example, you're storing the data to handle a complaint or lawsuit, or the consumer makes numerous repetitive demands to see their data within a short space of time.
Right to Correct Inaccurate Personal Information
Consumers in California have the right to request that businesses correct any of their personal information that's inaccurate.
After receiving and verifying the authenticity of a correction request, businesses must make a reasonable effort to make the necessary corrections in accordance with regulations.
Note that there are exceptions when businesses may not have to comply with the consumer's request, like when the requestor's identity can't be verified and when complying would put undue burden on the company.
Here's how San Diego-based commercial and residential moving company Corovan addresses the right to correct inaccurate information in its Privacy Policy, along with some other rights:
Right to Know What Personal Information is Collected
Essentially, consumers have a right to know:
- What categories of personal information you plan on collecting from them
- Why the collection is necessary
- Who you intend to share the personal information with, and why
- How they can opt out of anything other than essential data collection (that includes, for example, collecting personal data to complete a transaction and arrange goods delivery)
Here's how OpenAI addresses the right to know in its Privacy Policy:
It's important to note that consumers should be told about these rights before the information is collected. It's also worth noting that the consumer must be re-informed if you plan on changing the amount of data you collect or if you want to change who you're sharing it with.
The best practice way to satisfy the right to know is by having and displaying an informative Privacy Policy.
Here's how Waterstones links to its Privacy Policy in its website footer so that it's always easily and freely accessible from any page to any website visitor:
The Privacy Policy sets out, in detail, what personal information Waterstones collects, and how it is used. You'll see that Waterstones uses bullet points and short paragraphs to make it easy for consumers to read the clauses.
First, the types of personal information collected are broken down:
Next, it's explained why this data is collected:
Next, the categories of third parties to whom the personal data is disclosed, and why, are included:
Right to Opt Out of Sharing, Processing and Selling
Under the CCPA (CPRA), every consumer has the right to object to you selling their data to any third party, for any purpose. Moreover, if a consumer tells you that you can't sell their data, you can't ask them for their consent again for at least 12 months from the day they give you their objection.
You can read about this right in Section 1798.120 of the CCPA:
It's common for businesses who do not sell personal data to third parties to also disclose this in their Privacy Policy.
California-based heavy-duty truck sales and service company Inland Kenworth addresses the right to opt out in its Privacy Policy as follows:
Some businesses choose not to sell or share the personal data they collect because it limits liability and puts customers at ease.
Just keep in mind that if a customer opts out of having their data collected, you're prohibited from asking them for consent again for at least one year.
The CCPA (CPRA) requires the displaying of a Do Not Sell My Personal Information link, like SeaWorld does here:
Right to Opt Out of Automated Decision-Making Technologies
The CCPA (CPRA) allows consumers to opt out of the use of automated decision-making, profiling and other similar technologies.
Automated decision-making and profiling are generally defined as processes that evaluate personal aspects of a natural person and predict future behavior.
The types of information analyzed during the automated decision-making and profiling processes can include work, health, finance, and personal preference data to name just a few.
Here's an example of a clause that addresses this right:
Right to Opt in for Minors
Because children are particularly vulnerable, they're granted a number of age-specific rights under the CCPA (CPRA).
For example, businesses are only permitted to sell personal information collected from a child known to be younger than 16 if they get authorization first. This affirmative authorization can be given by the child and is referred to as the right to opt in for minors.
On the other hand, for children younger than 13, authorization can only be granted by a parent or legal guardian.
Here's how heavy-duty truck manufacturer PACCAR addresses the collection of children's data in its Privacy Statement:
PACCAR also includes a link to an email address for users who have additional questions about the company's data collection policies.
Right to Data Portability
Under the CCPA (CPRA), consumers enjoy the right to data portability. This means that upon request, the collector must provide their data in an easily readable and commonly used format so that they can transfer or migrate it to another entity.
If they'd rather not do it themselves, consumers in California can also exercise their right to portability by requesting that a business transmit some or all of their data to another entity for them.
State Street clearly lays out how users can exercise their Right to Data Portability:
State Street also lets users know that their identity must be verified before a request can be acted upon, and that access and portability requests can be made no more than two times in any 12-month period.
Right to Limit the Use and Disclosure of Sensitive Personal Information
When defining sensitive personal information, the CCPA (CPRA) includes more than a dozen data points including:
- Religious beliefs
- Sexual orientation
- Political leanings
- Health and medical information
- Geographic location
Under the CPRA amendments, Californians are able to request that a business only use their sensitive personal information when it's necessary to deliver goods or provide services.
The CPRA also introduced the requirement of an additional link on each company's homepage with the heading, Limit the Use of My Sensitive Personal Information.
Here's how Lynx displays a link in its website footer for more information about how a user can limit the use of sensitive personal information:
The linked webpage notifies readers of their right to limit the use of their sensitive personal information and how they can exercise it in a number of ways:
Right to Non-Discrimination and Non-Retaliation
When it comes to the collection of personal data, Californians have the right to non-discrimination, non-retaliation, and equality.
In other words, businesses can't discriminate or retaliate against a consumer just because he or she refused to consent (opted out) to having personal data collected.
Here's how Inland Kenworth notes that it doesn't discriminate against customers who exercise their rights:
Under the terms of the CCPA (CPRA), discrimination generally includes the following:
- Refusing to sell products or services
- Offering discounts or other incentives to customers who consent to data collection or opt into marketing schemes
- Providing inferior products or services to customers who opt out
Right to Request Deletion
If you're a business owner or data collector, it's important to know that consumers can request that you delete their information at any time.
To make this as easy as possible and avoid non-compliance issues down the road, it makes sense to inform them how they can initiate the process and what to expect every step of the way.
Businesses are generally required to make a good faith effort to comply with customer deletion requests, but in the following instances you may not be required to do so:
- You can't verify who sent the request
- Complying with the request may create a security issue
- Deletion would make it difficult or impossible to complete a transaction, initiate a recall, or deliver a product or service
- You're currently complying with other legal obligations that take precedence
- The customer is requesting the deletion of information that the CCPA (CPRA) specifically exempts
SeaWorld addresses the right to deletion in its Privacy Policy as follows:
SeaWorld also informs customers that in cases where deletion requests are denied, the company will explain why they haven't complied.
In regard to the right to deletion, it's also worth noting that:
- You must let customers know how to submit a deletion request
- Two means of communication must be provided (an email address is enough for online businesses)
- You can't require a customer to create an account before submitting his or her deletion request
- You must respond to deletion requests within 45 business days (this can be extended to 90 days with proper notification)
- Businesses are required to pass the deletion request on to third parties
Summary
The CCPA (CPRA) provides various consumer rights that limit how businesses collect, store, and share Californians' personal data.
Under the act, Californians have the following rights:
- The right to access the personal information that has been collected
- The right to correct inaccurate personal information
- The right to know what personal information is being collected
- The right to opt out of sharing, processing and selling of information
- The right to opt out of automated decision-making technology
- The right of opting in for minors
- The right of data portability
- The right to limit the use and disclosure of sensitive personal information
- The right to non-discrimination and non-retaliation
- The right to request deletion of personal data from the business that collected it and anyone who it was shared with
Note these rights and how users can exercise them within your Privacy Policy to help ensure compliance.