Personal Information—CCPA Right to Know, Delete and Do Not Sell Requests
To Which Consumers Does the CCPA Apply?
Any resident of California is in scope for CCPA’s privacy protections. While businesses can choose to deny these rights to people living in other places, once they implement a privacy compliance program, many businesses choose to offer the same privacy rights to all consumers globally.
This is a choice that is not only consumer friendly and “privacy forward,” but it also acknowledges the global trend of increasing privacy legislation. For a list of domestic privacy bills, see our legislation tracker.
What Counts as Personal Information Under CCPA?
Any information that can be linked to a given person or household meets the definition of “personal information” under CCPA. This includes contact information such as a consumer’s name, mailing address and email address, even if this information is revealed in public records such as those collected by records aggregators like spokeo.com, truthfinder.com and beenverified.com (hint: to remove personal data from these sites, try Brand Yourself).
Besides these basics, personal information includes data such as a consumer’s online surfing and shopping history (if linkable to an identifiable person rather than being stored anonymously), and it also includes geolocation history, images of consumers, email contents, and other identifying information such as a driver’s license or bank account number. Particularly vexing for businesses because it shows up frequently in log files, an IP address is also personal information under CCPA.
Lastly, any interest categories such as “pet lover” or “travel enthusiast” that a consumer might be placed in based on, for example, online activity are also associated with the consumer or household and are therefore personal information.
Most importantly, you must explain the following four basic rights that CCPA provides for consumers as well as how to access them:
1. The right to know about the personal information your business collects, discloses and sells
2. The right of consumers to ask your business to delete their personal information
If a consumer makes a delete request, you should delete all the personal information that you would have furnished to the consumer if she or he made a right to know request. Note there are important exemptions that apply, enabling businesses to keep a considerable amount of information after receiving a delete request. For more information, see “Responding to delete requests.”
3. The right to opt out of sales of personal information
Explain a consumer’s right to request that you do not sell their personal information, if you do so. If a consumer opts out, stop transferring data in any manner that would be considered a sale, and do not ask a consumer to opt back in for at least 12 months. The Ann Taylor website uses a banner that pops up when a user hovers over the legal text in its homepage footer. The banner does a good job of explaining a consumer’s Do Not Sell right in the context of a business that does not “sell” information in the traditional sense:
We do not exchange your personal information in exchange for monetary consideration. We may allow certain third parties (such as online advertising services) to collect your personal information via automated technologies on our Sites in exchange for non-monetary consideration.
4. The right to non-discriminatory treatment
Explain to consumers that if they exercise their privacy rights, your business will not treat them any differently, e.g., by charging higher prices or denying them access to certain features. The CCPA does provide some exceptions to the non-discrimination rule that allow loyalty programs. For more information, see “Privacy Rights Discrimination and Loyalty Programs.”