- 1798.100 – Consumer's right to receive information on privacy practices and to access information
- 1798.105 – Consumer's right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumer's right to receive information about onward disclosures
- 1798.120 – Consumer's right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
How many deletion requests can a consumer send to a business each year?
The CCPA does not specify how many deletion requests a consumer can send to a business each year. However, it does permit businesses to “refuse to act on” a deletion request if a consumer’s requests become “unfounded or excessive.”1 The Act specifically calls out “repetitive” requests as an example of an excessive practice.2 If a dispute arises between a business and a consumer regarding whether a particular quantity of requests is, or is not, excessive, the CCPA states that the “business shall bear the burden of demonstrating” that the quantity received is “manifestly . . . excessive.”3 One method that businesses may consider adopting when determining whether deletion requests are excessive, or in demonstrating that excessiveness, is to compare the quantity of deletion requests received from a particular consumer, with the quantity of deletion requests received from other consumers. To the extent that a particular consumer’s quantity of requests significantly departs from the behavior of most (or all) other consumers, a strong argument could be made that the requests have become repetitive and excessive.
Does the CCPA apply to the personal information of employees?
Yes.
The CCPA applies to personal information held about “consumers” – a term which is defined as referring to any resident of California.1 As a result, if a business is governed by the CCPA, the rights conferred by the statute apply to the business’s employees.
While the CCPA applies to data collected about employees, the California legislature passed an amendment in 2019 (Senate Bill 25) that effectively phased in the rights afforded to employees over the course of 2020. Pursuant to the amendment, those provisions of the CCPA found within Sections 100(b) and 150 applied immediately to employees.2 These included the obligation that a business inform an employee “at or before the point of collection” of the personal information to be collected and the purposes for which the information will be used.3 They also included the ability of an employee to bring suit if an employer failed to adequately protect sensitive category information.4 Employees’ personal information was exempted from the other provisions of the CCPA (e.g., access rights, deletion rights, sale rights, etc.) until January 1, 2021.5
What is the maximum penalty that may be asserted by the California Attorney General for a violation of CCPA?
$7,500 per violation.
There is no private right of action for violations of the CCPA related to an individual’s right to be forgotten. The CCPA provides that the maximum fine that may be imposed by the Attorney General is $7,500 “for each intentional violation.”1 That said, it remains to be seen how such “violations” will be computed by the Attorney General.
If a business receives a right to be forgotten request from an employee, or a former employee, does it have to delete the requestor’s information?
Not necessarily.
As an initial matter, employees that are residents of California will not qualify as full “consumers” under the law until January 1, 2021. Pursuant to an amendment to the CCPA enacted in 2019, the title shall not apply to “[p]ersonal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.”1 As of the date of this writing, this provision will expire on January 1, 2021, and employees will be considered full “consumers” under CCPA on that date.
That said, assuming that employees are consumers, there are a number of exceptions to the consumer’s right to deletion that may apply. Specifically, the business may argue that the employee’s request for deletion cannot be granted based on one or more of the statutory exceptions set out in section 1798.105. In particular, the business may argue that it has a legal obligation to retain the data, and that the data is required to carry out a transaction with the employee.2 This list is by no means exhaustive. Finally, it should be noted that even apart from the specific exceptions to the consumer’s right to deletion articulated in section 1798.105 of the CCPA, the business also is not required to take any action that would violate other state or federal obligations imposed upon it, including federal employment laws.3
Do financial institutions need to comply with the CCPA with respect to all consumer information?
No, with a caveat.
The CCPA does not apply to “personal information collected, processed, sold, or disclosed pursuant to the Gramm Leach Bliley Act (GLBA) and implementing regulations.” The GLBA regulates privacy and security for financial institutions and applies to more than just banks, including mortgage brokers, non-bank lenders, personal property or real estate appraisers, professional tax preparers, auto dealers that extend credit, and insurance companies.
The GLBA imposes privacy requirements – and therefore would preempt application of the CCPA – when financial institutions collect “nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes.”1 Note that the qualifier “who obtain” is somewhat misleading. Under the GLBA, “consumer” includes individuals who applied for, but did not obtain, financial products, including:
- Individuals who apply for credit, regardless of whether the credit is extended;
- Individuals who provide non-public personal information to the financial institution in order to obtain a determination about whether they may qualify for a loan, regardless of whether the loan is extended;
- Individuals who provide non-public personal information in connection with obtaining or seeking to obtain financial, investment, or economic advisory services, regardless of whether they establish an advisory relationship.
GLBA does not apply, and therefore would not preempt application of the CCPA, to the following situations:
- When financial institutions collect information about individuals “who obtain financial products or services for business, commercial, or agricultural purposes” – such as information collected when providing commercial loans, commercial checking accounts or other B2B services;2
- When financial institutions collect information from an individual who is not applying for a financial product or seeking to obtain financial services, such as website data or marketing leads generated by third parties where the individual hasn’t applied for a product;
- When financial institutions possess personal information about individuals who are consumers of another financial institution for which the financial institution is acting as an agent or providing processing or for which it is providing other services;
- When the financial institution is designated by an individual as the trustee for a trust;
- If an individual is a participant or beneficiary of an employee benefit plan sponsored by the financial institution;
- Personal information about financial institution employees (subject to the CCPA beginning in 2021).
Note that the partial exemption applies to the privacy requirements of the CCPA only. A financial institution is still subject to suit, and to actual or statutory damages under Section 1798.150 of the CCPA, if it fails to implement and maintain reasonable security to protect certain sensitive categories of personal information.
What does a Human Resources Director need to know about the CCPA?
- Privacy notices. Under the CCPA, employers are required to provide California employees with privacy notices that, among other things, itemize the categories of personal information collected, shared, and sold about the employee.1
- Access rights. Under the CCPA, California employees are permitted to request access to the personal information that the employer has collected about the employee.2
- Deletion rights. Under the CCPA, California employees are permitted to request the deletion of the personal information that the employer has collected from the employee.3 Note that the CCPA does not require that employers grant such requests in all situations.
- HR benefits providers. Under the CCPA, an employer must take steps to verify that, by providing personal information about California employees to benefits providers, it is not “selling” personal information as that term is defined in the statute. If a sale does occur, the employer must disclose the sale to the employee and offer them the ability to opt out of the sale through a “Do Not Sell” mechanism.
- Data security breach. Under the CCPA, if the sensitive information of a California employee (e.g., Social Security Number) is breached as a result of the employer’s inadequate data security, an employee may be able to initiate suit to recover statutory liquidated damages.4
Under US law, can an employer share with public health authorities the names of employees infected with a contagious disease?
- The CCPA requires that a business include within its notice of collection and/or privacy notice a general disclosure that informs employees of the business purposes for which their information was collected. While it is not certain whether disclosure to a public health authority would be considered a “business purpose,” businesses should consider stating within their privacy notices that information may be shared with federal, state, or local government agencies for the purpose of protecting employees, protecting the public, or protecting other individuals.2
- In the event that an employee submits an access request upon the business, the CCPA requires (beginning on January 1, 2021) that the business state what information was “disclosed for a business purpose.”3 While it is not certain whether disclosure to a public health authority would be considered a “business purpose,” businesses should consider stating in response to an access request that information was shared with a government agency and identifying the categories of information that were shared.4
It is important to note that other federal or state labor and employment laws likely preclude a business from sharing information about potentially contagious employees with public health authorities. For example, the federal Americans with Disabilities Act requires that any information which is obtained as part of a voluntary medical examination, or as part of voluntarily collecting medical information from an employee, be kept “confidential.”5 Although this confidentiality requirement is subject to certain exceptions, the only government-related exception permits disclosure upon request to “government official[s] investigating compliance with [the ADA].”6 Thus the ADA may prohibit a business from voluntarily disclosing information about an infected employee to state or local public health agencies. As a practical matter, most infectious diseases are identified by medical providers, who may have an independent obligation to report the infection to public health authorities (e.g., the Centers for Disease Control and Prevention). As a result, public health authorities should not need to rely upon a company to provide information about infected individuals.
In response to an access request, does a company have to produce its internal notes relating to an individual?
Maybe.
The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.
Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:
- The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
- Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3
A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to internal documents regarding a consumer (e.g., internal notes about a customer service representative’s experience with the consumer), as doing so could be construed as an unauthorized disclosure of the document creator’s personal information.
A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:
[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4
Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:
- Inferences about a consumer
- Background responses (e.g., internal responses to consumer requests and/or consumer activity)
- Internal notes about a consumer
For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase, such as the consumer’s name, phone number, mailing address, and the request made, is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made, such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior, is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.
In response to an access request, does a company have to produce information about its transactions and experiences with an individual?
Maybe.
The analysis is the same as for internal notes in the preceding question. Information the consumer supplies in the course of a transaction, such as the consumer’s name, phone number, mailing address, and the request made, is “collected” under the CCPA and must be disclosed in response to an access request. Information the business itself generates in the course of the transaction or its experience with the consumer, such as internal protocols, the refund date, the business’s response to the consumer, fraud detection protocols, internal notes, and inferences about the consumer’s purchasing behavior, is arguably not “collected” and may not need to be disclosed. In addition, producing internal documents may be constrained by the rights of the employees who created them, since the rights of one consumer “shall not adversely affect the rights…of other consumers.”
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. 1798.100(b).
2. 1798.145(j).
3. 1798.150(a).
4. 1798.140(e).
In response to an access request, does a company have to produce its own work product?
Maybe.
The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.
Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:
- The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
- Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3
A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to internal documents regarding a consumer, as doing so could be construed as an unauthorized disclosure of the document creator’s personal information.
A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:
[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4
Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:
- Inferences about a consumer
- Background programming
- Background responses (e.g., internal responses to consumer requests and/or consumer activity)
- Internal information unrelated to the consumer (e.g., background data describing a web page that the consumer navigated to)
- Internal notes about a consumer
For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase, such as the consumer’s name, phone number, mailing address, and the request made, is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made, such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior, is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.