Small businesses will have to address eight specific consumer rights.
Editor’s note: this is part one of a two part article.
The California Consumer Privacy Act (CCPA) is not a copycat of the EU’s General Data Protection Regulation (GDPR); instead, it adds another layer of personal information (PI) definitions and requirements with which enterprises that employ or deal with California residents must comply.
Small businesses will have to address eight specific consumer rights, observe restrictions on data monetization models, and update their privacy notices to describe their data handling practices. The law goes into effect January 1, 2020, and the penalties for non-compliance, assessed per violation, can add up to a material sum. Note that the CCPA applies to a business only if it meets one of the act’s thresholds: annual gross revenues above $25 million; annually buying, receiving, selling or sharing the PI of 50,000 or more consumers, households or devices; or deriving 50 percent or more of its annual revenue from selling consumers’ PI. Any business that does, or may, meet one of those thresholds should begin cataloging an inventory of all PI it holds on California residents now, so that the requests described below can be answered when the act takes effect.
The rationale for GDPR was data subject rights in terms of consent, rights of objection and erasure, cross-border transfer, and data breach notification. The California legislature took a very different tack on consumer privacy and emphasized PI disclosure rights, the right to opt out of the sale of data, deletion rights, and protection against discrimination for exercising those rights.
PI Definition and The Eight Consumer Rights
The CCPA expands the definition of PI beyond GDPR and other current U.S. privacy laws. It defines PI as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Furthermore, it enumerates categories of PI: personal identifiers (including IP addresses); commercial information such as records of personal property, products or services purchased, obtained or considered, and other purchasing or consuming histories or tendencies; Internet or other electronic network activity information; professional or employment-related information; and inferences drawn from any of the above to create a consumer profile.
Using those criteria, the CCPA provides California residents/consumers eight exercisable PI rights when dealing with businesses holding their PI.
These eight rights are as follows:
1. Abbreviated Disclosure Right Applicable to Businesses that Collect PI.
This gives the consumer the right to request that a business disclose the categories and specific pieces of PI it has collected about them.
2. Expanded Disclosure Right Applicable to Businesses that Collect PI.
In addition to the above, consumers can also ask for the categories of sources from which the PI was collected, the business or commercial purpose for collecting it, and the categories of third parties with whom it was shared. Furthermore, a business that collects PI must inform consumers, at or before the point of collection, of the categories of PI it collects and the purposes for which they will be used.
3. Right to Request Information from Businesses that Sell or Disclose PI for Business Purposes.
Consumers have the right to request that a business disclose, for the preceding 12 months, the categories of PI it collected and sold, the categories of third parties to whom each category was sold, and the categories of PI disclosed for a business purpose.
4. Right to Opt-Out of the Sale of Data.
Consumers may, at any time, direct a business that sells their PI to third parties not to sell it, and the business must honor that direction.
5. Right to Opt-In for Children: Business Obligation Not to Sell Children’s PI without Affirmative Authorization.
Whereas adults have the right to opt out, a business may not sell the PI of a consumer it knows to be under 16 unless it has affirmative authorization: from the consumer, if aged 13 to 16, or from the consumer’s parent or guardian, if under 13.
6. Deletion Rights.
Consumers have the right to request that a business delete the PI it has collected from them, once the request has been verified. The act carves out exceptions, for example PI needed to complete the transaction for which it was collected, to detect security incidents, or to comply with a legal obligation, so a deletion workflow must record which exception, if any, was applied.
7. Rights to Access and Portability.
This gives the consumer the right to obtain the specific pieces of PI a business holds about them after submitting a verifiable access request. Where the business delivers that PI electronically, it must be in a portable and readily usable format that lets the consumer transmit it to another entity without hindrance.
8. Not to be Discriminated Against for Exercising Any of the Consumer’s Rights.
Examples of prohibited discrimination include denying goods or services to the consumer, charging different prices or rates, providing a different level or quality of goods or services, or suggesting that any of the above might occur.
In part two we’ll cover the eight corresponding business obligations. In order to satisfy the above consumer rights, small businesses have a set of corresponding obligations.