The AG Publishes Its FAQs on the CCPA

The attorney general's office has posted a set of FAQs and corresponding responses on its California Consumer Privacy Act (CCPA) site. While aimed at providing guidance to consumers about the CCPA, the FAQs can also serve as a quick reference for businesses regarding their CCPA compliance obligations. Below are the highlights.

• Right to Opt Out of Sale: California residents have the right to request that businesses stop selling their personal information (PI), which is an "opt-out request" that can be submitted via the "Do Not Sell My Personal Information" link that businesses must conspicuously provide on their websites and privacy policies. Businesses cannot require residents to create an account to submit opt-out requests, and if businesses ask for PI to complete these requests, they can only use such information to verify the consumers' identities. Upon receipt of an opt-out request, a business must stop all sales of the consumer's PI and wait 12 months before prompting the consumer to opt back in. Common exceptions to this opt-out right include sales that are necessary to comply with legal obligations and certain exempted medical or credit report information. Opt-out requests should be submitted to the businesses themselves and not their service providers, as service providers are not responsible for responding to such requests. Businesses can only sell PI of a child under the age of 16 if they have received affirmative "opt-in" consent. If the child is under the age of 13, that consent must come from the child's guardian.

• Right to Know: California residents have the right to ask businesses what PI has been collected, used, shared or sold about them in the preceding 12 months, as well as the reasons for doing so. Most businesses must provide two methods for residents to submit such requests. One of those methods must be a toll-free phone number, and if the business has a website, another method must be available on its website. Businesses operating exclusively online are only required to provide an email address for submitting requests. If businesses request additional PI to respond to a request to know, they can only use such information to verify the consumer's identity. Businesses must respond to requests within 45 days but may extend another 45 days if they notify the consumer. Common exceptions to this right include (i) where disclosure would restrict a business's ability to comply with legal obligations, (ii) certain exempted medical or credit report information, and (iii) where businesses have already provided the requested PI to the consumer more than twice in the preceding 12 months.
• Right to Delete: California residents may request that businesses delete PI collected from them unless an exception applies. Examples of exceptions include where businesses need the PI (i) to complete the consumer's transaction, provide a product or service, or for warranty and product recall purposes; (ii) for certain business security practices; and (iii) to comply with legal obligations, exercise legal claims or rights, or defend legal claims. Residents can submit deletion requests to businesses via one of two required designated methods, and businesses cannot require residents to create accounts to submit these requests. Businesses must respond to such requests within 45 days but can extend this deadline another 45 days if they notify the resident. And if businesses ask for PI to complete the request to delete, they can only use such information to verify the resident's identity. Additionally, requests to delete should be submitted to the businesses themselves and not their service providers, as service providers are not responsible for responding to residents' requests. Credit reporting agencies, however, may still disclose credit information and residents may still receive calls from debt collectors even after they have filed a deletion request.
• Right to Non-Discrimination: Businesses cannot discriminate against residents for exercising their rights under the CCPA. But if a resident's PI is necessary for a business to provide its goods or services and the resident refuses to provide the required PI, the business may not be able to complete the transaction. Businesses may also offer promotions, discounts and other deals in exchange for collecting, keeping, or selling residents' PI so long as the financial incentive offered is reasonable related to the value of the resident's PI.
• Required Notices: Businesses must list the categories of PI they collect about California residents and the purposes for which they use this information in a "notice at collection," which must be provided at or before the point at which businesses collect PI. The "notice at collection" may be found, for a website, on its homepage or a webpage where one can place an order or enter their PI, and for an app, in the settings menu. If businesses sell PI, the notice at collection must include a Do Not Sell Link and a link to the businesses' privacy policies. Businesses must also have a privacy policy that describes their online and offline practices for the collection, use, sharing, and sale of consumers' PI. It must include information regarding the four above-mentioned privacy rights and how consumers can exercise them.
• Limited Private Right of Action: Consumers "cannot sue businesses for most CCPA violations." They can "only sue a business under the CCPA if there is a data breach, and even then, only under limited circumstances." The limited circumstances would be where the consumer's nonencrypted and nonredacted PI (first and last name plus Social Security Number, government issued ID, credit card number or other financial account number combined with required access code or password, medical or health insurance information, or fingerprint or other biometric data) was stolen in a data breach as a result of a business's failure to maintain reasonable security procedures and practices to protect it. And before filing suit, California residents must give written notice to the business of the CCPA violation and allow 30 days for the business to cure. If the business provides written confirmation that it cured the violation, the California resident cannot sue for statutory damages. "For all other violations of the CCPA, only the Attorney General can file an action against businesses."
• Data Brokers: Data brokers are subject to the CCPA and are defined as businesses that knowingly collect and sell the PI of a consumer with whom the business does not have a direct relationship to third parties. Businesses like consumer reporting agencies and insurance companies are exempted from this definition. Data brokers are required to register with the Attorney General on the Registry. Consumers will not be able to stop data brokers from selling their PI that was lawfully obtained from government records.