Guide to the California Consumer Privacy Act: Protection for Your Personal Data

What Rights Do Californians Have in their Personal Information and Data?

As of January 1, 2020, California consumers have many new rights of privacy and rights in their personal information. This is due to the new California Consumer Privacy Act (CCPA). Some are calling it the “GDPR” of California (referencing the European data privacy law known as General Data Protection Regulation). Here’s the basics.

What is this new “Do Not Sell My Personal Information” button that many websites have now?

The CA Consumer Privacy Act requires companies to make it easy for consumers to opt out of the sale of their info, and delete the info they have. See below for more.

Do I have the right to know what information a business has about me and get it removed?

Starting January 2020, Californians have the following rights under the California Consumer Privacy Act:

  1. Right to know what “personal information” a business has about you (whether collected online OR offline). You have the right to know what information is collected, used, shared or sold, and how they got that information.
  2. Right to have companies delete that personal information. This is often referred to as the “right to be forgotten.”
  3. Right to opt-out or prohibit companies from selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
  4. If you exercise your rights under this law, the company may not discriminate against you in terms of price or services. That means they can’t charge you more or reduce your services.

Businesses must perform these obligations at no charge to the consumer. A consumer may not request information more than twice in a 12 month period.

What specifically do companies need to do to provide these rights to consumers?

Businesses must:

  • provide notice to consumers at or before data collection
  • create procedures to allow consumers to request to know what information the business has on them, to opt-out of sale of their information, and delete their information. For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app
  • treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request
  • respond to requests from consumers to know, delete, and opt-out within specific timeframes
  • verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business. If a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, it must treat a request to delete as a request to opt-out
  • disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value
    of the personal information

How long must a business maintain records?

Businesses must maintain records of requests and how they responded for 24 months (2 years) in order to demonstrate their compliance.

Do the rules apply to all businesses and companies?

The rules do not apply to all businesses. They only apply to those either in California or doing business in California, and that meet any of the following:

  • Has gross annual revenues in excess of $25 million;
  • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; or
  • Derives 50 percent or more of annual revenues from selling consumers’ personal information.

What does “personal information” mean?

“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Personal information includes, but is not limited to, the following:

  • Identifiers such as a real name, alias, postal address, unique personal
    identifier, online identifier Internet Protocol (IP) address, email address, account
    name, social security number, driver’s license number, passport number,
    or other similar identifiers.
  • Characteristics of protected classifications under California or federal
    law.
  • Commercial information, including records of personal property,
    products or services purchased, obtained, or considered, or other purchasing
    or consuming histories or tendencies.
  • Biometric information.
  • Internet or other electronic network activity information, including,
    but not limited to, browsing history, search history, and information
    regarding a consumer’s interaction with an Internet Web site, application,
    or advertisement.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory, or similar information.
  • Professional or employment-related information.
  • Education information, defined as information that is not publicly
    available personally identifiable information as defined in the Family
    Educational Rights and Privacy Act120 U.S.C. section 1232g, 34 C.F.R.
    Part 99)
  • Inferences drawn from any of the information identified in this
    subdivision to create a profile about a consumer reflecting the consumer’s
    preferences, characteristics, psychological trends, preferences,
    predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

“Personal information” does not include publicly available information. For these purposes, “publicly available” means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information.

“Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. Information is not “publicly available” if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. “Publicly available” does not include consumer information that is deidentified or aggregate consumer information

What happens if a company gets hacked and my information is stolen?

Under the California Consumer Privacy Act, you will be able to sue companies if a data breach leads to your unencrypted information being exposed or stolen. 2These rights come from the recently passed California Consumer Privacy Act (CCPA). AB 375 (2018)

Related Pages

See more about Consumer Rights

See more about Internet Law

See more about Privacy Law

See all Legal Guides.


Photo credit: Image by storyset on Freepik

References[+]

Share the Legal Info With Your Friends: