6 Key CCPA Rights Every Consumer Should Know

By Safna December 6, 2024

Data privacy is fast becoming a core element of exceptional customer service. It is no longer just about offering great products but also about giving customers control over their personal information. The California Consumer Privacy Act brings this into focus by granting privacy rights to consumers. Read on to understand the CCPA rights and how to exercise them.

Who is covered by CCPA?

The California Consumer Privacy Act applies to all for-profit businesses meeting the following threshold.

  • Raised an annual revenue of $25 million last year
  • Buys/sells/shares personal information of 100,000+ Californians annually
  • Derives 50% or more of the annual turnover from selling or sharing consumer information 

All the entities meeting one or more of the above criteria must honour consumer rights.

Who is a consumer under CCPA?

A consumer under the California Consumer Privacy Act is a Californian resident regardless of how they are identified, including by a unique identifier. 

Anyone who has been in California other than for a short time visit or for transit is considered a Californian. This also holds true for California residents who leave the state for a temporary or transit-related reason. Section 17014 of Title 18 of the California Code outlines this.

Every California resident has the right to exercise CCPA rights. However, note that there are companies that do not exclude non-Californians from exercising CCPA rights such as deletion, correction or access.

Key CCPA rights for consumers

The California Consumer Privacy Act came into effect in 2020 with 4 key rights for consumers: the right to know, delete, opt-out and non-discrimination.

Later, California voters approved the California Privacy Rights Act (CPRA), an amendment to the CCPA, which expanded the law by adding two new rights: the right to limit and the right to correct.

Let us sift through the key CCPA rights in this section.

#1 Right to delete

The right to delete is like your personal shift+delete for the digital world. It allows consumers to request businesses to erase any personal data they collected from them.

Businesses could deny a deletion request if the personal data was collected from other sources.

On receiving such requests, businesses should also ask the third parties or service providers with whom they may have shared the data to delete it from their records.

However, businesses are still allowed to keep records of the deletion request under certain lawful circumstances, but only if they are kept confidential.

Businesses are required to respond to such requests within 45 days unless it is necessary to extend the response period by an additional 45 days.

Businesses that the California privacy law covers must provide at least two designated methods for consumers to exercise their CCPA rights including the right to delete. 

The consumer request methods can be:

  • Toll-free number (mandatory)
  • Email address
  • Website form/ a mechanism available on the website (mandatory for businesses with a website)
  • Hard copy form

If a business operates exclusively online and has a direct relationship with the customers, it needs to provide only an email address as a consumer request mechanism.

#2 Right to know/access

The right to know is like a receipt of your data. It informs consumers about what personal data was collected, how and why it was collected, what was shared or sold, and with whom it was shared or sold.

The law also requires businesses to let consumers know that they have a right to access specific pieces of information that they have collected.

What information can be requested?

Consumers can request to know or access the following in a portable format.

  • Categories of personal information collected by the business
  • Specific pieces of personal information collected by the business
  • Categories of sources from which the data was collected
  • The purposes for collecting, selling or sharing personal information
  • Categories of third parties with whom the data is disclosed for business purposes
  • Categories of third parties with whom the data is sold or shared
  • Categories of personal data disclosed, sold or shared

If a business does not disclose, share, or sell personal data, the consumer should be informed of that as well.

Once a request to know/access is received, businesses must fulfil it within 45 days, or a maximum of 90 days if there are reasonable grounds.

In addition to the duty to provide information upon request, businesses must conspicuously provide a CCPA privacy policy.

#3 Right to correct

The CPRA amendments have introduced the right for consumers to request businesses to correct any inaccuracies found in their personal data. It is similar to the right to rectification under the General Data Protection Regulation.

This is an important right as most of the decision-making processes are influenced by algorithms relying on data. Thus, having inaccuracies can lead to unfair outcomes. 

Misplaced denial is a key example. Incorrect records of your current salary or credit histories can have a negative impact on getting your loans approved.

The response period for the right to correct is the same as for all other rights: 45 days, extendable to 90 days if necessary.

#4 Right to opt-out

When the GDPR introduced the need for consent (opt-in) to process personal data, California decided upon an opt-out model. 

This means businesses can still sell or share personal data unless consumers explicitly direct them not to. This process is called the opt-out.

Consumers can opt out of the sale of personal information using the “Do not sell my personal information” link that businesses are required to provide. For brick-and-mortar businesses, there should be other offline methods to exercise opt-out, such as paper forms.

The methods to exercise opt-out rights should be available in every manner a business collects consumers’ personal information.

Once the opt-out is exercised, businesses should wait for 12 months before seeking consent again.

However, when it comes to children below 16 years, there is a deviation from the general opt-out rules. For them, the opt-in rule applies. 

Therefore, consent is necessary to process the personal data of minors under 16. Here is a breakdown.

  • Children between 13-16 years of age: They can give consent to processing personal data without involving a guardian.
  • Children below 13 years: Consent is to be given by a parent or guardian.

Businesses must respond to the opt-out request as soon as possible or within 15 working days.

The CCPA also requires businesses to honour global opt-out signals.

#5 Right to limit

Consumers have the right to limit the use or disclosure of sensitive personal information by businesses. Because this type of information can lead to greater harm and discrimination if compromised, it necessitates a higher level of caution.

Sensitive information under CCPA includes personal information revealing

  • Driver’s license, state ID, passport or social security number
  • Login credentials or financial information including card numbers with their passwords
  • Precise geolocation data
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Citizenship or immigration status
  • Union membership
  • Email, or text message contents unless the business is the intended recipient
  • Genetic data
  • Biometric information used for identification purposes
  • Health information
  • Sex life or sexual orientation

Note that publicly available sensitive information is excluded from the protection.

Individuals can exercise the right to limit the sale or sharing of their personal information through a prominent link labelled “Limit the sale or sharing of my personal information” on a business’s website. Businesses must comply with the request immediately or within 15 business days.

For offline businesses, alternative methods should be available for customers to exercise this right.

If a business does not handle sensitive personal information, it is important to communicate that clearly to its customers.

#6 Right to non-discrimination/non-retaliation

The right to non-retaliation ensures fair treatment of consumers regardless of their privacy preferences. 

According to this right, businesses cannot deny goods or services, charge a different price, impose penalties, or vary the quality of the product or service.

Businesses can vary the quality or prices if such difference is based on the value provided by the consumer data. They can also offer financial incentives for collecting, storing or selling personal information.

How to exercise your CCPA rights?

Providing convenient consumer request mechanisms is a key component of CCPA compliance for businesses, so half of the equation is already done.

Follow these practical steps to make the most of your consumer rights.

Identify the business & designated mechanism

The initial step is to identify the company where you want to submit a consumer request. If it is available online, go to its website homepage. Look for the privacy policy or a similar section; this is usually where you will find instructions on how to exercise your rights.

In this example from Costco, you can see a dedicated policy labelled “Your privacy rights”.

If it is an opt-out or limit request, look for CCPA links, which are mostly found in the footer of a website, such as the “Do not sell or share my personal information” link in the below example.

Submit a verified request

Once you have identified the designated method, proceed to make the request. This can be done by filling out an online form, calling a toll-free number or sending an email to the specified address. 

Before submitting your request, you would have to verify your identity by answering some questions. Here is an example from Costco.

Monitor response

Businesses typically have 45 days to respond to a consumer request. Keep an eye out for updates on progress or extensions.

Common challenges or misconceptions

What are some common misconceptions that consumers might have about exercising their consumer rights? Let us find out.

Complex processes or confusing terminology

Many consumers might think of exercising their rights as a complex multi-step process. However, businesses have a legal obligation to provide simple ways to submit these requests. 

In case there are doubts, feel free to send an email or reach out to their support.

Delayed response

If businesses are faced with a large volume of requests or if a particular request requires significant time to process, they may extend their response time to as long as 90 days. 

You may follow up on your request or ask for clarification if you were not notified of the delay.

If your request is not completed in a reasonable time, you can file a consumer complaint with the California Attorney General.

Only online companies are covered

The CCPA is not just applicable to online businesses. Therefore, even offline businesses should have proper setups for submitting consumer requests.

You can try contacting them directly via phone or email. Alternatively, feel free to visit the shop in person and ask for the request form.

FAQ on CCPA rights

How many key rights does CCPA grant to California consumers?

The CCPA grants 6 key rights to Californians, namely the right to know, delete, correct, opt-out from the sale or sharing of personal information, limit the use and disclosure of sensitive information, and non-discrimination.

What are the benefits of CCPA to California residents?

The CCPA offers transparency, control and security by expressly requiring businesses to limit data collection and its uses, implement data security measures, honour consumer rights, provide privacy policies and be conscious while choosing data processors.

Who enforces CCPA?

The California Attorney General and the California Privacy Protection Agency (CPPA) are responsible for enforcing the CCPA.

When can I exercise a private right of action?

The private right of action under CCPA is limited and can only be exercised when there is a data breach such as the disclosure or theft of email addresses along with passwords.

Safna

Safna Y Yacoob is a lawyer turned data privacy writer. At CookieYes, she transforms complex privacy regulations into actionable insights for businesses. On off-hours, find her brightening days with one-liners, spinning playlists, or watching feel-good movies.
