California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is now in effect. If you are a resident of California, you now have the right to:
- Ask a business what they know about you, your devices and your children.
- Opt-out of the sale of your personal information.
- Ask a business to delete your personal information.
- Sue a business if it fails to implement reasonable security measures and your personal information is compromised in a data breach.
Right to Know What Personal Information a Business Has Collected About You
If you are a California resident, under the CCPA you may ask a business (see note) to tell you:
- The categories of personal information a business has collected about you.
- The specific pieces of personal information a business has collected about you.
- Whether a business has sold your personal information and, if so, the categories of third parties to whom it has sold your personal information.
- Whether a business has disclosed your personal information for a business purpose and, if so, the categories of service providers to whom it has disclosed your personal information.
Note: Under the CCPA, a business is any entity that either:
- Has annual gross revenue in excess of $25M; or,
- Collects the personal information of 50,000 consumers; or,
- Derives 50% or more of its revenue from selling consumers' personal information.
- The business does NOT need to be located in California.
Some things to know:
- You may make the request to each business twice a year, free of charge.
- Some businesses provide a form on their website to submit these requests. If you have an account with a business, that business may require you to file your request through the account. However, if you do not have an account, a business cannot require you to create one in order to file a right to know request. Instead, you can contact a business directly (a sample letter is attached below).
- A business has 45 days to respond to your request, although this may be extended for another 45 days for a total of 90 days.
- A business is allowed to ask you for additional information to verify your request. However, they are not allowed to use that information for purposes other than verifying your request.
- A business should respond with:
  - The categories of personal information it has collected about you, and
  - The specific pieces of information it has collected about you.
Sample form:
Dear Privacy Compliance Officer,
My name is [insert name]. I reside in California and am exercising my data access right under the California Consumer Privacy Act to see a copy of the categories and the specific pieces of personal information that [insert name of company here] has collected about me.
I request to see a copy of any and all of the records you have pertaining to me including but not limited to:
- Specific pieces of personal information that you have collected about me including all information or content provided or posted by me, any information you have collected about me, or any personal information you have obtained or acquired about me from a third party business or service provider.
- Any inferences you have made about me.
- Categories of personal information you have collected about me pursuant to the enumerated list of categories in 1798.140(o);
- Categories of sources from which my personal information is collected;
- Categories of personal information that you have sold or disclosed for a business purpose about me by each category of personal information enumerated in 1798.140(o);
- Categories of third parties to whom my personal information was sold or disclosed for a business purpose; and
- The business or commercial purpose for collecting or selling my personal information.
My email address is [insert email address] and my phone number is [insert phone number].
If you need any more information from me, please let me know as soon as possible. If you cannot comply with my request, either in whole or in part, please state the reason why you cannot comply. If my request is incomplete, please provide me with specific instructions on how to complete my request.
Sincerely,
[insert name]
[insert date]
Right to Opt-Out of the Sale of Your Personal Information
If a business sells your personal information, you may opt-out of the sale of your information. A business that sells personal information must provide two ways for a consumer to opt-out including through a link on their homepage or mobile app that says "do not sell my personal information" or "do not sell my info." If you do opt-out, the business is prohibited from selling your personal information.
Some things to know:
- Although the regulations are not final, the Attorney General has issued guidelines counseling businesses to respond, "as soon as feasibly possible, but no later than 15 days from the date the business receives the request."
- Although a business cannot discriminate against you, it can offer you financial incentives to sell your personal information based on the value of that information to the business.
- The CCPA expands the definition of sell to include "sharing for valuable consideration." This means that if a business allows third parties to track your personal information on their web site, this is considered selling under the CCPA and you are entitled to opt-out.
- Even if you do not have a direct relationship with a business or if you do not have an account with that business, you may still opt-out of the sale of your personal information. A business is prohibited from requiring you to create an account in order to opt-out.
- Even if you do opt-out, a business may still share your personal information with service providers to perform business purposes. However, the service providers are prohibited from further using your personal information other than for that business purpose.
- You may designate an agent to opt-out on your behalf.
How to Request That a Business Deletes Your Personal Information
Under the CCPA, a consumer has the right to request that a business deletes their personal information. Once a business verifies your request, it must delete your personal information.
Some things to know:
- There are exceptions to your right to delete your personal information. If a business denies your request, the business must tell you why it refused your request to delete your personal information.
- You do not need to have a direct relationship with the business in order to request that business delete your personal information.
- If a business requires you to provide additional information to verify your identity, it is not allowed to use that information for any other purpose.
- Even if a business does not sell personal information but only collects personal information, it must respond to your request to delete your personal information.
- A business is not allowed to charge you for deleting your personal information.
- A business must provide two or more methods for you to request that your personal information be deleted.
Sample form:
Dear Privacy Compliance Officer,
My name is [insert name]. I reside in California and am exercising my right to delete my personal information under the California Consumer Privacy Act. I request that [insert name of company here] deletes all of the information it has collected about me, whether directly from me, through a third party, or through a service provider.
My email address is [insert email address] and my phone number is [insert phone number].
If you need any more information from me, please let me know as soon as possible. If you cannot comply with my request, either in whole or in part, please state the reason why you cannot comply. If part of my information is subject to an exception, please delete all information that is not subject to an exception. If my request is incomplete, please provide me with specific instructions on how to complete my request.
Sincerely,
[insert name]
[insert date]