
CCPA: Managing Consumer Rights - CPRA regulations now enforceable


Those organizations rushing before 1 July 2023 to put compliance measures in place in time for the original enforcement date of the California Privacy Rights Act regulations (CPRA regulations) will have taken comfort in the last-minute decision by Sacramento County Superior Court last June to push enforcement back to 29 March 2024. However, the decision last week by the California Third District Court of Appeals means that the California Privacy Protection Agency (CPPA) can immediately begin to enforce the CPRA regulations, which include detailed rules on consumer privacy rights request handling, opt-out mechanisms for sale/sharing of data and the mandatory recognition of opt-out signals. From now on, we can expect to see a step up in enforcement activity and an increase in sanctions. And as recently signaled by the Attorney General’s planned investigative sweep of adherence by streaming platforms to the opt-out requirements for businesses that sell or share consumer personal information, we can safely assume that observance of consumer rights will be high on the list of enforcement priorities. Here we recap on the range of consumer rights available under the CCPA (considering amendments by the CPRA and the requirements of the CPRA regulations) and look at the practical steps businesses need to take to ensure compliant handling of consumer rights requests.

I. CCPA CONSUMER RIGHTS

The CCPA (as amended by the CPRA) provides California residents with six main privacy rights:

Privacy Right: Description

Delete: Consumers may request that a business deletes the personal information that it has collected (or had a third party collect) about them. Exceptions to the requirement to delete data do apply, for example if the business is legally required to retain information or to perform the contract with the consumer.

Correct: An individual may request that a business corrects any inaccurate information that it maintains about the consumer and the business must use commercially reasonable efforts to make such corrections.

Know and Access: A consumer may ask a business twice in any 12-month period to disclose:
  • the categories of personal information it has collected about the individual
  • the specific personal information it has collected about them
  • the categories of sources from which the data is obtained
  • the purposes for which the business uses the information
  • the categories of third parties to whom the business discloses the data
  • the categories of information that the business sells, shares or discloses to third parties.

Opt-out of data sale/sharing: An individual may request that a business stops selling or sharing (for cross-context behavioral advertising) their personal information. Upon receipt of such request a business is prohibited from further selling/sharing the data unless the individual later consents to it.

Limit disclosure of sensitive data: Consumers can direct businesses to only use their sensitive personal information (e.g. genetic data, precise geolocation, social security number, financial information) for limited purposes, such as providing the individual with the services they have requested or for specific enumerated business purposes.

Equal Treatment: Businesses cannot discriminate against consumers for exercising their CCPA rights.

The CCPA provides these rights to residents of California. A California resident is a person who resides in California, even if the person is outside of the state for a temporary or transitory reason. Eligibility does not, therefore, depend on the geolocation of an individual. A business handling a request may require the consumer to provide evidence that they are a resident of California if necessary.

II. GENERAL STEPS OF MANAGING CCPA RIGHTS REQUESTS

When managing consumer privacy rights requests under the CCPA there are steps that are common to all rights, such as receipt of requests and identification of the requester (General Steps) and there are activities that are unique to certain individual rights (Specific Steps). In this article we look at the General Steps required when managing CCPA requests.

(A) Intake of requests

Businesses have a duty to inform consumers about their rights in their privacy policy with instructions to consumers on how to submit requests. Businesses must also offer specific methods to individuals for making privacy rights requests depending on the type of right being exercised.

Rights to delete, correct and know/access

Businesses are required to provide a specific number of “designated methods for submitting requests” (mailing address, email address, internet web page, internet web portal, toll-free telephone number, and any new consumer-friendly means of contacting a business as approved by the AG) as follows:

  • If a business operates exclusively online and has a direct relationship with a consumer, it shall only be required to provide an email address for receipt of requests;
  • If a business does not operate exclusively online, it is required to provide two or more designated methods provided that:
    • every business must offer a toll free telephone number;
    • if a business has a website, one of those methods has to be via that website, e.g. a webform;
    • if the consumer has an account with the business, the business may require the consumer to use that account to submit a request.

Neither the Attorney General nor the CCPA says what “operate exclusively online” or “having a direct relationship with a consumer” means, but it can be assumed that this means:

  • the business does not have any physical customer premises but instead offers its services via a website; AND
  • the business provides its goods or services directly to the customer instead of via or on behalf of third parties.

Rights to opt-out of sale/sharing and limit disclosure of sensitive information

A business that (i) sells/shares personal information or (ii) uses/discloses sensitive personal information is also required to provide two or more designated methods of submitting requests to opt out of sale/sharing and limit the use or disclosure of such information. At least one method offered shall reflect the way the business primarily interacts with the consumer. The opt-out mechanism must be easy for consumers to use and require minimal steps (further detail is provided in the CCPA regulations).

In most instances, a business must provide a clear and conspicuous link on its website that reads “Do Not Sell or Share My Personal Information” and/or “Limit the Use of My Sensitive Personal Information” (as applicable) via which individuals can exercise their right(s). Clicking this link shall either have the immediate desired effect for the consumer or lead them to a webpage where they can learn about the sale/sharing or use/disclosure of their data and make that choice. To simplify this, businesses may provide consumers with an “Alternative Opt-Out Link”. This acts as a single, clearly labelled link that allows individuals to easily exercise both their right to opt-out of sale/sharing and their right to limit use/disclosure of their data through one mechanism. Businesses opting to use the Alternative Opt-Out Link are required to title the link “Your Privacy Choices” or “Your California Privacy Choices” and shall include the following opt-out icon adjacent to the title:

[Image: opt-out icon]

Businesses must also honour opt-out preference signals (“OOPS”), such as the Global Privacy Control, that meet certain requirements as a valid request to opt-out of sale/sharing.

(B) Identification

As with any attempt to exercise privacy rights, it is important that the business receiving a request can confirm the identity of the requester to avoid unlawful processing of the data concerned, for example by providing one individual with the personal data of another.

For the rights to know, delete or correct personal information a business must receive a “verifiable consumer request”. Businesses are required to use commercially reasonable methods to verify that the individual is the consumer about whom the business has collected personal information. Requests to opt-out of sale/sharing of data, as well as requests to limit the use/disclosure of sensitive personal information, do not require receipt of a verifiable consumer request.

When a consumer uses an authorized agent to submit a request, a business may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request.

(C) Response Times

The CCPA specifies the time in which businesses must respond to a consumer request, with these timeframes also differing depending on the type of right.

For the rights to delete, correct or know/access information a business must:

  • confirm receipt of the request and provide information about how the business will process the request within 10 business days; and
  • provide a final response within 45 days of receipt of the request (although the business may be able to extend this by a further 45 days to a total of 90 days).

By contrast, for requests to opt-out of sale/sharing of data and requests to limit use/disclosure of sensitive personal information businesses have a maximum of 15 business days to comply.

(D) Notifying Service Providers, Contractors and Third Parties

Businesses that receive requests to delete or correct personal information and/or requests to opt-out of the sale/sharing of information or to limit the use/disclosure of sensitive personal information must notify the relevant service providers, contractors and all third parties to whom the information has been sold, shared or disclosed.

(E) Exemptions

There are several general exemptions that a business may be able to rely upon for not having to comply with a consumer request. One example is where the obligations imposed by the CCPA would otherwise restrict the business’s ability to comply with federal, state or local laws, civil, criminal or regulatory enquiries, investigations etc. or to cooperate with law enforcement and government agencies or exercise or defend legal claims. There are also sector-specific exemptions such as in respect of medical information. There is no duty on a business to disclose trade secrets, and consumer rights do apply to household data. Where requests are manifestly unfounded or excessive (e.g. repetitive requests) a business may (i) charge a reasonable fee for handling the request (reflective of its costs in doing so) or (ii) refuse to act on the request and notify the consumer of the reason. The burden of demonstrating that a request is manifestly unfounded or excessive rests with the business wishing to rely on the exemption.

Conclusion

The heightened significance of these changes stems from the growing awareness among consumers of privacy related issues and their rights in respect of the use of their data. As awareness increases, the frequency of requests faced by companies continues to escalate. Beyond sheer volume, the intricacies of handling requests simultaneously across multiple jurisdictions and the need to customize processes for each regulatory framework pose challenges for companies, often demanding significant resource investment. With the threat of regulatory investigation and enforcement looming, now is the time for organizations to ensure they have the correct policies, procedures, and tools in place to meet the rigorous requirements of the CCPA.
