To get a better browsing experience, please use Google Chrome.Download Chrome
Free TrialAsk for Price
  • HOME
  • Products
  • Solutions
  • Customers
  • Knowledge Hub
  • About Us
  • Demo


CCPA Series 2: How to Interpret CCPA Consumer Rights?

Aug 2, 2023

1. The Right to Know

Consumers have the right to require companies to inform them of the type of personal information they collect, the source of the information, the specific content, purpose, and third-party processing agencies. Enterprises should clearly inform consumers of the above information in their privacy clauses, otherwise their collection of consumers' personal information will be considered non-compliant.

2. Access Rights

Consumers have the right to request companies to provide free of charge the personal information they have collected and processed. This means that consumers can obtain their own personal data processed by enterprises, and self-manage and reuse personal data in an easy way. The right of access strengthens the use and control of personal information by information subjects, facilitates information circulation and sharing, and breaks the platform's data monopoly.
CCPA stipulates that consumers need to send requests to enterprises to obtain personal information, and enterprises can only send them to consumers by mail or electronic means after verifying consumers' requests. In addition, businesses should send personal information in a portable, easy-to-consume format that doesn't create barriers to secondary use by consumers. The implementation of access rights can bring many conveniences to real life. For example, during the epidemic, residents were required to apply for a local health code when traveling across provinces due to territorial control requirements. During this period, personal information was often filled in repeatedly, causing inconvenience to the user experience. If residents can download their personal health information after applying for a health code for the first time and filling in their personal information, then when re-applying for a health code, they can import the downloaded personal information into the new system after simple authorization without having to fill in repeatedly. It is worth noting that although consumers have the right to request companies to provide personal information free of charge, CCPA also stipulates that consumers can only make two applications per year. This limit on the number of times effectively prevents consumers from abusing access rights and putting excessive compliance pressure on companies.

3. Right to Delete

Section 1798.105 of the CCPA states that "a consumer has the right to request that a business delete any personal information it has collected about that consumer." Enterprises should also clearly inform consumers that they have the right to delete. When an enterprise receives a consumer's request to delete personal information, it should delete the personal information after verification, and request other data service providers to delete the relevant information at the same time. Businesses have the right to deny a consumer’s deletion request under certain circumstances, including:
(1) Consumers’ personal information must be collected for normal transactions or contract performance between enterprises and consumers;
(2) Diagnose security incidents;
(3) Fixing loopholes;
(4) Guarantee freedom of speech;
(5) Comply with the California Electronic Communications Privacy Act;
(6) Research conducted in the public interest;
(7) Only for the internal use of the enterprise that meets the reasonable expectations of consumers;
(8) Comply with other legal obligations;
(9)The legal use of consumers' personal information within other enterprises. The introduction of the right to delete can effectively regulate the information collection behavior of enterprises and strengthen consumers' control over personal information. After the CCPA was officially implemented, major Internet companies also began to deal with users' deletion requests in accordance with the regulations. Take Roblox, a Metaverse company, as an example. After the official implementation of CCPA, Roblox received a total of 145 deletion requests from consumers in 2020, of which only 38 were valid requests, 3 requests were rejected, and the remaining hundreds of requests were not accepted. Adoption may be due to inability to verify consumer information.

4. Right to Choose

Consumers have the right to ask businesses not to sell their personal information at any time. Enterprises should fulfill their obligation of notification and provide the "Do Not Sell My Personal Information" option in a conspicuous place on their platform, which is also known as "Opt-out". On the premise of giving reasonable notification, as long as the consumer does not refuse, the company will tacitly agree that the consumer agrees to sell his personal information.
Blizzard Entertainment’s “Do Not Sell My Personal Information” source: Blizzard Entertainment’s official website Corresponding to the “opt-out right”, there is also the “opt-in” for minors under the age of 16. Information of minors is strictly protected in the United States. The CCPA clearly stipulates that "any behavior of an enterprise that deliberately ignores a consumer's age shall be deemed to have clearly known the consumer's age." For the personal information of minors (under the age of 16), companies should obtain the explicit consent of the consumers themselves (consumers between the ages of 13 and 16) or their parents and guardians (for consumers under the age of 13) before selling their personal information.

5. The Right to Fair Dealing

Businesses must not discriminate against consumers for exercising their rights under the CCPA, including:
(1) Refusing to provide goods or services to consumers;
(2) Charging different prices or rates for goods or services, including by granting different discounts, other benefits or penalties;
(3) Provide consumers with goods or services of different grades or qualities;
(4)Implications that consumers will receive goods or services at different prices or rates, or that consumers will be provided with goods or services of a different level or quality. But the CCPA also provides some exemptions. For example, when the quality of services or goods provided by an enterprise is directly linked to the personal information it collects, the enterprise may provide goods or services of different prices or qualities. Businesses can also provide financial incentives for the collection, sale or deletion of personal information, including payment of compensation to consumers. On the basis of protecting the rights of consumers, CCPA also fully affirms the economic value of data flow and advocates the reasonable use of personal information under legal circumstances.

6. Personal Litigation Rights

right to bring individual lawsuits. Section 1798.150 of the CCPA provides that “a consumer may bring a civil action for unauthorized access and disclosure, theft, or disclosure because of a business’s breach of duty to protect personal information by failing to implement and maintain reasonable security measures and practices commensurate with the nature of the information.” Consumers can recover damages ranging from $100 to $750 per security incident, as well as other legal remedies such as an injunctive order. However, the CCPA also imposes a higher threshold on the individual's right to sue, and has a limited role in the implementation of personal information protection law enforcement. The CCPA's private litigation right is only for data leakage accidents, and consumers can file personal lawsuits only when the company causes personal data leakage of consumers due to its own reasons.
Individual rights of action do not support non-compliance that has not yet caused damage to the enterprise. For example, regarding the fact that a company does not set the "Do Not Sell My Personal Information" option in a conspicuous position on its website, although it is not compliant, it does not cause serious consequences such as privacy data leakage, so it does not meet the conditions of a personal lawsuit. So far, California courts have received more than 150 individual lawsuits accusing companies of non-compliance with privacy protection, but none of the cases have been successfully accepted.

7. Compliance Suggestions

CCPA strengthens the six rights that consumers have in the field of privacy data protection, and puts forward specific operational regulations on how to protect consumers' personal information.
Enterprises should fulfill their duty of reminder in their privacy clauses and explain their rights to consumers in an easy-to-understand manner. At the same time, enterprises should allocate special personnel to deal with various requests from consumers within the specified time, and do a good job in keeping corresponding records.

Live Chat