The US notoriously lacks comprehensive federal privacy legislation. In this context, the CCPA is a step forward and makes California a forerunner of digital privacy in the US landscape. Unsurprisingly, other States have been using the CCPA as the blueprint for their own legislation.
But what are the privacy rights of consumers under the CCPA and how can individuals exercise them? Let’s find out!
- What are your rights under the CCPA?
  - The right to know
  - The right to delete or correct
  - The right to opt-out
  - The right to limit the use and disclosure of sensitive information
- How do I exercise my rights under the CCPA?
- How do these rights compare to the GDPR?
- Conclusions
What are your rights under the CCPA?
The CCPA lists several consumer rights:
- the right to know what personal information a business uses and how
- the right to have personal information deleted
- the right to opt out of the sale and sharing of personal information
- the right of non-discrimination for exercising rights under the CCPA
- the right to correct inaccurate information
- the right to limit the use and disclosure of sensitive information
The first four rights were always part of the CCPA. The rights to correct information, and limit the use and disclosure of sensitive information, were added in 2020 when the CCPA was amended by the CPRA.
The right to know
Under the CCPA, you have a right to request information about the use of your data. You can ask a business:
- what categories of personal information were collected and used, and for what purpose
- from which sources the information was collected
- what information was shared, and with whom
You can also request the specific pieces of personal information that were collected about you.
The consumer’s right to know should not be confused with the businesses’ duty to provide a notice at collection. While both ultimately aim at enhancing transparency and user control, notices at collection must be provided regardless of any request to do so.
If a business sells or shares personal information, then its notice at collection must include a “Do Not Sell Or Share” link (more on this below).
The right to delete or correct
Consumers have a right to request the erasure or correction of their personal information. There are some exceptions to the rule such as publicly available information, credit reporting information, and information needed to exercise legal claims.
Businesses need to comply within 90 days at most (that is, a 45-day deadline plus a 45-day extension upon notice to the consumer).
The right to opt-out
Under the CCPA, consumers have a right to opt-out from the selling and sharing of personal information.
Websites that sell or share personal information must provide the option to opt-out through a visible link on their website.
Consumers can also request not to be tracked through Global Privacy Control (GPC). GPC is a mechanism offered by some browsers that automatically forwards a request not to sell or share data to every website the user visits. Under the CCPA, businesses must honor requests made through Global Privacy Control.
There used to be some uncertainty around the meaning of “sale” under the CCPA. So, the law was later amended to refer to the selling and sharing of personal information, and to explicitly refer to the sharing of data with third parties such as Google and Meta for the purpose of web marketing and retargeting. So there is no doubt that these activities fall under the rules on opting out!
The right to limit the use and disclosure of sensitive information
The CCPA lists certain categories of data as sensitive information, including identifiers such as social security numbers, precise geolocation data, emails and text messages, health data, genetic data, data on sexual life/sexual orientation, and so on. Consumers have a right to limit the use and disclosure of such information.
In practice, this right is similar to the right to opt-out from the sharing of personal information. Websites and services that collect sensitive information must make the option visible and available on their website. After receiving a limitation request, businesses can only process sensitive data in a way that is strictly necessary to provide the goods and services requested.
How do I exercise my rights under the CCPA?
Businesses covered by the CCPA must allow consumers to exercise their rights to know, delete, and correct through at least two methods, such as e-mail, postal mail, or a toll-free phone line. Businesses have 45 days to comply with a request; they can extend the deadline by 45 extra days, provided that they notify the consumer of the extension.
As for the right to opt-out, consumers can exercise it through a Do Not Sell Or Share link on websites, and through Global Privacy Control.
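The two opt-out channels described above (the Do Not Sell Or Share link and the Global Privacy Control signal) have to converge somewhere in a site's code. The following is an added example, not Simple Analytics' code and not taken from the CCPA text, showing how a server-side handler can honor both. It relies on one fact outside this post: a GPC-enabled browser sends the request header `Sec-GPC: 1`, which is how the GPC specification transmits the signal. The consent record shape, the tag list and the sample requests are constructed assumptions for the example.

```javascript
// Added example: honoring CCPA opt-out signals on the server side.
// A GPC-enabled browser sends the request header "Sec-GPC: 1" (GPC spec);
// a business that sells or shares personal information must treat it as a
// Do Not Sell Or Share request. The consent record and tag list below are
// constructed for this example and are not any library's real API.

// Case-insensitive header lookup: Node lowercases header names, other stacks
// may not, and some return arrays for repeated headers.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value[0] : value;
    }
  }
  return undefined;
}

// The GPC signal is present only when the header value is exactly "1".
// Any other value, or no header at all, means "no GPC opt-out received".
function gpcSignalPresent(headers) {
  const raw = getHeader(headers, "Sec-GPC");
  return typeof raw === "string" && raw.trim() === "1";
}

// Resolve the effective sell/share decision for one request.
// `storedConsent` is a hypothetical record of what the consumer chose through
// the site's own Do Not Sell Or Share link ({ optedOut: true } or null).
// The GPC signal is checked first: it is a valid opt-out request on its own,
// so it is honored even when no link-based opt-out is on file.
function resolveSellOrShare(headers, storedConsent) {
  if (gpcSignalPresent(headers)) {
    return { sellOrShare: false, source: "gpc" };
  }
  if (storedConsent && storedConsent.optedOut === true) {
    return { sellOrShare: false, source: "link" };
  }
  return { sellOrShare: true, source: "default" };
}

// Apply the decision: third-party tags that share personal information
// (retargeting pixels, ad platforms) are suppressed after an opt-out, while
// tags that do not share personal information are unaffected.
function filterThirdPartyTags(tags, decision) {
  return tags.filter((tag) => decision.sellOrShare || !tag.sharesPersonalInfo);
}

// --- Constructed sample data ---------------------------------------------
const TAGS = [
  { name: "first-party-analytics", sharesPersonalInfo: false },
  { name: "retargeting-pixel", sharesPersonalInfo: true },
];

// Constructed request headers: one browser sending GPC, one not.
const GPC_HEADERS = { "sec-gpc": "1", "user-agent": "ExampleBrowser/1.0" };
const PLAIN_HEADERS = { "user-agent": "ExampleBrowser/1.0" };

// Walk through the three outcomes: GPC opt-out, link opt-out, no opt-out.
for (const [label, headers, consent] of [
  ["GPC signal, no stored consent", GPC_HEADERS, null],
  ["no signal, opted out via link", PLAIN_HEADERS, { optedOut: true }],
  ["no signal, no stored consent", PLAIN_HEADERS, null],
]) {
  const decision = resolveSellOrShare(headers, consent);
  const allowed = filterThirdPartyTags(TAGS, decision).map((t) => t.name);
  console.log(`${label}: source=${decision.source} tags=${allowed.join(",")}`);
}
```

The ordering in `resolveSellOrShare` is the security-relevant part: the browser signal is evaluated before any stored preference, so a consumer who turned on GPC is opted out on their very first request, before they have had any chance to find the site's link. When logging these decisions, record the `source` field as well; it is the evidence that a request received through GPC was actually honored.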
How do these rights compare to the GDPR?
Some rights under the CCPA have a clear parallel in the GDPR: the right to know, the right to erasure, and the right to have information corrected, all function in a similar way.
On the other hand, there is no GDPR counterpart to the right to opt out from the selling and sharing of personal information, nor is there a counterpart to the right to limit the use of sensitive data. This does not mean the GDPR is more permissive in this regard: quite the opposite.
The GDPR opts for a stricter and more prescriptive approach by laying out stringent requirements for processing personal data. Opt-out rights play a relatively minor role in the Regulation because there are strict requirements for processing personal data in the first place. For instance, the principle of lawfulness (which we touched upon in this blog) plays a crucial role in the GDPR and finds no parallel under the CCPA.
On the other hand, the CCPA seeks to empower consumers by giving them a right to decide on the use of their personal information. So, companies enjoy quite a bit of freedom under the CCPA as long as the consumer does not opt out.
There are pros and cons to each approach. CCPA compliance is definitely less burdensome than GDPR compliance. At the same time, placing the burden of privacy on the consumer can be risky. Just imagine visiting 50 websites a day and having to individually opt out of the selling of your data for each and every one of them! Global Privacy Control is supposed to help with this but the system has not been widely implemented yet. There is also no GPC counterpart for limiting the use of sensitive data.
The GDPR takes the opposite approach and shifts the burden of privacy from the public to organizations. The idea behind the GDPR is that people should not need to manually opt out from the privacy-invasive practices of the countless services they use. This is why the Regulation has a lot of strict and detailed rules on what companies can and cannot do with personal data.
In a world where everyone uses a hundred different data-hungry services, and no one really reads privacy notices or fine-tunes privacy settings, individual control over data is often little more than a farce. So, placing the burden of privacy on organizations and holding them to high standards is probably a more effective approach than leaving it up to the individual. On the other hand, this prescriptive approach results in very technical and complex rules that are sometimes difficult for companies (especially smaller ones) to understand and comply with.
It is also interesting to compare the notion of sensitive data between the laws. Sensitive information under the CCPA includes data such as government identifiers, which could be used for identity theft. The CCPA also considers precise geolocation data to be sensitive data, which is a good idea and something EU law could take a hint from.
At the same time, the GDPR is much more restrictive in limiting the use of sensitive data. Again, the CCPA takes a consumer-focused, opt-out approach whereas the GDPR takes a prescriptive route.
We might be biased but we believe that the GDPR is a clear winner for sensitive data: a right to opt-out is simply not good enough here.
Conclusions
At the end of the day, privacy matters no matter where you are. We believe that companies should preserve the privacy of their customers and visitors whether the law requires them to do so or not.
We built Simple Analytics to help our customers all over the world grow their audience in an ethical, privacy-friendly way.
Simple Analytics gives you all the insights you need without using cookies, trackers, or fingerprinting users. We do not track your visitors and do not collect a single bit of personal data!
If this sounds good to you, feel free to give us a try!