California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is now in effect. If you are a resident of California, you now have the right to:
- Ask a business what they know about you, your devices and your children.
- Opt-out of the sale of your personal information.
- Ask a business to delete your personal information.
- Sue a business if it fails to implement reasonable security measures and your personal information is compromised in a data breach.
Note: Under the CCPA, a business is any entity that either:
- Has annual gross revenue in excess of $25M; or,
- Collects the personal information of 50,000 consumers; or,
- Derives 50% or more of its revenue from selling consumers’ personal information.
The business does NOT need to be located in California.
Right to Know What Personal Information a Business Has Collected About You
- The categories of personal information a business has collected about you.
- The specific pieces of personal information a business has collected about you.
- Whether a business has sold your personal information and, if so, the categories of third parties to whom it has sold your personal information.
- Whether a business has disclosed your personal information for a business purpose and, if so, the categories of service providers to whom it has disclosed your personal information.
Some things to know:
- You may make the request to each business twice a year, free of charge.
- Some businesses provide a form on their website to submit these requests. If you have an account with a business, that business may require you to file your request through the account. However, if you do not have an account, a business cannot require you to create one in order to file a right to know request. Instead, you can contact a business directly (a sample letter is attached below).
- A business has 45 days to respond to your request, although this may be extended for another 45 days for a total of 90 days.
- A business is allowed to ask you for additional information to verify your request. However, they are not allowed to use that information for purposes other than verifying your request.
- A business should respond with:
  - The categories of personal information it has collected about you, and
  - The specific pieces of information it has collected about you.
A business may respond with only the categories if it cannot verify your request; however, it must tell you what additional information it needs in order to verify your request for the specific pieces of personal information.
Right to Opt-Out of the Sale of Your Personal Information
If a business sells your personal information, you may opt-out of the sale of your information. A business that sells personal information must provide two ways for a consumer to opt-out, including through a link on its homepage or mobile app that says “do not sell my personal information” or “do not sell my info.” If you do opt-out, the business is prohibited from selling your personal information.
Some things to know:
- Under regulations issued by the California Attorney General, businesses must respond, “as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.”
- Although a business cannot discriminate against you, it can offer you financial incentives to sell your personal information based on the value of that information to the business.
- The CCPA expands the definition of sell to include “sharing for valuable consideration.” This means that if a business allows third parties to track your personal information on their web site, this is considered selling under the CCPA and you are entitled to opt-out.
- Even if you do not have a direct relationship with a business or if you do not have an account with that business, you may still opt-out of the sale of your personal information. A business is prohibited from requiring you to create an account in order to opt-out.
- Even if you do opt-out, a business may still share your personal information with service providers to perform business purposes. However, the service providers are prohibited from further using your personal information other than for that business purpose.
- You may designate an agent to opt-out on your behalf.
How to Request That a Business Deletes Your Personal Information
Under the CCPA, a consumer has the right to request that a business deletes their personal information. Once a business verifies your request, it must delete your personal information.
Some things to know:
- There are exceptions to your right to delete your personal information. If a business denies your request, the business must tell you why it refused your request to delete your personal information.
- You do not need to have a direct relationship with the business in order to request that business delete your personal information.
- If a business requires you to provide additional information to verify your identity, it is not allowed to use that information for any other purpose.
- Even if a business does not sell personal information but only collects personal information, it must respond to your request to delete your personal information.
- A business is not allowed to charge you for deleting your personal information.
- A business must provide two or more methods for you to request that your personal information is deleted.
- Text of the California Consumer Protection Act (CCPA)
- California Consumer Privacy Act Regulations
- Office of the California Attorney General: California Consumer Privacy Act
- How to File a Right to Know Request on Behalf of a Minor through Common Sense Kids Action
- How to Report a Data Breach to the California Secretary of State’s website
- EPIC analysis of California’s Proposition 24, the California Privacy Rights Act of 2020