California Consumer Privacy Act Faq
DISCLAIMER: The following information is not meant to be a substitute for the language in the CCPA itself and is not provided as legal advice regarding interpretation of the law. It is meant only to act as a general guide to some of the provisions of the CCPA. Please refer specifically to the language of the law found here to answer your questions definitively or consult your personal attorney.
ccpa frequently asked questions
“I’m a citizen of California. Does this law give me rights over the commercial use of my personal data?”
Yes. If you are a citizen of the state of California, the CCPA gives you certain rights to view and control information about you when it is used commercially by companies.
“What is meant by ‘commercial use’?”
Commercial use is specifically defined in the CCPA and, in general, covers the collection and use of your personal information by companies that are being paid to supply your data. A clear-cut example of commercial use would be when a business collects or possesses your personal data and then uses it to contact you to sell a product or service. There are many exceptions. For example, “commercial purposes do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.” In other words, your personal information may be used without your permission by candidates running for office or others communicating with you for political purposes. Other exceptions include the use of your personal information in one-time transactions with a business or to fulfill other legal requirements. Obviously, the law does not apply if you have given a company the right to use your personal data in the way the company is using it.
“If a company is using my personal data commercially and without my permission, what rights do I have?”
You have a number of rights. First you have the right to see a copy of your personal information possessed by the company. You then have the right to ask to have certain parts of it corrected if you believe them to be incorrect or to have your personal data excluded from the company’s database and no longer used commercially. You also have the right to know whether your personal information is being sold and to what categories of end users.
“How do I go about exercising those rights?”
Every company utilizing your personal data for commercial purposes must be responsive to your requests by offering, at a minimum, a toll-free number and a website making it easy for you to request a copy of your personal information. To protect your personal information from those who might impersonate you when they ask for it, you’ll need to provide proof of your personal identity. The California Attorney General will publish rules for the documentation you’ll need to provide but a copy of photo ID will probably be sufficient. Once the company has received your request and confirmed your identity, it has up to 45 days to respond to that request. If, due to the complexity of responding to a large number of requests, the company cannot supply your information within 45 days, it must inform you of that and can then take an additional 90 days to supply the information.
“Do I have the right to sue a company over their use of my data?”
The law gives you the right to sue the company if it does not respond to your request to view or delete your information. It also gives you the right to sue if there is a security breach that results in the release of your commercially-used personal information. However, in order to act on that latter right, you must first contact the company and notify it of the breach, provide evidence and then give the company 30 days to fix the problem and confirm to you that it has been corrected. You may only proceed with a lawsuit under the CCPA if the company fails to correct its systems that led to the breach within this time frame.
Your Rights Under the California Consumer Privacy Act of 2018
Preamble to Bill
“This bill would enact the California Consumer Privacy Act of 2018. Beginning January 1, 2020, the bill would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared. The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified. The bill would grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. The bill would require a business to provide this information in response to a verifiable consumer request. The bill would authorize a consumer to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data. The bill would authorize businesses to offer financial incentives for collection of personal information. The bill would prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to opt in. The bill would prescribe requirements for receiving, processing, and satisfying these requests from consumers. The bill would prescribe various definitions for its purposes and would define “personal information” with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information. The bill would prohibit the provisions described above from restricting the ability of the business to comply with federal, state, or local laws, among other things.”