This post does not reflect amendments to the California Consumer Privacy Act (CCPA) enacted on October 11, 2019. Check back for updates or follow this blog.

In our next two FAQ installments on the California Consumer Privacy Act of 2018 (“CaCPA” or “Act”), we will focus on the individual rights established by the CaCPA, including the right to:

  1. Know what personal information is being collected about the consumer
  2. Know whether the consumer’s personal information is sold or disclosed and to whom
  3. Say no to the sale of the consumer’s personal information
  4. Delete the consumer’s personal information
  5. Equal service and price, even when the consumer exercises any rights under the CaCPA

This installment focuses on the first three rights, and our next FAQ installment will focus on the remaining CaCPA rights as well as other material obligations under the CaCPA.

We will first break down the substance of each right and the obligations imposed on companies concerning such rights, and we will then explore the compliance steps a company may take to address the rights and the Act’s related obligations. To get the most out of this post, we recommend that you review our first set of FAQs and pay specific attention to our discussion of the definition of “personal information” under the Act. The scope of that definition impacts when and how a company should address these CaCPA rights.

If you would like to jump to our discussion on a particular right, just click on the right listed above and it will take you to that section. Otherwise, continue reading below.

(1) Right to know what personal information a company is collecting and obtain a copy of that information

What constitutes “collecting” of personal information?

Under the CaCPA, a business’s collection of personal information is defined to include “buying, renting, gathering, obtaining, receiving, or accessing . . . by any means.” CaCPA § 1798.140(e). This includes both: (1) actively gathering information about a consumer through forms or other means of communication; and (2) passively gathering information through any means, including “by observing the consumer’s behavior.” These passive collection efforts may comprise, for example, observing consumers’ habits in physical stores or tracking consumers’ online activities through the use of cookies and pixel tags. Essentially, many observations by businesses of consumers could fall under the definition of “collecting.”

What information does a business have to provide a consumer if he or she chooses to exercise this right?

Under Section 1798.110 of the Act, a consumer has the right to request the following from a business:

  • the categories and specific pieces of personal information the business has collected;
  • the sources from which the business collected the personal information;
  • the business or commercial purpose for collecting the personal information; and
  • the categories of third parties with whom the business shares the personal information.

The information must be disclosed and delivered free of charge. This requirement will inevitably affect data brokers and other third-party data sources, since businesses will be required to disclose the sources from which they collect the personal information, including by naming third parties—such as data brokers—from whom they purchased personal information.

How much time does a business have to respond to the request? And in what format should the response be?

A business must respond through either mail or electronic delivery within 45 days of the consumer’s verifiable request. If the information is provided electronically, the information must be in a portable and easily usable format (such as a spreadsheet or .csv file) to allow ease of use by the consumer.

What is meant by “categories” and “specific pieces” of personal information? How much detail is required in the disclosure to the individual?

The CaCPA gives some definitions of the specific pieces and categories of information, and it also points to California’s consumer data breach notification statute, Cal. Civ. Code § 1798.80(e). However, subdivision (e) is the definition of personal information for that section of the California code and does not actually specify categories of personal information. Cal. Civ. Code § 1798.83, California’s “Shine the Light Law,” does identify various categories of personal information, and it may be useful for businesses looking to identify and define the categories of personal information they process under the Act.

The CaCPA does indicate that these categories and specific pieces of personal information do not include information otherwise publicly available from federal, state or local government records.

Given that the CaCPA calls for the disclosure of both categories and specific pieces of personal information, the precise level of detail that must be disclosed is unclear. The California Attorney General will likely provide guidance on this disclosure, particularly since the CaCPA states that the Attorney General should set forth any additional categories that would be relevant to consumers “in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.”

What steps must a consumer take to exercise this right?

A consumer who wishes to exercise this right must submit a “verifiable consumer request” to the business by providing sufficient information to allow the business to verify his or her identity. Businesses will not be required to respond unless the business can verify that: (1) the request is coming from the consumer or someone acting on the consumer’s legal behalf; and (2) the business has actually collected information on that consumer. Importantly, a business cannot require a consumer to create an account with the business in order to request this information.

The CaCPA provides that a request made via a consumer’s password protected account with the business is a verifiable consumer request. The CaCPA states that a verifiable consumer request is one that a “business can reasonably verify, pursuant to regulations adopted by the Attorney General.” CaCPA § 1798.140(y). Because businesses must be able to “reasonably verify” the request, businesses are clearly not required to take every step possible to verify the request, but rather are required to make a good faith effort.

However, the Act does not provide any additional guidance regarding what is “verifiable,” nor does it provide any indication of whether penalties would be imposed if a business, in good faith, releases a consumer’s information to the wrong individual. Ultimately, the CaCPA defers the answering of all of these questions to the California Attorney General. As such, we will have to keep an eye out for upcoming regulations and guidance from the AG.

Are there any exceptions?

There is some breathing room for businesses, in that a business only has to respond to two requests within a 12-month period per consumer. Additionally, a business is not required to disclose personal information it collects for single, one-time transactions with a consumer as long as the business doesn’t sell or retain the information and does not use that transactional information to identify consumers going forward. At this point, it is hard to determine what might constitute a “single, one-time transaction” (on the surface the description itself seems redundant). If a consumer buys something once, and then comes back to buy something again, are they entitled to this right? If a company sends the consumer a marketing email after the first transaction, has more than a “single, one-time transaction” occurred? To be determined.

What steps should businesses consider to address this right?

There are several steps businesses should consider to address this right and the requirements related to it in the Act, including:

  • identifying and inventorying the categories and specific types of personal information a business collects and shares, which is commonly achieved by data flow mapping;
  • updating privacy policies, disclosures and notices to adequately disclose their personal information collection practices, including the information listed above; and
  • implementing policies and procedures that provide an avenue for a consumer to request the information described above and enable the business to meet those requests, including a process for verifying identity. At a minimum, businesses must provide: (1) a toll-free phone number; and (2) a contact method provided on the business’s website, if the business has a website.

(2) Right to know whether their personal information is sold or disclosed, and to whom

How does the CaCPA define “sold” and “disclosed”?

“Selling” means selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating—through oral, electronic or any other means—a consumer’s personal information to another business “for monetary or other valuable consideration.” While the CaCPA does not further elaborate on the meaning of “other valuable consideration,” California law defines “consideration” as:

Any benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is a good consideration for a promise.

Given how broad the concept of “consideration” may be, non-monetary “benefits” resulting from disclosures may constitute a “sale” under the Act. In fact, in an apparent attempt to clarify some common disclosures, the Act lists certain activities that do not meet the definition of “sale”, including when a:

  • consumer directs or uses the business to disclose the personal information or deliberately and intentionally interacts with the third party (i.e., not simply hovering over or closing a piece of third party content) as long as that third party does not also sell the information in a manner inconsistent with the Act;
  • business shares the consumer’s personal information with a third party in order to effectuate the consumer’s request to opt out of selling;
  • business shares the consumer’s personal information to perform a business purpose, so long as the consumer has notice of this sharing and the third party only uses the consumer’s personal information to perform that business purpose; and
  • business transfers the consumer’s personal information as part of a merger, acquisition, or some other type of transaction where a third party assumes control of the business (subject to certain limitations, including situations where the third party materially alters how it uses or shares the personal information).

Overall, if this definition stands, businesses will have to analyze their transfers and sharing of personal information to determine whether they potentially constitute a “sale” under the Act.

Does the sharing of personal information between business affiliates constitute a “sale”?

The CaCPA only deems personal information to be sold or disclosed if it is transferred outside of the “business.” The CaCPA defines “business” to include the entity itself and any other entity that: (1) controls or is controlled by the business; and (2) shares common branding with the business. Thus, businesses may not need to disclose how they share personal information with parent companies, affiliates and subsidiaries to the extent those entities are under common control and branding.

Under the Act, an entity controls or is under control of the business if it has 50% voting rights, has control over the directors, or has “the power to exercise a controlling influence over the management of the company.” Cal. Civ. Code § 1798.140(c)(2). This is not the clearest definition, and having the power “to exercise a controlling influence over the management of the company” is certainly open to interpretation. The second requirement is that the two entities share “common branding”, which means “a shared name, servicemark, or trademark.” It is unclear at this point how extensively the branding has to be used by each company to be “common” (e.g., it could be enough that one product for each entity shares a name, but 99% of the other products do not share a name).

What is a “third party” under the Act?

Aside from the business—defined above—that is collecting the personal information of the consumer, the Act distinguishes between two types of entities: service providers and third parties. Service providers are processors that receive personal information from the business and process the data per the terms of a written contract with the business. Service providers are not permitted to retain, use or disclose the personal information for any purpose other than to meet the terms of the contract with the business. Consumers cannot opt out of the transfer of their personal information to service providers, only to third parties.

A third party is, therefore, any person or entity that receives a consumer’s personal information from the business that is not either: (a) part of the business (as defined above) or (b) a service provider.

What information does a business have to provide a consumer if he or she chooses to exercise this right?

Under Section 1798.115 of the Act, a consumer has the right to require a business to identify categories of:

  • personal information the business collects about the consumer;
  • personal information the business sold about the consumer;
  • third parties to whom the business sold the personal information, clearly delineating the category of personal information for each third party to whom the personal information was sold; and
  • personal information that the business disclosed about the consumer for a business purpose.

The business must provide this information covering the 12-month period preceding the day the business received the verifiable request. Again, the information must be disclosed and delivered free of charge, and the consumer cannot be required to create an account with the business in order to exercise this right.

How much time does a business have to respond to the request? And in what format should the response be?

A business must respond through either mail or electronic delivery within 45 days of the consumer’s verifiable request. If the information is provided electronically, the information must be in a portable and easily usable format (such as a spreadsheet or .csv file) to allow ease of use by consumers.

What steps should businesses consider to address this right?

As with the first right discussed, there are several steps businesses should consider to address this right and the requirements related to it in the Act, including:

  • identifying and inventorying the categories and specific types of personal information a business collects and “sells”, which is commonly achieved through data flow mapping;
  • updating privacy policies, disclosures and notices to adequately disclose their personal information collection and sales practices, including the information listed above; and
  • implementing policies and procedures that provide an avenue for a consumer to request the information described above and enable the business to meet those requests, including a process for verifying identity. At a minimum, businesses must provide: (1) a toll-free phone number; and (2) a contact method provided on the business’s website, if the business has a website.

(3) Right to opt out of the sale of personal information to third parties

What does “opt out” mean under the CaCPA?

Section 1798.120 of the CaCPA enables consumers to “opt out”, meaning that, at any time, a consumer can direct a business not to sell the consumer’s personal information. To exercise this right the consumer must follow the opt out process set forth in the Act, discussed below.

Can someone opt out on another consumer’s behalf?

Yes, under the Act, a consumer can authorize another person to opt out on his or her behalf, and businesses must abide by these requests. The person is not required to be the consumer’s legal guardian. That is, the person can be authorized solely for the purpose of opting out of the sale of the consumer’s information. Again, the Act defers to the California Attorney General to set forth regulations on how a business can verify the authorization.

What about the sale of children’s personal information?

If the business has actual knowledge that a consumer is less than 16 years of age, the business is not permitted to sell the personal information unless the consumer—or the consumer’s parent or guardian for a consumer under 13 years of age—has opted in to the sale of the personal information. The Act makes clear that a business’s willful disregard of the consumer’s age amounts to actual knowledge of that consumer’s age. The CaCPA refers to this restriction on the sale of children’s personal information as the “right to opt in.” Cal. Civ. Code § 1798.120(d).

Are businesses required to stop collecting a consumer’s personal information if the consumer opts out?

The CaCPA does not provide a mechanism by which consumers can opt out of the collection of their personal information. As such, it appears that businesses can likely keep collecting personal information on a consumer regardless of that consumer’s opt out status in relation to the sale of that information.

What steps must a consumer take to exercise this right?

The Act does not prescribe a method for consumers to opt out, but it does provide examples for how a consumer may opt out, including:

  • via the webpage “Do Not Sell My Personal Information”, discussed below; and
  • through a person authorized to opt out on the consumer’s behalf, discussed above.

The California Attorney General is required to adopt regulations establishing the procedures “[t]o facilitate and govern the submission of a request by a consumer to opt out.” As such the method for opting out will likely be expanded upon and clarified at a later date.

What steps should businesses consider to address this right?

As with the first two rights discussed, there are numerous steps businesses should consider to address this right and the requirements related to it in the Act, including:

  • identifying and inventorying the categories and specific types of personal information a business collects and “sells”, which is commonly achieved by data flow mapping;
  • creating a webpage titled “Do Not Sell My Personal Information”, which enables a consumer to opt out of the business’s sale of the consumer’s personal information without requiring the consumer to create an account with the business and/or developing other procedures to enable consumers to exercise their “opt out” right;
  • updating privacy policies (including California-specific descriptions of privacy rights), disclosures and notices to adequately explain the consumer’s right to opt out of the sale of personal information and to provide a link titled “Do Not Sell My Personal Information” linking to that page;
  • training personnel who will be handling opt out requests on the requirements of the Act; and
  • implementing policies, procedures and record keeping mechanisms to help: (1) ensure the consumer’s personal information is not sold after opting out; (2) verify the requests (or confirm the authorization of any third party making an opt out on behalf of another); (3) confirm the receipt of and effectuate any opt out; and (4) ensure the business does not ask the consumer to authorize the sale of personal information for at least 12 months after the consumer’s opt out.

Contributors

David Navetta

Alex Murchison

Posted by David Navetta