The CCPA guarantees a number of consumer rights, and businesses need to take steps to ensure compliance. Most of the rights are explicitly enumerated within the text of the CCPA. However, some are implicitly contained within the text. Even though the CCPA is a California law, the consumer rights contained in the CCPA apply to many Tennessee businesses.
Right to Notice
This is perhaps the most significant “implicit” right within the CCPA. The CCPA requires that a business properly notify a consumer about the categories of information it will collect and the purposes for which the information will be used. This notification must occur before a business collects any personal information from the consumer.
Right of Disclosure (Right of Access)
First, consumers have the right to request a business disclose the information it has on the consumer. Upon verifiable request by a consumer, a business must take steps to disclose and deliver the personal information it collects, free of charge. Specifically, the consumer has the right to request that a business that collects personal information disclose:
- the categories of personal information collected;
- the sources from which the information was collected;
- the business or commercial purpose for collecting or selling the information;
- categories of third parties with whom the business shares the information;
- the specific pieces of personal information the business collected about the consumer.
This information can be delivered to the consumer electronically or by mail. However, if it is provided electronically, it must be provided, to the extent feasible, in a portable and readily usable format that allows the consumer to transmit the personal information to another entity without issue.
There are limitations to this right. For one, a business does not have to provide this information to a consumer more than twice in a 12-month period. Likewise, a business does not have to retain personal information that is collected for a single one-time transaction if the information is not sold or retained by the business, or to re-identify or otherwise link information that is not maintained in a manner that would be considered personal information.
Additional Disclosures When Businesses Sell Information to a Third Party
While the above applies to businesses that collect a consumer’s personal information, there are additional rights to disclosure under the CCPA when the business sells a consumer’s information to third parties, or otherwise discloses a consumer’s information for business purposes. In these cases, the business, upon request, must also disclose to the consumer:
- The categories of personal information that the business collected about the consumer;
- The categories of personal information that the business sold about the consumer;
- The categories of third parties to whom the personal information was sold;
- The categories of personal information sold to each category of third parties;
- The categories of personal information that the business disclosed about the consumer for a business purpose (or the fact that it has not done so).
If a business sells personal information to a third party, then that third party cannot sell the information unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out.
Right to Delete
The consumer has the right to request that a business delete any personal information about the consumer the business has collected. Upon receipt of a verifiable request, the business must:
- Delete the information; and
- Direct any service providers to delete the information from their records.
Deletion is not required, however, if either the business or a service provider needs the information to:
- Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer;
- Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
- Debug to identify and repair errors that impair existing intended functionality;
- Exercise free speech, ensure the right of another consumer to exercise his/her right of free speech, or exercise another right provided for by law;
- Comply with the California Electronic Communications Privacy Act;
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest;
- Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business;
- Comply with a legal obligation;
- Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
Right to Opt-Out
Under the CCPA, consumers also have the right to opt out of the sale of personal information by a business. Businesses must provide a clear and conspicuous link on their homepage, titled “Do Not Sell My Personal Information,” to allow a consumer to opt out of the sale of their personal information. This form must be reasonably accessible. Accordingly, businesses cannot require consumers to create an account to opt out. If a consumer has elected to opt out, a business must wait at least 12 months before it can request that the consumer allow it to sell the personal information.
Right to Opt-In
In addition to the right to opt-out, there also exists a right to opt-in. This right applies to younger consumers. A business cannot sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age. However, if the consumer is at least 13 years old (but still less than 16), a business can sell their information if the consumer affirmatively authorizes the sale. Additionally, if the consumer is less than 13 years old, a business can sell their information if the consumer’s parent or guardian affirmatively authorizes the sale.
Disregarding these opt-in/opt-out distinctions can lead to adverse consequences for the business. Any business that willfully disregards the consumer’s age is deemed to have had actual knowledge of the consumer’s age.
Right Not to Be Discriminated Against
Businesses are prohibited from discriminating against a consumer for exercising rights under the CCPA, including but not limited to, by:
- Denying goods or services to the consumer;
- Charging different prices or rates for goods or services, including the use of discounts or other benefits or imposing penalties;
- Providing a different level or quality of goods or services to the consumer; or
- Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
This prohibition does not prohibit a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data. Additionally, businesses may offer financial incentives, including payments to consumers as compensation, for the collection of information, the sale of personal information, or the deletion of information. Similarly, the price, rate, level, or quality of goods or services offered under these incentives may differ if the difference is directly related to the value provided to the business by the consumer’s data. If a business offers financial incentives, it must notify customers of them, and can only enter a consumer into a financial incentive program if the consumer gives the business prior opt-in consent that clearly describes the material terms of the financial incentive program. This consent may be revoked by the consumer at any time.
To ensure consumers can exercise their rights under the CCPA, the business must also ensure it has protocols in place to respond to requests under these rights within 45 days of receiving the request (unless extended with notice to the customer). These protocols include providing consumers with at least two designated methods for submitting requests for information. At a minimum, businesses must provide a toll-free telephone number. If the business has a website, then it must also provide a website address where consumers can submit a form. However, a business that operates exclusively online and has a direct relationship with a consumer is only required to provide an email address for submitting requests. This information must be disclosed in the business’s online privacy policy or in any California-specific description of consumers’ privacy rights, and must be updated at least once every 12 months. A business may take appropriate steps to verify requests, but time for verification does not automatically extend the 45-day window.