California’s new consumer privacy law uncovered, Part 3

In this third part of our four-part series on California’s Consumer Privacy Act (the “Act”), which is effective January 1, 2020, we discuss Covered Businesses’ obligations to consumers in relation to the new consumer data privacy rights under the Act.

The Act creates five data privacy rights for consumers in relation their Personal Information (“PI”):[1]

1. the right to know what PI is being collected;

2. the right to access their PI that is collected by a business;

3. the right to delete their PI;

4. the right to opt out of the sale of their PI;

5. the right to equal service.

1.     The Right to Know

A consumer has the right to know what information Covered Businesses collect about them. Under the Act, a consumer can request that a business that collects a consumer’s PI disclose to that consumer the categories and specific pieces of PI the business has collected about them. A consumer also has the right to request that businesses that disclose or sell PI provide information regarding such practices.

In turn, Covered Businesses have several affirmative obligations to consumers to effectuate the right to know.

First, a Covered Business must disclose, through its online privacy policy or, if the business does not maintain those policies, elsewhere on its website (and update that information at least once every 12 months), the following:

• At or before the time of collection, the PI the business will collect about its consumers and the purposes for which such data will be used;

• The categories of consumer’s PI that were actually collected in the preceding 12 months;

• The categories of consumer’s PI that were sold or disclosed for business purposes in the preceding 12 months; and

• How a consumer can exercise his or her right to know about the collection and sale or other disclosure of their PI.

A business is not obligated to provide this information to the same consumer more than twice in a 12-month period.

Covered Businesses must also respond to verifiable consumer requests with individualized disclosures about the business’s collection, sale or disclosure of the PI of the consumer making the request.[2] A business must make available to consumers at least two methods for submitting such requests for information, including a toll-free telephone number and, if the business maintains a website, a website address. 

Upon receipt of a verifiable consumer request, the business must disclose:

• The categories of PI that the business collected about the consumer;

• The categories of PI that the business sold about the consumer and the categories of third parties to whom the PI was sold;

• The categories of PI that the business disclosed about the consumer for a business purpose;[3] and

• The business purpose for collecting or selling the PI.

If the consumer’s request relates only to the sale of PI, as opposed to the collection of PI, the business need not disclose the source(s) of the PI.

The business’s disclosure of the above information in response to a verifiable request must be free of charge and delivered within 45 days of receiving the consumer’s request. The disclosure shall cover the 12-month period preceding the business’s receipt of the request and shall be delivered in writing in a readily usable format that allows the consumer to transmit the information from one entity to another without hindrance. The disclosure must be delivered through the consumer’s account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business.[4]

2.     The Right to Access

The Act also provides consumers the right to access the PI that is collected by a Covered Business. A consumer can request a copy of the specific PI that a business retains about him or her to be delivered by mail or electronically, free of charge. If provided electronically, the information must be portable, and if technically feasible, in a readily useable format that allows the consumer to transmit the information to another entity without hindrance. The business is obligated to respond to no more than two right-to-access requests in a 12-month period.

The right to access does not apply to information collected in a single transaction, as long as the information is not sold or retained for the purpose of linking it to PI.

3.     The Right to Deletion

A business must honor a verifiable consumer request for deletion of any PI that the business has collected from the consumer. The business must delete the PI from its business servers and service providers. However, the deletion right does not apply when the business needs the PI to:

• Complete the transaction for which the business collected the PI, or provide a good or service requested by the consumer, or otherwise perform a contract between the business and the consumer;

• Detect and maintain data security;

• Debug to identify and repair errors;

• Exercise a legal right, including the right to exercise free speech by the business or another consumer;

• Comply with the California Electronic Communications Privacy Act;

• Engage in public or peer reviewed scientific, historical, or statistical research in the public interest when deletion would render it impossible or seriously impair the achievement of such research; or

• Comply with legal obligations

Businesses can maintain PI for internal use, as long as that use is compatible with the context in which the PI was provided, or it is reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business, subject to the business clearly advising the consumer at the time their PI is collected of its potential uses.

4.     The Right to Opt Out

The Act enables consumers to opt out of the sale of their PI. A consumer can direct a business that sell PI about the consumer not to sell the consumer’s PI. Once a consumer opts out, the business must honor the opt-out request for at least 12 months, but subsequently may sell the consumer’s PI if the consumer provides his or her express permission.

The Act also regulates the sale of PI collected from underage consumers. If the business has actual knowledge that the consumer is under 16 years old, the business may not collect his or her PI unless the consumer has affirmatively authorized the sale of PI, or “opted in.” If the minor is under 13, a parent or legal guardian must authorize the sale of the minor’s PI. A business that willfully disregards the consumer’s age is deemed to have had actual knowledge of the consumer’s age.

The business must provide a clear and conspicuous link on its website homepage, titled “Do Not Sell My Personal Information,” that enables a consumer to opt out of the sale of the his or her PI.[5] The business must also describe the right and include a link to the opt-out page in their privacy policy, and ensure that all individuals responsible for handing consumer inquiries about privacy practices and CCPA compliance are informed of the opt-out requirements and how to assist consumer to exercise that right. A business cannot require a consumer to create an account in order to direct the business not to sell his or her PI.

5.     The Right to Equal Service

The Act prohibits discrimination against consumers who exercise their rights under the Act, including by:

• Denying goods or services to the consumer;

• Charging different prices for goods or services, including through the use of discounts or other benefits or imposing penalties;

• Providing a different level or quality of goods or services to the consumer; or

• Suggesting that the consumer will receive a different price for goods or services or a different quality.

A business may charge a consumer a different price, or provide a different level of quality of goods or services if that difference is reasonably related to the value provided to the consumer by the consumer’s PI. However, a business may offer financial incentives for the collection, sale, or deletion of PI if the consumer provides the business prior opt-in consent which clearly describes the material terms of the financial incentive program, which may be revoked at any time.

Under the Act, a Covered Business must ensure that all individuals responsible for handling consumer inquiries about the business’s compliance with the Act are informed of the Act’s requirements, and of how to direct consumers to exercise their rights under the Act.

[1] Please refer to Part 2 of this Series which discussed the definition of Personal Information under the Act.

[2] “Verifiable consumer request” means a request that is made by a consumer, but a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized to act on the consumer’s behalf, and that the business can reasonably verify to be the consumer about whom the business has collected PI.

[3] The Act defines “business purpose” to mean use that is reasonably necessary and proportionate to achieve the operational purpose for which the PI was collected or processed.

[4] The business cannot require that a consumer create an account in order to make a verifiable request.

[5] The business could post this link on its national website or California-specific webpage.

If you have any questions concerning whether the Act applies to your business and the consumer information it collects, uses, sells or discloses, please reach out to an MLG attorney to assist you.

Read the full series:

Part 1: Addresses businesses and consumers are covered under the CCPA.
Part 2: The CCPA’s expanded definition of “personal information”, and some of its limitations and exemptions.
Part 3: Covered Businesses’ obligations to consumers under the CCPA.
Part 4: The CCPA’s enforcement framework and penalties for violations.
Amendments: What you should know about the September 2018 Amendments to the CCPA.

Author: Caitie Emmett, Associate.

The Maier Law Group helps companies ensure that their policies and practices comply with the relevant workplace regulations.  Please contact us at info@maierlawgroup.com for more information.

This article has been prepared for general informational purposes only and does not constitute advertising, solicitation, or legal advice. If you have questions about a particular matter, please contact the Maier Law Group directly.