CCPA: consumer rights for Californian residents
The California Consumer Privacy Act (CCPA) provides California residents with five core rights to data privacy and autonomy, and an additional private right of action for compensation in the event of data breaches.
The core CCPA rights consist of the:
- right to opt out
- right to notice (also known as right to be informed)
- right to disclosure
- right to deletion
- right to equal services and prices
What these rights concern is the personal information of Californian residents, defined in the CCPA as:
“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA rights carve out a place for consumers, i.e. California residents, in the giant ad tech market of data collection centered in and around Silicon Valley, wherein they can assert ownership over the data already collected and control what data can be collected in the future.
Let’s have a look at each individual CCPA right and what consequences they have for consumers and businesses.
CCPA: right to opt out (1798.120)
Under this CCPA consumer right, California residents have the right to request that a business stops selling their personal information to third parties.
Sale is defined broadly in the CCPA to include “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating” the personal information of California residents.
Businesses that “sell” the personal information of more than fifty thousand California residents per year will be obligated to comply with the CCPA, regardless of where in the world the business is located.
If a business is able to verify the request as coming from the consumer in question, they are obligated to stop any further sales of that consumer’s personal information to third parties.
To comply with the right to opt out, businesses must feature on their website a Do Not Sell My Personal Information link for consumers to easily exercise this right.
A business is prohibited from asking a consumer to create an account in order to exercise their right to opt out of data sales; however, businesses might be able to require consumers who already have an account with the business to direct the request through their account.
Minors under the age of 13 have additional CCPA rights here, as businesses are required to obtain the opt-in from parents or legal guardians before any collection or sale of their personal information is allowed.
If the consumer is between the ages of 13 and 15, the consumers themselves can opt in, and businesses are prohibited from collecting or selling their personal information before they have done so.
CCPA: right to notice (1798.100.b)
Under this CCPA consumer right, businesses are obligated to inform their customers at or before the point of collection of what categories of personal information they are collecting, including the purpose of the collection.
This means that California residents have the right to know what a business collects, and how and why they use the personal information collected.
Businesses must give consumers notice every time they begin collecting new forms of personal information (new categories) and if they start collecting personal information for new purposes.
Another part of this CCPA right is Californian residents' right to know and be informed about their CCPA rights.
This means that businesses must “disclose the consumer’s right to request deletion.”
CCPA: right to disclosure (1798.110)
Under this CCPA consumer right, California residents have the right to request that a business disclose what personal information they have collected on them in the past twelve months.
Upon the receipt of a verifiable request, a business must disclose to the consumer the categories of personal information collected, the categories of sources from which the personal information is collected, the purpose of collection, the categories of third parties with whom the data has been shared, and the specific pieces of personal information collected.
As a part of this CCPA right, consumers have a right to get a free copy of their personal information disclosed in a readily usable and readable format (known as data portability).
California residents also have the right to have at least two ways to request disclosure of their personal information, including a toll-free telephone number or a link/e-mail on the business’ website.
CCPA: right to deletion (1798.105)
Under this CCPA consumer right, California residents can request that a business delete the personal information it has collected on them in the past twelve months.
If the request made by the consumer can be verified, the business is legally required to delete the consumer’s personal information from its records and direct any service providers to delete the data too.
There are certain exceptions to this CCPA deletion right, e.g. if the personal information is necessary for a business to detect security incidents, exercise free speech, engage in public or peer-reviewed studies or comply with legal obligations.
CCPA: right to equal services and prices
Under this CCPA consumer right, California residents are protected against any discrimination that a business might subject them to based on the exercising of their CCPA rights.
This means that if a consumer decides to exercise their right to opt out of having their personal information sold by a business to third parties, the consumer is simultaneously protected by the CCPA rights from getting lower quality services or higher prices from that business because of their decision to opt out.
However, the CCPA does allow businesses to offer financial incentives for goods and services if the differences are reasonably related to the value provided to the business by the consumer’s data.
Cookiebot CMP and CCPA compliance
Cookiebot CMP is a software-as-a-service that scans your website and reveals all cookies and similar tracking technology (both first and third party), so you can know exactly what personal information you collect and “sell” (i.e. make available, disclose or transfer) to third parties.
Once scanned, Cookiebot CMP enables the pausing of all cookies until the end-users have given their consent to which cookies they will allow to be activated.
This way, your business can meet the strong European standards under the GDPR.
Simple configurations combined with geolocation features will change the software to suit the specific data privacy law you need to comply with, so that you can live up to the GDPR towards your users from the EU, and to the CCPA towards consumers from California.
What are the CCPA rights?
The CCPA empowers California residents with the right to opt out of third-party data sales, the right to be informed of data collection and rights, the right to have collected data disclosed, the right to have collected data deleted, and the right to equal services and prices.
What is personal information under the CCPA?
Personal information under the CCPA is any kind of information that can directly or indirectly identify an individual. This includes anything from names, postal addresses and social security numbers to health data, location data, IP addresses, cookies, and search and browser history.
Who is liable under the CCPA?
Companies that fall under the CCPA’s definition of business are required to comply with the CCPA. The CCPA defines a business as a company or for-profit organization that has an annual gross revenue exceeding $25 million or derives 50% or more of its annual revenues from selling consumers’ personal information or buys, receives, sells or shares the personal information of more than 50.000 California residents, households or devices a year.
How to make your website CCPA compliant?
Your website must enable users to exercise their CCPA rights, e.g. you must inform users about your personal information collection practices, inform them how to request disclosure and deletion, and have a clear Do Not Sell My Personal Information link on the website that users can use to opt out of having their data sold to or shared with third parties.