What rights does a Californian resident have?
If you are a California resident, you may ask businesses to disclose what personal information they have about you and what they do with that information, to delete your personal information, and not to sell your personal information. You also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information. Generally, businesses cannot discriminate against you for exercising your rights under the CCPA. Businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable.
What businesses does the CCPA apply to?
The CCPA applies to for-profit businesses that do business in California and meet any of the following:
- Have a gross annual revenue of over $25 million;
- Derive 50% or more of their annual revenue from selling California residents’ personal information; or
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices.
This also means that every website which sets publisher cookies, collects IP-addresses, and/or analyzes website behavior of more than 50.000 individuals, households, or devices per year, and shares this information with a third party, should comply.
What is the right to know?
You may request that businesses disclose to you what personal information they have collected, used, shared, or sold about you and why they collected, used, shared, or sold that information. Specifically, you may request that businesses disclose:
- The categories of personal information collected
- Specific pieces of personal information collected
- The categories of sources from which the business collected personal information
- The purposes for which the business uses personal information
- The categories of third parties with whom the business shares the personal information
- The categories of information that the business sells or discloses to third parties
Businesses must provide you with this information for the 12-month period preceding your request. They must provide this information to you free of charge.
How to submit the request to know?
Businesses must designate at least two methods to submit your request—for example, an email address, website form, or hard copy form. One of those methods has to be a toll-free phone number and, if the business has a website, one of those methods has to be through its website. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests to know.
What is the right to opt-out?
You may request that businesses stop selling your personal information (“opt-out”). With some exceptions, businesses cannot sell your personal information after receiving your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back into selling your personal information.
How to submit the opt-out request?
Businesses that sell personal information are subject to the CCPA’s requirement to provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account to submit your request.
Right to non-discrimination
Businesses cannot deny goods or services, charge you a different price, or provide a different level or quality of goods or services just because you exercised your rights under the CCPA.
However, if you refuse to provide your personal information to a business or ask it to delete or stop selling your personal information, and that personal information or sale is necessary for the business to provide you with goods or services, the business may not be able to complete that transaction.
How can Complianz help?
Do you want to know how Complianz can help website developers to meet these and other legal requirements? We have written an article about that too!