Personal Information—CCPA Right to Know, Delete and Do Not Sell Requests

To Which Consumers Does the CCPA Apply?

Any resident of California is in scope for CCPA’s privacy protections. While businesses can choose to deny these rights to people living in other places, once they implement a privacy compliance program, many businesses choose to offer the same privacy rights to all consumers globally. 

This choice is not only consumer friendly and “privacy forward”; it also acknowledges the global trend of increasing privacy legislation. For a list of domestic privacy bills, see our legislation tracker.

What Counts as Personal Information Under CCPA?

Any information that can be linked to a given person or household meets the definition of “personal information” under CCPA. This includes contact information such as a consumer’s name, mailing address and email address, even if this information is revealed in public records such as those collected by records aggregators like spokeo.com, truthfinder.com and beenverified.com (hint: to remove personal data from these sites, try Brand Yourself).

Besides these basics, personal information includes data such as a consumer’s online surfing and shopping history (if linkable to an identifiable person rather than being stored anonymously), and it also includes geolocation history, images of consumers, email contents, and other identifying information such as a driver’s license or bank account number. An IP address is also personal information under CCPA, which is particularly vexing for businesses because it shows up frequently in log files.

Lastly, any interest categories such as “pet lover” or “travel enthusiast” that a consumer might be placed in based on, e.g., online activity, are also associated with the consumer or household and are therefore personal information.

CCPA Privacy Policy Requirements—Explain the Core Rights

Your policy should notify consumers about the information you collect and why you collect it. Of course that requirement is not specific to CCPA, but there are some details you need to include that your existing privacy policy might not cover. 

What to Include in Privacy Policy

Most importantly, you must explain the following four basic rights that CCPA provides for consumers as well as how to access them:

1. The right to know about the personal information your business collects, discloses and sells

Include in your privacy policy the categories of information your business has collected, disclosed and/or sold within the last 12 months, and the categories of third parties to which it has sold or disclosed the information. By way of example, the J.Crew privacy policy does an excellent job of this. Your privacy policy should also explain a consumer’s right to obtain a copy of the personal information your business has collected about them. 

2. The right of consumers to ask your business to delete their personal information

If a consumer makes a delete request, you should delete all the personal information that you would have furnished to the consumer if she or he made a right to know request. Note there are important exemptions that apply, enabling businesses to keep a considerable amount of information after receiving a delete request. For more information, see “Responding to delete requests.”

3. The right to opt out of sales of personal information

If your business sells personal information, explain a consumer’s right to request that you do not sell theirs. If a consumer opts out, stop transferring data in any manner that would be considered a sale, and do not ask a consumer to opt back in for at least 12 months. The Ann Taylor website uses a banner that pops up when a user hovers over the legal text in its homepage footer. The banner does a good job of explaining a consumer’s Do Not Sell right in the context of a business that does not “sell” information in the traditional sense:

Our website uses cookies to personalize your experience. Under certain state laws, collection of data through third-party cookies for targeted advertising and similar purposes may be considered a “sale.” If you wish to opt out of such a “sale” of your personal information, please click Manage Preferences. You may also use this tool to learn more about our use of cookies and set your preferences. 

The Harbor Freight privacy policy put it this way:

We do not exchange your personal information in exchange for monetary consideration. We may allow certain third parties (such as online advertising services) to collect your personal information via automated technologies on our Sites in exchange for non-monetary consideration.

4. The right to non-discriminatory treatment

Explain to consumers that if they exercise their privacy rights, your business will not treat them any differently, e.g., by charging higher prices or denying them access to certain features. The CCPA does provide some exceptions to the non-discrimination rule that allow loyalty programs. For more information, see “Privacy Rights Discrimination and Loyalty Programs.”

Note that all of your CCPA disclosures should be disability accessible (as should all of the online services you offer, according to the Americans with Disabilities Act). If you need help assessing whether or not your privacy policy is accessible, firms like Essential Accessibility can assist you with an audit.
