Data Privacy in California: Consumer Rights Under The California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. Is your business prepared and in compliance with the new law?
In Part One of our CCPA series, we provided an overview of the law, and in this Part Two of the series, we review the rights granted to California residents under the CCPA and the corresponding obligations for businesses. The business regulations under these rights and obligations are expansive, and the proposed regulations from the Attorney General’s office may provide additional requirements. Accordingly, we cannot cover or discuss in full detail here all of the rights, obligations, and requirements that may impact your organization, so always consult counsel with any specific questions relating to your particular business and practices.
Rights granted to consumers under the CCPA
The CCPA grants California residents unprecedented rights that are intended to give consumers a greater ability to control their personal data amid the proliferation of companies profiting from data that consumers may not even realize they have disclosed and/or consented to disclose. Businesses, in turn, have obligations to consumers under the CCPA that correspond to these rights.
Consumer rights in the CCPA can be formulated in slightly different ways, but generally can be divided into the following categories:
The Right to Notice
Probably the most obvious and fundamental right that consumers have under the CCPA is the right to notice, and folded into this concept is the right to know what data is being collected from consumers and the purposes of that collection. Consumers can expect to receive a deluge of notifications in the New Year.
The CCPA sets forth specific disclosures that businesses must include in their notices of collection. For example, under the CCPA, businesses must inform consumers at or before the point of collection what categories of personal information will be collected and the purpose for which these categories and information will be used. If a business were to collect additional categories, or collect personal information for a new purpose, it must also provide new notice of such collection and its purpose. This requires ongoing efforts to identify changes in collection or use of previously collected personal information.
An organization that does not collect information directly from consumers generally does not need to provide such a notice, but before it can sell a consumer’s personal information, it must inform the consumer that it is going to do so or verify with the source of the consumer information that notice was given. The right to know categories of third parties also applies—i.e., third parties must also give consumers explicit notice and an opportunity to opt out before re-selling personal information that the third party acquired from another organization.
The CCPA also sets forth specific disclosures that businesses must include in their privacy policies, including descriptions of consumer rights and how to exercise them.
1. The Right To Access
A corollary to the right to notice is the right to access. Under the CCPA, consumers have the right to request that a business disclose the categories of personal information collected, the categories of sources from which personal information is collected, the business or commercial purpose of the collection, the categories of third parties with whom the business shares personal information, and the specific pieces of personal information the business holds about a consumer. If a business sells personal information or discloses it for business purposes, consumers have the right to request the categories of information being sold or disclosed to other parties. In most instances, consumers are limited to two requests for data access information under the CCPA per year per organization and for a period of no more than the prior twelve months.
Under the Attorney General’s proposed regulations, businesses must acknowledge receipt of the requests for data (or deletion, below) within ten (10) days of the request. Businesses would then have forty-five (45) days to respond to requests for data access or provide notice that it will take longer (up to 90 days) and an explanation for the extended response period. Businesses would also be required to provide the data free of charge, unless the request is manifestly unfounded or excessive. However, certain information may be exempt. For example, the Attorney General’s proposed regulations specify that businesses are not required to provide information that would create a substantial or unreasonable security risk, and do not have to disclose certain sensitive information (like a social security number).
Businesses are also required to (1) verify the identity of the consumer making the request, (2) not release information to other parties claiming to be a consumer, and (3) ensure that any information transmitted to the consumer is done in a reasonably secure way.
2. The (Qualified) Right To Request Deletion
Consumers have the right to request deletion of personal information collected by a business, provided the consumer makes the request to the business that actually collected the information from the consumer. There are some limited exceptions to this right. For example, businesses do not need to delete information if the business needs the consumer’s personal information for a reason related to the business, such as providing goods or services to the consumer, complying with other legal requirements, detecting security incidents, conducting research, exercising free speech, protecting or defending against legal claims, or for internal operations the consumer might reasonably expect.
The parameters, limitations, and application of many of these exceptions are vague and fact-specific to your business, particularly with respect to a consumer’s reasonable expectation. For example, in determining whether a particular exception applies, businesses will have to determine the expectations of their particular consumers, decide how to handle the fact that personal information may be replicated many times and used for different purposes, and consider who in the organization will make decisions regarding CCPA requests and whether any exceptions apply, and how those decisions will be made. Accordingly, businesses should consult legal counsel for assistance in determining whether and to what extent a particular exception applies.
3. The Right To Opt-Out
Consumers also have the right—at any time—to direct businesses that sell personal information about the consumer to third parties to stop the sale of their personal information. If a consumer is a minor, the CCPA conversely provides for a right to opt in to the sale of data (exercised by the minor if the consumer is between 13 and 16 years of age, or by the minor’s parent or guardian if the consumer is under 13 years old). Businesses must wait at least 12 months before asking consumers to opt back in after a consumer has chosen to opt-out.
“Sale” in the context of consumer personal information is defined very broadly under the CCPA. Businesses should undertake a careful evaluation of what consumer information they are disclosing to third parties, and whether any of it could qualify as a “sale” under the CCPA so that a right to opt out is provided in their notices and privacy policies.
4. The Right To Equal Treatment/Nondiscrimination
The CCPA prohibits businesses from discriminating against consumers by denying goods or services, charging a different price or rate for goods or services, providing a different level or quality of goods or services, or suggesting that they will do any of these things based upon a consumer’s exercise of any CCPA rights. Consumers that exercise their rights under the CCPA must be treated equally and have a right to equal services and prices.
However, the right to equal services and prices does not place any restrictions on an organization’s ability to collect information or deny service if a consumer does not want to participate in collection; it only applies once the consumer exercises specific CCPA rights.
The Proposed Attorney General Regulations
On October 10, 2019, the Attorney General’s office released a draft of the proposed regulations to attempt to answer some of the many questions surrounding the CCPA and clarify businesses’ obligations. However, critics have argued that the proposed regulations only add to the confusion surrounding the CCPA rather than resolve it. The proposed regulations are currently in the comments stage, which ends on December 6, 2019, and final regulations are expected by July 1, 2020, at the latest.
The draft regulations cover a lot of ground, but selected highlights include provisions that seek to clarify notice requirements (including providing a notice of financial incentive for consumers that could choose to opt-in to share information in order to receive financial benefit or a favorable price service difference), require that businesses use “reasonable security measures” when providing personal information to consumers, prohibit businesses from disclosing certain sensitive identifying information, provide detail on the opt-out procedure and shortened timelines for businesses to respond under certain circumstances, and set forth methods for verifying consumer requests.
Contact the attorneys at Atkinson Andelson Loya Ruud & Romo to help you navigate the very complex regulations of the CCPA and ensure your business is ready and CCPA-compliant. If your business is faced with a CCPA enforcement action or lawsuit in the New Year, AALRR has a team of data privacy litigators well-versed in the CCPA and related law ready to step in and defend you.
More to come—stay tuned for Part Three of this series, where we will be discussing exceptions to the CCPA.
The authors will also be presenting on the CCPA at the San Gabriel Valley Economic Partnership Power Lunch on November 14, 2019. If you are interested in attending, you may register online with the San Gabriel Valley Economic Partnership here.
This AALRR publication is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR presentation does not create an attorney-client relationship. The Firm is not responsible for inadvertent errors that may occur in the publishing process.
© 2019 Atkinson, Andelson, Loya, Ruud & Romo