California Consumer Privacy Act (CCPA) Right of Access
The California Consumer Privacy Act requires covered businesses to honor consumer requests exercising the right of access to their personal information under the new privacy law (passed by the California legislature on June 28, 2018 as AB-375).
Starting on January 1, 2020 (the CA law’s effective date of implementation), covered businesses will need to disclose the categories and specific pieces of personal information the business has collected about a consumer upon their request.
Businesses will need to verify that a request is made by the consumer (or their authorized representative) about whom the business has collected personal information. The verification process will follow regulations adopted by the California Attorney General before the law goes into effect.
What is considered personal information under the CA privacy law?
The new privacy law has an extensive definition of personal information which will need to be disclosed to consumers if it has been collected. The covered personal information includes information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Here is a partial list of personal information specified by the law:
– Identifiers: Real name, postal address, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
– Internet or other electronic network activity information: Browsing history, search history, and information regarding a consumer’s interactions online.
– Geolocation data.
– Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
– Biometric information.
– Characteristics of protected classifications under California or federal law.
– Professional or employment-related information.
– Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.
– Audio, electronic, visual, thermal, olfactory, or similar information.
– Inferences drawn from any of the protected information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
– Any categories of personal information described in subdivision (e) of Section 1798.80.
The law also provides an exception for publicly available information. Publicly available means information that is lawfully made available from federal, state, or local government records. However, information is not publicly available if that data is used for a purpose that is not compatible with the purpose for which the data is maintained.
What businesses are covered?
The law applies to people and organizations doing business in the State of California that (a) have annual gross revenues in excess of $25 million, (b) handle the personal information of at least 50,000 consumers or devices, or (c) derive 50 percent or more in annual revenue from selling consumers’ personal information.