- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
CCPA Privacy FAQs: Can a company be sued under the CCPA for failing to post a “do not sell my personal information” link?
Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1 The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligation to include a “do not sell my personal information” link on the company’s homepage.2
The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3 Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery. It is unlikely, however, that such a strategy would succeed in connection with the CCPA, as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4
An amendment to the CCPA – Senate Bill 561 – has been proposed, which, if passed, would extend the private right of action and the ability for plaintiffs’ attorneys to seek statutory damages for all alleged violations of the CCPA. While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review.
The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to include a “do not sell my personal information” link, and it is unlikely that courts will permit such suits through the auspices of the UCL. The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with a failure to include the opt-out link on webpages.