California — keeping with its tradition as a groundbreaker in privacy-related legislation in the US — has passed the strictest data privacy law in the nation, the California Consumer Privacy Act (CCPA), which will be enforceable January 1, 2020, onward.
Set to give consumers and users in California (hereafter referred to as “consumers”) greater control over their personal information, this law entitles consumers to five new rights, and imposes corresponding legal obligations on businesses that fall under the scope of the CCPA.
But what are these five rights, and what do they mean for consumers and businesses? Let’s untangle them below.
1. Right to Know
The CCPA empowers consumers by giving them the right to know not only what personal information a business collects about them, but also whether this information is shared with third parties.
This right is a core concept in privacy laws worldwide. Apart from the CCPA, it can also be seen in the EU’s General Data Protection Regulation, India’s Personal Data Protection Bill, and Brazil’s General Data Protection Law, among many others.
Practical Implications
If you’re a business:
In light of this right, you need to create or update your website’s privacy policy, and declare the following in it:
- Categories of personal information you collect from consumers (e.g., identifiers such as names and email addresses)
- Purpose of collecting this information (e.g., email marketing)
- Categories of sources of this information (e.g., the company’s website)
- Whether and why this information is shared with third parties (e.g., to process newsletter signups and to deliver newsletters)
- What type of third parties these are (e.g., marketing automation platforms like Mailchimp)
Once you’ve updated your privacy policy document, don’t close it just yet! You’ll need to make a few more updates, as you’ll find out later in this article.
If you’re a consumer:
To find out what personal information a business collects about you and what it does with this information, review the business’s privacy policy. If you can’t find one, you can file a complaint with the California Attorney General’s (CAG) office.
2. Right to Request Deletion
The text of the CCPA states, “It is almost impossible to apply for a job, raise a child, drive a car, or make an appointment without sharing personal information.” Indeed, in the digital age, simply participating in everyday activities entails the transfer of personal information.
To give consumers more control over their privacy, the CCPA gives consumers the right to request that a business delete any personal information it has collected from them.
Made famous by the GDPR as the right to “be forgotten,” the CCPA brings this privacy concept to the US for the first time.
Practical Implications
If you’re a business:
You need to write in your privacy policy what a consumer needs to do to have their personal information deleted from your system.
Note that the text of the CCPA specifically phrases this right as a right to request deletion, instead of as the right to deletion. This is because you may deny a consumer’s request on the basis of certain exceptions defined in the law.
Familiarize yourself with these exceptions, as you’re required to explain them to the consumer if you deny a request.
If you’re a consumer:
To find out how you can act on your right to request deletion, read the business’s privacy policy. If you can’t find this information or if the business doesn’t respond to you within 45 days, you may bring it to the attention of the CAG.
3. Right to Opt Out of Data Sale
The CCPA brings to consumers a rather unique right: the right to simply tell a business, “do not sell my personal information.”
Through this “Do Not Sell My Personal Information” (DNSMPI) provision, the law gives consumers the right to object to a business selling their personal information to a third party.
“Sell” here doesn’t mean what laypeople usually think it means; the term is defined far more broadly, which restricts how businesses handle data. The CCPA’s definition of sell and selling includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” for a valuable gain (not necessarily monetary).
With Nevada also having a similar provision in its new privacy law, it’s only a matter of time before the DNSMPI clause becomes commonplace across the States.
Practical Implications
If you’re a business:
You need to include a link on your homepage titled “Do Not Sell My Personal Information.” Consumers must be able to find this link easily, so place it somewhere obvious, like in your website’s footer. You’ll also need to update your privacy policy to include instructions on the DNSMPI process and a DNSMPI link.
When acting on DNSMPI requests, keep in mind the broad definition of sell. Even using a free third-party service (e.g., social media widgets) may qualify as “selling” data if you gain “valuable consideration” in exchange for transferring consumer data to that service.
If you’re a consumer:
If you wish to opt out of the sale of your personal data, you’ll simply need to click on the DNSMPI link of a given website and follow the instructions. As with any other right, if you can’t find this link, you can complain to the CAG.
4. Right to Access
When the CCPA becomes enforceable, consumers will gain the right to access the personal information that a business holds about them.
That sounds somewhat similar to the right to know that we discussed earlier. So, what’s the difference?
While a business can comply with the right to know by simply stating the relevant information (i.e., what it could or might collect) in its privacy policy, under the right to access it must provide consumers with copies of the data.
In other words, the right to know pertains to data collection as (or before) it occurs, whereas the right to access pertains to the actual data collected after the fact.
The act of a consumer submitting a request to a business under the right to access is termed a Data Subject Access Request (DSAR).
Practical Implications
If you’re a business:
To facilitate the right to access, businesses have the following legal obligations:
- Make available at least two methods through which consumers can submit their DSARs, including:
– a toll-free telephone number;
– a website address (if your business has a website).
- Respond to each DSAR within 45 days (extendable for a “reasonable” and announced cause for an additional 45 days), at no cost to the consumer, and in the consumer’s chosen format (i.e., electronically or by mail).
- Explain in your privacy policy how to submit a DSAR.
Your DSAR response should explain the following (at the very least):
- Whether your business has personal information about that consumer
- What categories of personal information you have about that consumer
- Why this information is necessary for your business
- Actual copies of the information
If you’re a consumer:
You (or someone you authorize to act on your behalf) can assert your right to access your personal information up to two times in any 12-month period from the same business.
Read a business’s privacy policy to figure out how to submit a DSAR, and if you can’t find this information — you guessed it — bring it to the CAG’s notice.
5. Right to Equal Services and Prices
In essence, this right means that a business can’t discriminate against consumers who opt out of the sale of their data (or act on any of their CCPA rights).
Under the CCPA, “discriminate” means:
a. Refusing to provide goods or services
b. Providing goods or services of different quality or price
c. Implying that you might do (a) or (b) should the consumer opt out
Practical Implications
If you’re a business:
As a business, while consumers asserting their CCPA rights may inconvenience you, you can’t discriminate against them by curtailing their service level or charging them a different price.
There is one exception: you may offer a different level of service or price “if that difference is reasonably related to the value provided to the consumer by the consumer’s data.”
This exemption is rather vague — compliance professionals, consumers, and business owners will need to wait to see how it plays out.
If you’re a consumer:
This right empowers you to act on your CCPA rights without fear of a business retaliating against you.
Summary
With the GDPR in 2018 and the CCPA in 2020, privacy laws worldwide are tasking businesses with increased transparency, accountability, and user control, and affording consumers with more data rights than ever before.
Whether you’re a consumer or a business owner, understanding these rights is in your best interest. Now that you understand the implications of CCPA rights, go ahead and prepare to act on your rights and obligations so that you have the essential updates and systems in place by January 1, 2020.
About the Author: Felix Sebastian
Felix Sebastian is the managing editor at Termly, where he helps business owners generate privacy policies and other important legal documents, implement best business practices, and comply with transnational privacy laws. He specializes in writing and curating compliance guides and law overviews for small business owners. Follow him at @AcademicEditor