The Regulations include examples and additional details on how businesses must notify consumers of their data rights, acceptable methods for consumers to submit their requests, and requirements for businesses to respond to those requests, including new timelines to give consumers notice that the business received their request.
Right to Know Requests
Consumers have the right to request to know information about any or all of the following business practices applicable to the 12-month period prior to the request:
- Categories of personal information collected about them (i.e., what is collected)
- The business or commercial purpose for which it was collected (i.e., how it will be used)
- Categories of sources from which the information was collected (i.e., where it was collected)
- Categories of personal information sold or disclosed for a business purpose about them (i.e., what is disclosed)
- Categories of third parties to whom the personal information was sold or disclosed (i.e., to whom is it disclosed)
- The business or commercial purpose for which it was sold or disclosed (i.e., why it was used)
When honoring these requests, a business must prepare an individualized response to the consumer and must not refer to the business’s general practices outlined in the privacy policy unless the response would be the same for all consumers. The 12-month period covered by a request runs from the date the business receives the request (regardless of the time required to verify).
Under the Regulations, a business has 10 days to acknowledge receipt of a right to know request and to give more information about how it will process the request, including a description of the verification process. A business has 45 days to respond to a right to know request (regardless of how long it takes to verify), and may extend that period by 45 days if it gives the individual notice of the extension and an explanation for the delay. A business is only required to honor a “verifiable consumer request.” If a business cannot verify the identity of a requestor, the business cannot deny the request. The business must inform the requestor that the business could not verify their identity.
Right to Access (or Copy)
Consumers have the right to request a copy of their personal information held by a business. Upon verifiable consumer request, the business must deliver, by mail or electronically, free of charge, the categories and specific pieces of personal information collected on the consumer covering the 12-month period preceding the request.
A business must use reasonable security measures when transmitting personal information to the consumer. If a business maintains a password-protected account with the consumer, it may use a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information if the portal fully discloses the personal information that the consumer is entitled to, uses reasonable data security controls, and complies with the verification requirements in the Regulations (see Verifiable Requests section below).
Businesses can limit their responses to these requests to address the risk of fraud or security risks. Specifically, the Regulations prohibit businesses from providing a consumer with specific pieces of information if the disclosure creates a substantial, articulable and unreasonable risk to the security of the personal information, the consumer’s account with the business, or the security of the business’s systems or networks. Further, the business must not provide the Social Security number, driver’s license number or any other government ID number, financial account number, health insurance or medical ID number, account passwords, or security questions and answers in response to a request for specific pieces of information.
Under the Regulations, a business has 10 days to acknowledge receipt of a right of access request and to give more information about how it will process the request, including a description of the verification process. A business has 45 days to respond to a right of access request (regardless of how long it takes to verify), and may extend that period by 45 days if it gives the individual notice of the extension and an explanation for the delay.
If a business denies a request to access specific pieces of information, in whole or in part, because of a conflict with applicable law or an exception to the CCPA, the business must inform the requestor and explain the basis for the denial. If a business cannot verify the identity of a requestor, the business cannot deny the request. The business must inform the requestor that the business could not verify their identity.
Right to Deletion
Businesses must honor verifiable consumer requests to delete the consumer’s personal information from their records and direct all of their service providers to do the same, subject to several exceptions. Businesses must provide instructions for submitting a verifiable consumer request to delete and provide links to an online request form or portal for making the request. Businesses must also describe the process they will use to verify the consumer request, including the information the consumer needs to provide.
The Regulations require businesses to provide two or more designated methods for submitting requests to delete. Acceptable methods explicitly mentioned in the Regulations include a toll-free phone number, a link or form available online through a business’s website, a designated e-mail address, a form submitted in person, and a form submitted through the mail. At least one of the methods used to receive right to delete requests must reflect the manner in which the business primarily interacts with the consumer. The Regulations give the example of a business that has a website but primarily interacts with customers in person at its retail location; such a business should provide a form that can be submitted in person at the retail location.
Under the Regulations, a business has 10 days to acknowledge receipt of a right to delete request and to give more information about how it will process the request, including a description of the verification process. A business has 45 days to respond to a right to delete request (regardless of how long it takes to verify), and may extend that period by 45 days if it gives the individual notice of the extension and an explanation for the delay.
Consumer requests made through a password-protected account may be verified through the business’s existing authentication practices for the consumer’s account. However, the consumer must re-authenticate themselves before their personal information is deleted. When a consumer does not hold an account, the Regulations provide a risk-based scale for verification of the consumer in a right to delete request of either a reasonable degree of certainty or a reasonably high degree of certainty. The sliding scale is based on a business’s good faith assessment of the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion. If a business is unable to verify the individual, the business must treat the request as an opt-out request instead of a deletion request.
A verified request to delete may be satisfied by permanently erasing personal information on a business’s systems, with an exception for backup systems, or by de-identifying or aggregating the consumer’s personal information. Personal information is considered de-identified when it cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer. Aggregated information is data that relates to a group or category of consumers, from which individual consumer identities have been removed, and that is not linked or reasonably linkable to any consumer or household, including through a device.
When responding to the consumer, a business must disclose the method by which it complied with the consumer’s request. If a consumer submits a deficient request to delete, the business can either treat the request as if it were correct in form or provide the consumer with additional direction and an opportunity to cure the defect.
When a business denies a deletion request, it must notify the consumer and provide the basis for rejecting the request. There are several exceptions to the right to deletion, including several scenarios where a business needs the consumer’s personal information for valid reasons such as:
(1) providing goods or services to the consumer
(2) identifying/resolving functionality or security issues
(3) complying with other legal obligations
(4) conducting legitimate research in the public interest
(5) protecting the exercise of free speech or another’s exercise of free speech
(6) using the information for internal purposes that the consumer should expect
Right to Opt-Out of Sale
As should be clear from the preceding section on Notices to Consumers, the CCPA model is largely one of opt-out rights, as opposed to mandating that everything from browser cookies onward requires an opt-in. Nonetheless, there are some ins and outs that can be more complicated.
Opting Out
The CCPA grants consumers the right to opt out of having their personal information “sold” by a business and directs each covered business to include a clear statement of the right to opt out in the privacy notice presented to the consumer when personal information is being collected. The Regulations require businesses to give a “notice of right to opt-out”. The request to opt out does not concern how an individual business uses the consumer’s information, but rather whether that business will be permitted to “sell” the consumer’s information to third parties for the recipient’s own use and benefit.
The privacy policy content required by the Regulations mandates that each business selling personal information provide a hyperlink titled “Do Not Sell My Personal Information” or “Do Not Sell My Info”. In the future, the AG’s office anticipates presenting a presumably standardized opt-out button or logo in lieu of the quoted wording above.
To exercise an opt-out request, a consumer would click the linked words, button, or logo that businesses must present either within their privacy policy or on a separate landing page (whether for website or mobile app), explaining how an individual may exercise an opt-out request. Beyond the clearly visible and ADA-accessible requirements of the privacy notice generally, the opt-out instructions must:
- Explain the consumer’s opt-out right;
- Present a webform for online requests or the offline method available from those businesses that do not operate a website;
- Instruct on any alternative methods to submit the request;
- Explain the proof required when a consumer request is submitted by an authorized agent; and
- Link to or provide the URL of the business’s main privacy policy.
Businesses are not required to provide the opt-out link if they do not sell or intend to sell consumer information and include a statement to that express effect in the privacy policy.
Opting In (or Back In)
Opt-in applies in two circumstances. First, when the business has actual knowledge that it collects or maintains the personal information of children under the age of 16, and second, when a consumer is opting in after previously having opted out. For the former, the opt-in applies with respect to the business’s intention to sell the minor’s personal information, as further described below in the Special Rules for Minors section. Similarly, if the business targets consumers under 16 but has no intention of selling this information, there is no need to provide any subsequent opt-out notice. Finally, a consumer who has previously opted out of the sale of their information, or has previously not opted in (such as those under 16 or their parent/legal guardian), has the right to communicate a request to opt in.