Consumer Rights Granted by the CCPA

by Jennifer L. Legal writer.

The California Consumer Privacy Act (CCPA) gives Californian consumers certain rights over how businesses collect, use, and process their personal information. The CCPA ensures that Californians can:

  • Buy goods and services online without opting in to online marketing,
  • Opt out of marketing without the risk of discrimination, and
  • Ask businesses to delete their personal information after it's collected

The CCPA is one of the most comprehensive and far-reaching privacy laws in the United States. It greatly enhances the consumer rights available to Californian citizens, and it is designed to give Californians rights similar to those that European Union (EU) citizens have over their personal data under the General Data Protection Regulation (GDPR).

The main consumer rights granted to Californian citizens under the CCPA, which came into force on January 1st, 2020, are:

  • The right to access the personal information that a business holds on them
  • The right to know what personal data a business plans on collecting from them before the point of collection
  • The right to opt in or out of marketing, analytics, and other similar activities
  • The right to equal services without discrimination
  • The right to request deletion of personal data

There's also a duty placed on businesses offering goods and services to Californians to inform consumers of these rights. You can comply with your obligations under the CCPA in various ways, and luckily, they're all fairly straightforward. To fulfil your obligations under the Act, you should:

  • Draft and publish a Privacy Policy
  • Include clauses in the Privacy Policy that inform consumers of their rights
  • Tell consumers about their rights before you collect any personal data from them
  • Make it easy for your consumers to find your Privacy Policy

The CCPA: Who it Applies to

If you run a business, you're probably wondering - does the CCPA apply to every business? The short answer is no, but the reality is that many businesses are affected by it.

You have to comply with the CCPA if you run a for-profit business, do any business in California, and any one of the following conditions applies to you:

  • You have gross annual takings in excess of $25 million,
  • 50% or more of your annual revenue comes from the data you sell that belongs to Californians, or
  • You process, receive, or transfer data from over 50,000 visitors each year

Let's consider what this means. Firstly, the CCPA doesn't apply to you if you run a charity or a non-profit. If you run a for-profit company, the Act applies if you, for example:

  • Make $20 million a year, but 80% of your revenue comes from selling data belonging to Californians
  • Receive 51,000 visitors to your site each year and you don't sell any personal data

The Act wouldn't apply if, for example, your gross annual takings are $15 million, you don't sell data, and you only receive 20,000 visitors each year. To read the rules for yourself, you can find these terms set out in more detail in Section 1798.140 of the CCPA:

California Legislative Info: CCPA Section 1798.140 - Definition of who the act applies to

It makes sense to comply with the CCPA however big your business is because it's very similar to the GDPR, and it's extremely likely that your business is already obligated to comply with this Act.

If you're unfamiliar with data privacy laws, you might be wondering what exactly is meant by "personal information." Let's take a look.

What is Personal Information?

Personal information is fairly easy to categorize. Basically, personal information is any information which can be used to identify an individual, their family, or their home address. Examples of personal information include:

  • Home address
  • Email address
  • IP address
  • Name
  • Date of birth
  • Passport or social security number
  • Biometric data
  • Geolocation and other location data

There's a bigger breakdown of examples of personal information in Subsection O of Section 1798.140:

California Legislative Info: CCPA Section 1798.140 - Definition of personal information

Note that this list is non-exhaustive, meaning there are other pieces of information which could be classified as personal data.

Consumer Rights Under the CCPA

As we've mentioned, there are five categories of rights granted to Californian consumers under the CCPA. These rights are to:

  • Access
  • Knowledge
  • Consent
  • Equality
  • Deletion (also known as the right to be forgotten)

We can now break down each of these broad rights in turn and give you tips on how to comply with them through your Privacy Policy.

CCPA Consumer Right #1: Right to Access

It's a basic tenet of the CCPA that consumers have the right to access the personal information that a business holds on them. In other words, consumers can access:

  • What information a business collects from them
  • Why the business collects this data
  • Where the information comes from
  • Third party apps or businesses the company shares the data with

The applicable clause is Section 1798.100:

California Legislative Info: CCPA Section 1798.100 - Right to access

So, how do you comply with this access right? By including certain clauses in your Privacy Policy. It's helpful to look at an example of a real Privacy Policy to see how this works.

Access Rights: How to Comply in Your Privacy Policy

The good news is that you don't need lengthy, complicated clauses in your Privacy Policy to comply with a right of access.

Here's an example from Cancer Research UK. It may be a charity, but it's an example of a very clear and concise access clause that's simple to understand and straightforward in its terms. Clarity and user-friendliness are key to complying with the CCPA:

Cancer Research UK Privacy Statement: Right to access your personal information clause

Cancer Research UK's clause tells people that:

  • They have a right to access the information held on them
  • They can ask for a copy of the personal data stored on them
  • There are at least two ways the individual can contact the company to access the data

In terms of legal exceptions, there are very few instances where a company can legally withhold information from a user. The exception typically only applies when, for example, you're storing the data to handle a complaint or lawsuit, or the consumer makes numerous repetitive demands to see their data within a short space of time.

Here's a commercial example, from BMW. You'll note that again, it's a short clause, but there's more information on what specific rights of access consumers have. Contact details are a little further down the page, which is still CCPA-compliant:

BMW Legal Notice: Right to information clause

Top tip: Include a simple clause that tells customers exactly how they can contact you to find out what information you store on them, and why.

CCPA Consumer Right #2: Knowledge

Just as important as the right of access is the right to know that a business collects personal information in the first place, and why this collection is necessary. You may see this right also referred to as the right of notice, and it means the same thing.

Essentially, consumers have a right to know:

  • What categories of personal information you plan on collecting from them
  • Why the collection is necessary
  • Who you intend to share the personal information with, and why
  • How they can opt out of anything other than essential data collection (that includes, for example, collecting personal data to complete a transaction and arrange goods delivery)

It's important to note that consumers should be told about these rights before the information is collected. It's also worth noting that the consumer must be re-informed if you plan on changing the amount of data you collect or if you want to change who you're sharing it with.

Here's how you can break these rights down in a clear but comprehensive Privacy Policy clause.

Right to Knowledge: How to Comply in Your Privacy Policy

First, you should give consumers access to your Privacy Policy as soon as they land on your site, before you collect any personal information. You can do this through a pop-up notice, but you at least need to have a static link, usually in the website footer.

Here's an example from Waterstones, where a pop-up notice lets users know the Privacy Policy was recently updated and links to the Policy:

Waterstones Cookie Notice with Privacy Policy link

The Privacy Policy is also linked in the website footer:

Waterstones website footer with Privacy Policy link highlighted

The Privacy Policy sets out, in detail, what personal information Waterstones collects, and how it is used. You'll see that Waterstones uses bullet points and short paragraphs to make it easy for consumers to read the clauses.

First, the types of personal information collected are broken down:

Waterstones Privacy Policy: Personal information collected clause

Then it's explained why this information is collected:

Waterstones Privacy Policy: Why personal information is collected clause

Next, the categories of third parties to whom the personal data is disclosed, and why, are included:

Waterstones Privacy Policy: Who we share personal information with and Legal basis clauses

Top tip: Always give clear and concise explanations for why you collect data and what data you collect. Make this obvious from the moment the consumer lands on your page by using a pop-up box, or at least a link to your Privacy Policy in your website footer.

CCPA Consumer Right #3: Consent

Under the CCPA, every consumer has the right to object to you selling their data to any third party, for any purpose. Moreover, if a consumer tells you that you can't sell their data, you can't ask them for their consent again for at least 12 months from the day they give you their objection.

You can read about this right in Section 1798.120 of the CCPA:

California Legislative Info: CCPA Section 1798.120 - Do not sell personal information section

It's common for businesses who do not sell personal data to third parties to also disclose this in their Privacy Policy.

Here's an example from AVG which is specifically targeted at Californians:

AVG Privacy Policy: Categories of third parties with whom the business shares personal information clause

Top tip: If you plan on selling customer personal data, you must obtain their consent before doing so. If you don't sell customer personal data, which nowadays is the more common position, it's good to highlight this so that customers know they can trust you with their data.

CCPA Consumer Right #4: Equality

At the heart of consumer rights under the CCPA is the right to non-discrimination. In other words, you can't discriminate against a consumer for refusing to consent to marketing or other non-essential data collection, including Google Analytics.

Examples of discrimination would include:

  • Refusing services
  • Offering discounts or other incentives to customers just because they consent to marketing
  • Providing a lesser level of service or lesser quality goods

Here's an example from a Privacy Policy to show you how this clause works in action.

Right to Non-Discrimination: How to Comply in Your Privacy Policy

You don't need to include a lengthy clause for non-discrimination. It's sufficient if you mention that you don't discriminate against customers for exercising their rights, such as in this Privacy Policy clause from Converse:

Converse Privacy Policy: Managing your personal data clause

Top tip: Use short sentences and clear, unambiguous language when you're drafting these clauses.

CCPA Consumer Right #5: Deletion

Every consumer has the right to be forgotten by your business. A consumer can request that you delete information they provided to you at any time. You don't have to delete data in limited circumstances, including:

  • You've identified a security incident
  • You're raising or defending a legal claim

Let's see how this works in AVG's Privacy Policy.

Right to Deletion: How to Comply in Your Privacy Policy

AVG sets out a very brief but effective clause in its Policy that addresses the right to be forgotten. Note how it explains that the company is entitled to keep the data if it's necessary to protect its interests, such as in court proceedings:

AVG Privacy Policy: Right to erasure clause

This is a simple yet great clause because it protects AVG's right to keep the data without infringing on the consumer's right to deletion.

Top tip: Ensure that consumers know they can request erasure of their personal data at any time, but there are times when you can't comply with this request. This reduces the chance of confusion for the consumer.

Conclusion

To summarize, the CCPA affords Californian consumers many new rights over their personal data. These rights include the right to:

  • Fair and equal treatment, regardless of whether they consent to marketing
  • Know what personal data a business holds on them, and for what purpose
  • Know who a business shares this data with, and why
  • Request that their data be deleted
  • Refuse consent to marketing, and to opt-out from having their data sold to third parties

Consumers can ask to see the personal data you hold on them at any time, and in most cases, you must comply with their request.

You can comply with your responsibilities under the CCPA by drafting and publishing a CCPA-compliant Privacy Policy and placing a link to this Policy in a pop-up when the customer lands on your page, and by leaving a link to the Policy in your website footer that can be accessed at any time.

Last updated on 20 April 2020
