CALIFORNIA RESIDENTS: Summary Of Consumer Rights Under The California Consumer Privacy Act (“CCPA”)
The California Consumer Privacy Act of 2018 (“CCPA”) took effect on January 1, 2020. The CCPA grants new privacy rights to California consumers, including:
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
- The right to delete personal information held by businesses and by extension, a business’s service provider;
- The right to opt-out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13; and
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
A business subject to the CCPA that collects a California consumer’s personal information must, at or before the point of collection, inform the consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.
A covered business must disclose and deliver the personal information the business collected about the consumer in response to a verifiable consumer request.
For purposes of the CCPA, “Personal information” does not include:
- Publicly available information from government records;
- De-identified or aggregated consumer information; or
- Information excluded from the CCPA’s scope, such as:
- health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
- personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
A further summary of consumer rights provided by the CCPA follows.
B. Right to Know.
A business that collects personal information must also disclose, in response to a verifiable consumer request, the following:
- The categories of personal information the business has collected about the consumer;
- The categories of sources from which that personal information is collected;
- The business or commercial purpose for collecting or selling personal information collected from consumers;
- The categories of third parties with which the business shares personal information;
- The specific pieces of personal information the business has collected about the consumer making the request;
A business that sells a consumer’s personal information or discloses a consumer’s personal information for a business purpose must disclose the following in response to a verifiable consumer request:
- The categories of personal information the business has collected about the individual consumer
- The categories of personal information the business has sold about the consumer and categories of third parties to which the personal information was sold by category or categories of personal information for each third party to which the personal information was sold. Or, if the business has not sold any consumer personal information, it must state that fact)
- The categories of personal information the business has disclosed about the consumer for a business purpose. Or, if the business has not disclosed any consumer personal information for a business purpose, it must state that fact.
C. Right to Deletion.
You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our Service Providers to delete) your Personal Information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our Service Providers to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
D. Right to Non-Discrimination.
A business must not discriminate against a consumer who exercises any of the consumer’s rights under the CCPA. However, a business may charge different prices or provide a different quality of goods or services if the difference is reasonably related to the value provided to the consumer by the consumer’s data and may offer financial incentives to a consumer for the collection, sale, or deletion of personal information on a prior opt-in consent basis.
E. Right to Opt-Out.
A business that sells consumers’ personal information to third parties needs to provide notice to consumers thereof and that consumers have the right to opt out of the sale of their personal information. A business must provide a “Do Not Sell My Personal Information” link on its Internet homepage that links to an Internet webpage that enables a consumer to opt out of the sale of the consumer’s personal information.
A business must not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information.
- Consumers’ rights under the CCPA, including the consumer right to opt out of the sale of the consumer’s personal information and a separate link to the “Do Not Sell My Personal Information” Internet Web page;
- The methods for submitting consumer requests; and
- A list of the categories of personal information that the business has collected about consumers, sold about consumers, and disclosed about consumers for a business purpose in the preceding 12 months
IX. CALIFORNIA RESIDENTS: How To Make A CCPA Consumer Rights Request.
A. Instructions For Submitting A CCPA Consumer Rights Request To Us
If you are a California resident and wish to exercise any of the CCPA consumer rights summarized above, such as a Request to Know or a Request to Delete Personal Information, you can do so in one of the following ways:
- Call us at 877-781-9679; or
- Reach us by email or U.S. mail at:
1930 Thoreau Drive, Ste. 100
Schaumburg, IL 60173
Upon receiving a verifiable request to know or a request to delete, we will confirm receipt of the request within ten (10) days and provide some information about how we will verify and handle the request, and by when you should expect to receive a response.
Please note that you may only make a verifiable consumer Request to Know or Request to Access your data under the CCPA two times within any 12-month period.
B. Verification Of The Person Making A Consumer Rights Request.
Of course, we need to be reasonably sure that the person making the request is actually you! So, we may need some information from you to verify that you are the person whose Personal Information you are asking to know about or to delete. Accordingly, a verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we have collected Personal Information or an authorized representative. This will include:
- Your first and last name, plus
- Last four digits of your Social Security Number;
- Account number of credit report; or
- Current mailing address
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
- If possible, please provide this information by clicking on this to complete and submit the referenced form
Understandably, we cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm that the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use any Personal Information provided in a verifiable consumer request to verify your identity or authority to make the request.
C. Designating An Authorized Agent to Make A Consumer Rights Request for You.
Only you or a person that you designate and authorize to act on your behalf may make a verifiable consumer request related to your Personal Information. For your protection, we will need to first see some proof that someone seeking to act on your behalf is actually authorized by you to do so. You may also make a verifiable consumer request on behalf of your minor child, again with some proof that you are the minor child’s parent or legal guardian. Forms of authorization may include:
- California Power of Attorney
- Written authorization sworn and signed under penalty of perjury
- Registered Agent status with the California Secretary of State
D. Response Timing and Format.
We will try to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we need more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt.
If you are making a Request to Delete your Personal Information, we will need to re-confirm with you that you really want your information deleted after verifying your request.
If we cannot respond to or comply with your Request to Know or Request to Delete, say because we cannot verify your identity or because an exception applies, we will explain the reasons we cannot comply with your request. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.