We heard a lot about data protection and privacy laws throughout 2019, mostly GDPR and CCPA. Leaving aside the significant differences in the territorial reach of these regulations—and differences in their approach—both serve the same purpose of protecting individuals and empowering them with control of their data.
This piece focuses solely on the CCPA regulations; particularly the rights granted to consumers in California; the 5th largest economy in the world. Contact us, at firstname.lastname@example.org, with any questions you may have about privacy, the rights granted to individuals or the obligations imposed upon organizations processing personal information.
1. Right to know
Consumers have the right to be aware of:
- What Personally Identifiable Information (PII) is collected—what and why is sold and used to conduct business, all presented in a clear language devoid of legal jargon.
- What their California Consumer Privacy Act (CCPA) rights are and how to exercise them.
- What information is needed to verify their identity.
- How to engage authorized agents to facilitate their requests.
- What are the material terms of any financial incentives offered in exchange for a business’ ability to sell their PII—including the discount offered, the value of their PII and calculation used to determine such value.
- When a transaction requires the sale of their PII as a condition for completing a transaction after previously having opted-out of the sale of such information.
2. Right to access
Consumers have the right to access:
- The categories of Personally Identifiable Information processed about them, the sources of PII and the categories of third parties with whom PII has been shared.
- The discrete PII processed by a business about them and their household.
3. Right of choice
Consumers have the right of choice to:
- Withhold the explicit consent needed before the Personally Identifiable Information associated with an individual of 16 years of age can be lawfully sold.
- Withhold their explicit consent before the PII associated with their child under 13 years of age can be lawfully sold.
- Withhold their explicit consent before previously collected PII can be used for a new purpose.
- Opt out of having their PII lawfully sold by a business.
4. Right to request
Consumers have the right to request that their PII be deleted by a business and expect the business to forward their request to any third party with whom it has shared such information since the time their request was received but before it was processed.
5. Right to receive
Consumers have the right to receive equal terms and treatment as other consumers who have not exercised their CCPA rights, or otherwise not be discriminated against for exercising their CCPA rights.
6. Right of representation
Consumers have the right of representation and may engage an authorized agent to help them facilitate their rights under CCPA: to know if their PII is processed, and to delete or prevent the sale of such information.
7. Right of redress
Consumers have the right of redress. They may sue a business who fails to implement appropriate security controls and, subsequently, breaches their unencrypted or unredacted PII.
If you would like to recap the principles of data security and privacy, you can read our previous article, Privacy and Security are not the same.