- The right to request disclosure of your business’ data collection and sales practices in connection with the requesting consumer, including the categories of personal information you have collected, the source of the information, your use of the information and, if the information was disclosed or sold to third parties, the categories of personal information disclosed or sold to third parties and the categories of third parties to whom such information was disclosed or sold;
- The right to request a copy of the specific personal information collected about them during the 12 months before their request (together with right #1, a “personal information request”);
- The right to have such information deleted (with exceptions);
- The right to request that their personal information not be sold to third parties, if applicable; and
- The right not to be discriminated against because they exercised any of the new rights.
The CCPA requires covered businesses, starting January 1, 2020, to make the following disclosures in their public-facing privacy policies, in addition to the disclosures already required by current law, and to update those disclosures annually:
- A description of the new rights afforded California residents. The description should address all of the above new rights. It should also indicate that the consumer may only make a personal information request twice in a 12-month period, that the business will need to collect information from the requesting party so that it can verify their identity, and that the business will respond within 45 days of receiving a personal information request.
- A link to an opt-out page on the website. If a business provides access to or discloses personal information to a third party for monetary or other valuable consideration (a “sale” for purposes of the CCPA), then it must also provide a link, titled “Do Not Sell My Personal Information,” to a web page where the consumer can opt out of having his or her information sold. Note that the link must also appear in the footer of the website home page.
- Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with laws and other standards;
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
- Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business;
- Debugging to identify and repair errors that impair existing intended functionality;
- Short-term, transient use, provided the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction;
- Undertaking internal research for technological development and demonstration; and
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the company, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
(For more information about CCPA and its ramifications, or for information about properly creating and orchestrating a crisis prevention plan around CCPA requests for information, please contact the authors.)
[i] Note the CCPA’s requirements do not apply to “medical information” subject to the California Confidentiality of Medical Information Act (CMIA) or to “protected health information” collected by covered entities and business associates under the HIPAA Privacy, Security and Breach Notification Rules. Moreover, providers of health care subject to CMIA and covered entities subject to HIPAA are not covered businesses under CCPA if they maintain all patient information in the same manner they maintain “medical information” or “protected health information” subject to CMIA and HIPAA, respectively. CCPA also exempts information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act, among other exemptions. In contrast, the GDPR has no such carve-out for health-related data.