Understanding Individual Rights under the California Consumer Privacy Act (CCPA)
On 28th June 2018, the State of California enacted Bill AB-375, a sweeping new privacy bill known as the California Consumer Privacy Act (CCPA). On August 31, 2018, the Legislature passed SB-1121, the first round of expected amendments. SB-1121 delays enforcement of the CCPA and makes other modest amendments. While further amendments are expected, the provisions of the law will become operative on January 1, 2020.
For U.S. companies especially, this law is becoming a compelling event to invest heavily in privacy management throughout the organization. Given the new individual rights within the law (right to request information; right of deletion; right to opt-out and obligations to inform), along with a private right of action, the risk of non-compliance is significant. In this blog, we outline the provisions of the law dealing with individual rights.
The CCPA provides consumers with the right to request the categories of personal information, and the specific pieces of personal information, that the business has collected about the specific consumer, and a business must notify consumers of this fact. Upon receipt of a verifiable consumer request, organizations will have the obligation to provide consumers with details regarding how their data is processed.
Consumers have the right to know the categories of personal information collected, the sources of those categories, business or commercial purposes for collecting or selling personal information, the third parties with whom the data is shared, and the specific pieces of personal information collected.
The CCPA will also prohibit third parties from selling a consumer’s personal information which has been sold to the third party by a business unless the consumer has received explicit notice and an opportunity to opt out.
Under the CCPA, information provided in response to an access request may be delivered by mail or electronically, and if provided electronically, must be “in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance.” As such, the CCPA requires the portability of all personal information.
The CCPA creates a right for consumers to request that a business delete any personal information about the consumer that the business collected from the consumer, and businesses must provide notice of this right in their online privacy notice. This deletion extends to service providers as well.
The CCPA provides consumers with the right, at any time, to opt out of a business’s sale of a consumer’s personal information to third parties. At any time, consumers can request that a business not sell their personal information to a third party. A clear and conspicuous link on the business’s webpage must say, “Do Not Sell My Personal Information.” This link should direct consumers to an opt-out option.
Obligation to Inform Consumers
At or before the collection of personal data, businesses will have the obligation to inform consumers of the categories of personal information to be collected and the purposes of its use. Additionally, consumers must be informed about the right to deletion and the right to opt-out of the sale of their personal information.
The CCPA requires businesses to make at least two methods available for consumers to exercise their access rights, including, at a minimum, a toll-free telephone number and a website (if the business maintains an Internet Web site). Requests should be free of charge and must be addressed within 45 days of receipt. Businesses must respond in writing and include the information from the 12-month period preceding the receipt of the request. If the consumer has an account with the business, the information should be provided through that account.
Nymity has a number of resources to help the Privacy Office comply with the CCPA and has published a CCPA Compliance Toolkit. The Toolkit equips privacy officers with the resources necessary to understand, assess, and develop a plan to achieve demonstrable compliance. For multi-jurisdictional companies, the CCPA represents one more law to comply with. This Toolkit will help organizations that have been focusing on GDPR compliance initiatives to leverage that work for their CCPA compliance initiatives.
Nymity also enables companies to monitor and manage Data Subject Requests efficiently and confidently with the new Data Subject Requests Management Solution. The solution helps ensure that companies meet their legal obligations while taking the guesswork out of preparing responses, which saves time and money. The solution includes customizable response templates that are pre-configured based on jurisdiction.
The DSR Solution also equips companies with the tools to provide demonstrable accountability and compliance. Robust reporting ensures that companies will always be regulator ready, as reports are dynamically updated based on changing regulatory expectations, enabling companies to demonstrate the right compliance for their jurisdiction.