First signed into law in 2018, the California Consumer Privacy Act (CCPA) was the first comprehensive consumer data privacy law to be enacted in the U.S. The law created an array of consumer privacy rights and business obligations regarding the collection and sale of personal information.
The CCPA was significantly amended and expanded in 2020, when California voters approved by ballot measure the California Privacy Rights Act (CPRA), sometimes referred to as “CCPA 2.0.” The two California consumer privacy laws have already had a profound impact on how businesses handle consumer data in the country’s most populous state – and largest economy.
What data privacy rights do consumers have in California?
The CCPA created six specific rights for consumers:
- The right to know (request disclosure of) personal information collected by the business about the consumer, from whom it was collected, why it was collected, and, if sold, to whom. This includes the right to access specific pieces of personal information as well as the right to data portability (receive the personal information in a transmittable format).
- The right to delete personal information collected from the consumer.
- The right to opt out of the sale of personal information (if applicable).
- The right to opt in to the sale of personal information of consumers under the age of 16 (if applicable).
- The right to nondiscriminatory treatment for exercising any rights.
- The right to initiate a private cause of action for data breaches.
The CPRA created two additional rights:
- The right to correct inaccurate personal information.
- The right to limit use and disclosure of sensitive personal information.
In addition to establishing two additional consumer data rights, the CPRA amended certain rights first created in the CCPA:
- Expanded the right to know to include personal information shared by the business.
- Expanded the right to opt out to encompass the sharing of personal information.
- Struck the right to opt in, but still requires consumers under the age of 16 to “affirmatively authorize” the sale or sharing of personal information.
When can consumers ask businesses to delete their personal information under the CCPA?
The CCPA establishes a consumer’s right to request that a business delete any personal information collected from them and requires businesses to inform consumers of this right. Any business that receives such a request from a consumer must delete, and direct any third-party service providers to delete, the consumer’s personal information from its records.
However, this right is not absolute. A business or service provider is not required to comply with a consumer’s request for deletion under certain circumstances, including where the consumer’s personal information is needed to:
- Complete the transaction for which the personal information was collected.
- Provide a good or service requested by the consumer.
- Detect security incidents.
- Debug or repair errors that impair functionality.
- Exercise free speech.
What obligations do businesses have to facilitate consumer requests to disclose or delete personal information under the CCPA?
The CCPA gives consumers certain basic rights, such as the right to request disclosure or deletion of personal data. In general, covered businesses must make available to consumers at least two methods for submitting requests, including, at a minimum, a toll-free telephone number.
Online-only businesses that have a direct relationship with the consumer need only provide an email address for submitting requests. If the business maintains a website, it must make the website available to consumers to submit requests.
What are the nondiscrimination provisions of the CCPA?
Covered businesses are prohibited from discriminating against consumers for exercising their rights under the CCPA. A business cannot do any of the following because a consumer exercised his or her CCPA rights:
- Deny goods or services to the consumer.
- Charge the consumer different prices or rates for goods or services.
- Provide different levels or quality of goods or services to the consumer.
- Suggest that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
However, a business may charge a consumer a different price or rate – or provide a different level of goods or services to the consumer – if that difference is reasonably related to the value provided to the business by the consumer’s data. Businesses also may offer financial incentives for the collection, sale, or deletion of personal data, provided consumers are notified about the financial incentives and those incentive practices are not “unjust, unreasonable, coercive, or usurious in nature.”
Can consumers file suit for personal data breach under the CCPA?
Consumers may bring a civil action if their nonencrypted and nonredacted personal information (as defined under California’s “reasonable security” law) is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’ failure to implement and maintain reasonable security procedures and practices.
How long do businesses have to rectify damages from a breach?
If pursuing statutory damages, a consumer first must provide 30 days’ written notice to the business identifying the provisions allegedly violated and give the business 30 days to cure the violation. If the violation is cured within 30 days and the business provides the consumer with a written statement indicating that the violation is cured and that no future violations will occur, then no action for damages may be initiated. But if a business subsequently violates the law in breach of its written statement, the consumer may initiate an action to enforce the written statement and pursue statutory damages.
Navigate consumer data privacy laws and requirements with confidence
As the first consumer data privacy laws of their kind in the U.S., the CCPA and CPRA are likely to be a model for other states considering similar legislation. Provide sound counsel to your clients and stakeholders on the changing landscape of data privacy and security laws with the latest news and analysis, Practical Guidance, and more from Bloomberg Law.