Summary of California Consumer Rights and Business Deadlines for Responding to Privacy-Related Requests
Under the California Consumer Privacy Act (CCPA), California consumers may exercise certain rights in relation to their personal information – and businesses have strict deadlines to respond to such consumer requests. These rights and your obligations to respond have substantially expanded on January 1, 2023, when a major amendment to the CCPA took effect. This summary, prepared by the Fisher Phillips’ Consumer Privacy Team, offers a helpful review of existing and future obligations that you need to know.
Previous State of the Law
Prior to 2023, the CCPA did not offer coverage for employees, job applicants, independent contractors, and individuals in the business-to-business context. Through the end of 2022, California residents who fell outside of these exemptions were able to exercise certain consumer rights, including the right to request that you tell them what data was collected about them in the last 12 months, the right to request deletion of their data (subject to certain exceptions), and the right to opt-out of the selling of their data, among other rights.
Current Legal Obligations
As of January 1, 2023, all of your “consumers” from or about whom you have collected any personal information since January 1, 2022 have the following rights:
1. Right to Know. Consumers may request, up to two times in a 12-month period, the following:
- the categories of personal information collected about them going back to January 1, 2022, unless doing so would be impossible or involve disproportionate effort, or unless the consumer request a specific time period;
- the categories of sources from which the personal information was collected;
- the business or commercial purpose for collecting, selling, or sharing this information;
- the categories of third parties with whom the business shares or has shared this personal information since January 1, 2022;
- the categories of personal information sold or shared for cross-context behavioral advertising purposes, and the categories of third parties to whom the personal information was sold or with whom it was shared; and
- the categories of personal information that has been disclosed for a business purpose and the categories of persons to whom it was disclosed for a business purpose.
2. Right to Access.
- The right to request, up to two times in a 12-month period, free of charge, the specific pieces of personal information collected about them going back to January 1, 2022, unless doing so would be impossible or involve disproportionate effort, or unless the consumer requests a specific time period.
3. Right to Delete.
- The right to request, up to two times in a 12-month period, deletion of personal information collected from the consumer, subject to certain exceptions.
4. Right to Correct.
- The right to request correction of inaccurate personal information (to the extent such an inaccuracy exists) that is maintained about them.
5. Right to Opt Out.
- The right to opt out of the selling or sharing of your personal information to or with third parties. Sharing is defined in the CCPA as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
6. Right to Limit.
- The right to request that the business limit the use or disclosure of sensitive personal information for certain purposes outside of eight purposes for which a business may use or disclose such information without having to provide consumers with this right.
7. Right to Authorize an Agent.
- The right to designate an authorized agent to submit one of the above requests on the consumer’s behalf.
8. Right to No Discrimination.
- The right to not be discriminated or retaliated against for exercising any of the above rights, including an employee’s, applicant’s, and independent contractor’s right not to be retaliated against for exercising the above rights, and including by receiving a different level, quantity, quality, or pricing of goods or services as a result of exercising any of these rights unless a compliant Notice of Financial Incentive is provided and followed.
Deadlines to Respond to Consumer Requests
Once a business receives a request from a California consumer exercising one of the above rights, you have a limited amount of time to respond to the consumer’s request.
Request to Know, Request to Access, Request to Correct, Request to Delete
A business has 10 business days to confirm receipt of a consumer’s request and provide information about how it will process the request, including the business’s verification process and when the consumer should except to receive a response. You must respond to a consumer’s request by no later than 45 calendar days after receiving the request.
However, if necessary, you may extend your time to respond by an additional 45 days, for a maximum total of 90 calendar days from the day the consumer’s request is received. You must notify the consumer and provide an explanation of the reason why it will take more than 45 days to respond to the request.
Request to Opt-Out or Request to Limit Use or Disclosure of Sensitive Personal Information
A business must respond to the consumer’s request as soon as possible, but no later than 15 business day from the date you receive a request to opt-out, or a request to limit use or disclosure.
Fisher Phillips will continue to monitor CCPA obligations and enforcement efforts and provide updates as warranted, so make sure that you are subscribed to Fisher Phillips’ Insights to get the most up-to-date information direct to your inbox. For further information, contact your Fisher Phillips attorney, the authors of this Insight, or any attorney on the firm’s Consumer Privacy Team.