Officially passed in 2018, the California Consumer Privacy Act (CCPA) represents a new set of privacy rights granted to California consumers, which aim to provide individuals with more control over personal information, in addition to more transparency about the use and sale of their data. These rights include the right to know what personal data is being used and how it is shared, the right to delete personal data wherever lawful or reasonable, the right to opt out of the for-profit sale of their data to third parties (with exceptions), and the right to non-discrimination regarding their choice to exercise the above rights. The CCPA is relevant and applicable to most businesses or organizations, including data brokers, that deal with consumers in the state of California.
The CCPA is a significant development in U.S. privacy law regarding personal data, as the expansion of the tech industry has more consumers worried over data breaches and the sale of their personal information to potentially nefarious actors. The law applies to all for-profit businesses or data brokers that “have a gross annual revenue of over $25 million; buy, receive, or sell the personal information of 50,000 or more California households, residents, or devices; or derive 50% or more of their annual revenue from selling California residents’ personal information” (OAG, CA). Such businesses must now give more detailed and prominent explanations about their privacy practices, and may be obligated to respond to requests for access to their data processing activities. Non-profit organizations or government agencies are not subject to these regulations. The CCPA covers most personal data, including name, social security, browser history, purchasing records, geolocation data, and other personal information related to private preferences established through online activities. It does not, however, cover publicly available information associated with government records.
Because the privacy rights covered by the CCPA are new, their practical applications are varied in terms of reliability. For example, directions on how to submit a “request to know” will not be uniform across all businesses and organizations. Still, they are required to provide at least two options for submitting a request, and organizations in full compliance with the CCPA, especially if they operate a website, will be forthcoming about how to submit a request. (A common method is through an email account created specifically for this purpose.) After a request to know has been submitted, the organization has 45 days to respond, but may take up to 90 days if they notify the consumer. Requests to delete information are managed similarly, and adhere to the same deadlines. If a consumer is clearly within their rights designated by the CCPA, a request should typically be granted. The most common reason either request would be denied is if the organization cannot verify the identity of the requester, but other unique exemptions do exist within the legislation.
The right to opt out of the sale of personal information is regulated in a slightly different manner. Organizations in the business of selling data are required to post an unambiguous “Do Not Sell My Personal Information” link on their websites, and must not require a consumer to sign up for an account in order to make this request. Requests to opt out will only be denied if the sale represents a legal obligation for the organization, or if the information is exempt in the legislation, such as medical documentation or credit reporting.
The right to non-discrimination under the CCPA simply states that an organization cannot deny a consumer access to their goods and services in response to a consumer exercising their rights. Unless the sale of a consumer’s data is a necessary component to their service, that is, the transaction cannot be completed without it, the organization is obligated to serve the consumer. Organizations are, however, allowed to offer special promotions and discounts in exchange for a consumer’s participation in their data collection programs, but only “if the financial incentive offered is reasonably related to the value of your personal information.”
OAG CA - https://oag.ca.gov/privacy/ccpa