California Consumer Privacy Act
Commonly Asked Questions:
(Disclaimer: The following information is not meant to be a substitute for the language in the CCPA itself and is not provided as legal advice regarding interpretation of the law. It is meant only to act as a general guide to some of the provisions of the CCPA. Please refer specifically to the language of the law found here to answer your questions definitively or consult your personal attorney.)
“I’m a resident of California. Does this law give me rights over the commercial use of my personal data?”
Yes. If you are a resident of the state of California, the CCPA gives you certain rights to view and control personal information a business collects about you.
“What is meant by ‘business or commercial purposes’?”
Commercial and business purposes are specifically defined in the CCPA and, in general, commercial purposes covers the collection and use of your personal information by companies for financial gain. . A clear-cut example of commercial purposes would be when a business collects or possesses your personal data and then uses it to contact you to sell a product or service, but there are several exceptions. For example, “commercial purposes do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.”
“If a business is using my personal data what rights do I have?”
“How do I go about exercising those rights?”
Every business utilizing your personal data for must be responsive to your requests by offering, at a minimum, a toll-free number and an interactive webform making it easy for you to exercise your rights. To protect the security of your personal information, a business will verify your identity before fulfilling any of the above requests Once a business has received your request and confirmed your identity, it has up to 45 days to respond to that request. If necessary, businesses may take up to an additional 45 days to respond to your request so long as the business provides the consumer with notice and an explanation of the extension.
“Do I have the right to sue a company over their use of my data?”
The CCPA provides a private right of action for any consumer whose nonencrypted personal information is subject to an unauthorized access, exfiltration, theft or disclosure as a result of a business’s failure to implement and maintain reasonable security procedures and practices. There is no private right of action for a businesses’ failure to comply with a request to review or delete data. See 1798.150(c). However, prior to initiating any action, you must first give the business 30 days’ written notice identifying the specific CCPA provisions that have been or are being violated. No action may be initiated if the business cures the noticed violation within 30 days of receiving notice and gives the consumer an express written statement confirming that the violations have been cured and that no further violation will occur.