- 1798.100 – Consumers' right to receive information on privacy practices and access information
- 1798.105 – Consumers' right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers' right to receive information about onward disclosures
- 1798.120 – Consumer's right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
What rights does a consumer have in relation to a loyalty program under the CCPA?
Loyalty programs are structured in a variety of different ways. Some programs track dollars spent by consumers, others track products purchased. Some programs are free to participate in, others require consumers to purchase membership. Some programs offer consumers additional products, other programs offer prizes, money, or third party products. Although neither the CCPA nor the regulations implementing the CCPA define a “loyalty program,” as a practical matter most, if not all, loyalty programs share two things in common: (1) they collect information about consumers, and (2) they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.1
Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, its loyalty program will also be subject to the CCPA. In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:
| Right | Applicability to Loyalty Program |
| --- | --- |
| Notice at Collection | A loyalty program that collects personal information from its members should provide a notice at the point where information is being collected regarding the categories of personal information that will be collected and how that information will be used.2 |
| Privacy Notice | A loyalty program that collects personal information of its members should make a privacy notice available to its members.3 |
| Notice of Financial Incentive | To the extent that a loyalty program qualifies as a “financial incentive” under the regulations implementing the CCPA, a business should provide a “notice of financial incentive.”4 |
| Access to Information | A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.5 |
| Deletion of information | A company may generally deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten. |
| Opt-out of sale | A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt out of the sale of their information. To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner), it would not be considered a “sale” of information. |
Are businesses required to offer the same methods for submitting DSR requests under the CCPA as they are under the GDPR?
No.
Much like the GDPR, the CCPA gives consumers certain rights over their data. In particular, California residents have the right to request access to their personal information, the right to request the deletion of their personal information, and the right to opt out of the sale of their personal information.1
Businesses that are already GDPR-compliant will have pre-existing methods for fielding data subject requests, such as web portals, email addresses, or dedicated phone numbers. While these methods may be adequate, businesses should double check that all of the CCPA’s requirements are met. Whereas the GDPR has very few requirements governing submission methods, the requirements under the CCPA and Proposed Regulations are numerous.2
The end result is that if a business is GDPR compliant with respect to how data subjects are able to submit rights requests, it may not be CCPA compliant. In contrast, if a business is CCPA compliant with respect to how consumers are able to submit rights requests, it will almost certainly be GDPR compliant.
Below is a comparison of the requirements for methods to submit requests under the GDPR and under the CCPA.
[Comparison table of GDPR and CCPA request-submission requirements (columns: GDPR, CCPA; rows: Access, Opt-out, Delete); the cell contents were not recovered.]
Are the verification requirements for access and deletion requests the same under the CCPA as they are under the GDPR?
No.
Both the CCPA and the GDPR provide individuals with a right to request access to their personal information and a right to request the deletion of their personal information.1 As a result, businesses that field rights requests are required to ensure that the requestor is indeed the individual he or she is claiming to be. The failure to properly verify an individual, and the subsequent unauthorized disclosure, can trigger data breach provisions under both laws.
While the GDPR provides only high-level guidance on how to verify the identity of a requestor, the CCPA and the accompanying Proposed Regulations are more specific in their requirements.2 Below is a comparison of the requirements for verifying the identity of a requestor under the GDPR and under the CCPA.
Do companies have to “flow down” access requests to service providers?
Probably.
When a business receives a request from a consumer to access the personal information that the business has “collected,” it must decide whether to grant the request or to deny it based upon one of the exceptions to access contained in the CCPA.1 If the business decides to grant the request and provide the personal information in its possession, the CCPA does not specifically state that the business must also direct its service providers to produce the personal information that may be in their possession. This contrasts with deletion requests where the CCPA expressly states that a business which intends to honor such a request must “direct any service providers to delete the consumer’s personal information from their records.”2
Although the CCPA does not expressly state that a business must direct its service providers to search for and produce information collected from a consumer, privacy advocates are likely to take the position that flowing down an access request is implicitly required for the following reasons:
- Service providers are an extension of a business. The CCPA states that a service provider “processes information on behalf of a business.”3 To the extent that a service provider functions as an agent of a business, an argument could be made that a failure by the business to instruct the service provider to search for and produce information could constitute a violation by the business itself.
- The CCPA refers to access to the information “collected.” The CCPA states that a consumer should be able to request access to the “specific pieces of personal information the business has collected.”4 To the extent that a business collects personal information and then transmits it to a service provider for storage or further processing, the personal information was still “collected” by the business and, therefore, may need to be identified and produced regardless of whether it currently resides with the business or with its service provider.
- Access requests under the European GDPR are typically flowed down. Like the CCPA, the European GDPR does not expressly state that a controller must flow down an access request to a processor. In practice, however, it is well accepted in Europe that if a controller grants an access request it should flow down an instruction to its processors to provide the impacted personal information. In turn, the GDPR requires processors to “assist[] the controller . . . [in] the fulfilment of the controller’s obligation to respond to requests for exercising data subject’s rights . . . .”5
The act of instructing service providers to provide personal information in response to a consumer’s request is often referred to as “flowing down” an access request, or an “access request flow down.”
Do companies have to flow down access requests to service providers that maintain redundant copies of information?
No.
When a business receives a request from a consumer to access the personal information that the business has “collected,” it must decide whether to grant the request or to deny it based upon one of the exceptions to access contained in the CCPA.1 If the business decides to grant the request, the CCPA states only that the “specific pieces of personal information [the business] has collected about that consumer” should be produced.2 It does not mandate that all copies of the information be produced. As a result, if a business collects information about a consumer, transmits a copy of that information to one or more service providers, but maintains the original information in its own files, it can satisfy the access requirements of the CCPA using its own copy and without flowing down the access request.
Does the CCPA impose any additional obligations on companies that market to business contacts identified during conferences and trade shows?
Note that to the extent that the business contact or prospect is an “employee, owner, director, officer, or contractor” of a company, some of the requirements of the CCPA may be deferred until 2021.2 Whether the requirements are, or are not, deferred, however, may depend upon whether the marketing communication relates to “due diligence regarding,” or “providing or receiving a product or service.” While the deferral should extend to marketing communications relating to future products or services, it is possible that a privacy advocate might argue that marketing is neither due diligence regarding, nor the actual provision of, a product or service.
CCPA Privacy FAQs: If a business receives an access request, does it have to provide information that it collected more than a year ago about the consumer?
No.
The CCPA contains four references to the obligation of a business to, in response to an access request, provide the “specific pieces of personal information” that it has collected about a California resident.1 Each of those sections is modified by California Civil Code Section 1798.130(a)(2), which states that “the disclosure” required by a business in response to an access request “shall cover the 12-month period preceding the business’s receipt of the verifiable consumer request . . . ”2 The statute reiterates that access is limited to a 12-month lookback in California Civil Code Section 1798.130(a)(3)(B) by stating that access requests which seek information about a business’s collection practices (as opposed to requests that seek the specific pieces of information held by the business) are similarly limited to “the preceding 12 months.”3 It is unclear, from this text, whether the legislature intended that a company provide access only to data that was collected during the 12-month lookback period, or provide access to data that was held by the company during some portion of the 12-month lookback.
CCPA Privacy FAQs: Can a company be sued under the CCPA for failing to honor an access request?
No.
Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1 The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligations to disclose to consumers information about their data upon request, or to provide “the specific pieces of personal information” collected about a consumer.2
The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3 Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law, arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery. It is unlikely, however, that such a strategy would succeed in connection with the CCPA, as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4
An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action, and the ability for plaintiffs’ attorneys to seek statutory damages, to all alleged violations of the CCPA. While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review. As a practical matter, this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.
The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to honor access requests, and it is unlikely that courts will permit such suits through the auspices of the UCL. The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with access requests.
CCPA Privacy FAQs: What rights does a consumer have in relation to a loyalty program?
Loyalty programs are structured in a variety of different ways. Some programs track dollars spent by consumers, others track products purchased. Some programs are free to participate in, others require consumers to purchase membership. Some programs offer consumers additional products, other programs offer prizes, money, or third party products. All loyalty programs share several things in common, however – they collect information about consumers and they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.
Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, then its loyalty program will also be subject to the CCPA. In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:
| Right | Applicability to Loyalty Program |
| --- | --- |
| Privacy Notice | ✓ A loyalty program that collects personal information of its members should provide a notice that, at a minimum, discusses the type of information collected and the purposes to which it will be put.1 |
| Access to Information | ✓ A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.2 |
| Deletion of information | X Unless the terms and conditions of the loyalty program give the consumer the right to delete their account, or the right to delete information relating to their account, a company may generally deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten. |
| Opt-out of sale | ✓ A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt out of the sale of their information. To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner), it would not be considered a “sale” of information. |