Consumer Rights and an Organization’s Responsibilities Under the CCPA

As we’ve previously blogged about, the California Consumer Privacy Act (“CCPA”) is an exhaustive piece of legislation requiring organizations to heed and defend consumer rights relating to access to, sharing of, and deletion of personal information that is collected by businesses. In particular, the CCPA requires organizations to notify California consumers of the rights newly afforded to them under the CCPA. These rights are summarized in the graphic below.

Summary of Consumer Rights and Organization’s Related Responsibilities:

In addition to notifying California residents of their consumer rights, organizations need to provide at least two methods, including a toll-free phone number, for consumers to submit requests to exercise their rights. If the organization maintains a website, one of those methods needs to be a website address. If an organization operates exclusively online and has a direct relationship with the consumer, it does not need to provide a toll-free number and only needs to provide an email address as a designated method for submitting requests.

Response Requirements When Consumer Exercises a CCPA Right

Once an organization obligated to comply with the CCPA receives a California consumer request to exercise a CCPA right, it must disclose and deliver the information free of charge within 45 days of receiving a verifiable request from the consumer. If reasonably necessary, the organization may extend its response period once by an additional 45 days, provided the consumer is given notice of the extension within the first 45-day period.

The disclosure needs to cover the 12 months prior to the organization’s receipt of the verifiable request and needs to be provided in writing. If the consumer has an account with the organization, the disclosure should be delivered through the consumer’s account, by mail or electronically at the consumer’s option. If the consumer does not maintain an account with the organization, the disclosure should be delivered in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. Organizations cannot require the consumer to create an account in order to make a verifiable request.

The CCPA only applies to requests made by California residents, who are limited to exercising their “Right to Know” twice in a 12-month period. Still, other states are beginning to follow suit, so organizations should consider whether voluntarily extending the consumer rights afforded to California residents to all consumers makes good business sense.