Under the California Consumer Privacy Act (CCPA), California consumers may exercise certain rights in relation to their personal information, and companies have strict deadlines for responding to such consumer requests. These rights and your obligations to respond were substantially expanded on January 1, 2023, when a major amendment to the CCPA went into effect. This summary, prepared by the Fisher Phillips Consumer Privacy Team, provides a helpful review of existing and upcoming obligations you should know about.
Prior Rule of Law
Prior to 2023, the CCPA did not provide coverage for employees, job applicants, independent contractors, and individuals in a business-to-business context. Until the end of 2022, California residents who were not included in these exemptions were able to exercise certain consumer rights, including the right to request that you tell them what data was collected about them in the last 12 months, the right to request deletion of your data (subject to certain exceptions), and the right to opt out of selling your data, among other rights.
Current Legal Obligations
As of January 1, 2023, all of your “consumers” from whom you have collected personal information since January 1, 2022 have the following rights:
1. Right to know. Consumers may request, up to two times in a 12-month period, the following:
- the categories of personal information collected about them since January 1, 2022, unless doing so is impossible or involves disproportionate effort, or unless the consumer requests a specific time period;
- the categories of sources from which the personal information was collected;
- the business or commercial purpose for collecting, selling or sharing this information;
- the categories of third parties with which the company shares or has shared this personal information since January 1, 2022;
- the categories of personal information sold or shared for cross-context behavioral advertising purposes, and the categories of third parties to whom the personal information was sold or shared; and
- the categories of personal information that has been disclosed for a business purpose and the categories of persons to whom it has been disclosed for a business purpose.
2. Right of Access.
The right to request, up to twice in a 12-month period, free of charge, the specific personal data collected about them since January 1, 2022, unless doing so is impossible or involves disproportionate effort, or unless the consumer requests a specific time period.
3. Right to Delete.
The right to request, up to twice in a 12-month period, the deletion of personal information collected from the consumer, subject to certain exceptions.
4. Right of Rectification.
The right to request correction of inaccurate personal information (to the extent such inaccuracy exists) held about them.
5. Right to Opt Out.
The right to opt out of selling or sharing your personal information with third parties. Sharing is defined in the CCPA as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by company to a third party for cross-contextual behavioral advertising, whether for money or other valuable consideration, including transactions between a company and a third party for cross-contextual behavioral advertising for the benefit of a company where no money is exchanged” .
6. Right of Limitation.
The right to request that the business limit the use or disclosure of sensitive personal information for certain purposes outside of the eight purposes for which a business may use or disclose such information without having to provide consumers with this right.
7. Right to Authorize an Agent.
The right to designate an authorized agent to file one of the above requests on behalf of the consumer.
8. Right to Non-Discrimination.
The right to be free from discrimination and retaliation for exercising any of the above rights, including the right of an employee, applicant, and independent contractor not to be subject to retaliation for exercising the above rights, including receiving a level, quantity, quality, or the price of goods or services as a result of exercising any of these rights, unless a compliant Financial Incentive Notice is provided and followed.
Deadlines for responding to consumer requests
Once a business receives a request from a California consumer exercising one of the above rights, it has a limited amount of time to respond to the consumer’s request.
Information request, Access request, Correction request, Deletion request
A business has 10 business days to confirm receipt of a consumer’s request and provide information about how it will process the request, including the business’s verification process and when the consumer should expect a response. You must respond to a consumer’s request no later than 45 calendar days after receiving the request.
However, if necessary, you may extend your response time for an additional 45 days, up to a maximum total of 90 calendar days from the receipt of the consumer’s request. You must notify the consumer and provide an explanation of why it will take longer than 45 days to respond to the request.
Request to Opt Out or Request to Limit the Use or Disclosure of Sensitive Personal Information
A business must respond to a consumer’s request as soon as possible, but no later than 15 business days from the date it receives a request to opt out or a request to limit use or disclosure.