Automated personal data systems’ (Ware, 1973: 1). More commonly referred to as privacy protection than data protection in the US, these instruments include laws, case law, and constitutional rights. The Computer Matching and Privacy Protection Act of 1988, P.L. 100–503, amended the Privacy Act of 1974 by adding certain protections for the subjects of Privacy Act records whose records are used in automated matching programs. These protections have been mandated to ensure: procedural uniformity in carrying out matching programs.
Now that summer has officially started, fewer than six months remain until the California Consumer Privacy Act (CCPA) becomes effective. Implementing corporate processes necessary to meet the CCPA’s broad consumer privacy rights guarantees is a key aspect of CCPA compliance, but can prove challenging in practice.
As we outlined previously, the CCPA contains a number of consumer rights. We will address these rights in more detail in a two-part series. This first post presents a brief “field guide” to the CCPA’s consumer rights and their potential complications. The second installment will address how companies should respond to consumer requests. It’s important to remember that the term “consumer” is defined broadly to mean any individual who is a resident of California. Barring further amendments, this includes employees.
Consumer rights in the CCPA can be formulated in different ways, but we divide them into the following categories: (1) right to notice, (2) right to access, (3) right to opt out (or right to opt in), (4) right to request deletion, and (5) right to equal services and prices.
Right to Notice
Probably the most obvious right that consumers have under the CCPA is the right to notice. Consumers can expect to ring in the New Year in 2020 with a flurry of notifications similar to the deluge of emails that accompanied the EU’s General Data Protection Regulation (GDPR) taking effect on May 25, 2018—or the barrage of paper notices that signaled the implementation of the federal Gramm-Leach-Bliley Act Privacy Rule, 12 CFR Part 1016, in 2001.
Under the CCPA, businesses must inform consumers at or before the point of collection what categories of personal information will be collected and the purposes for which these categories will be used. This will be particularly difficult for personal information collected in person or from third parties. And businesses must provide notice again before collecting additional categories or collecting personal information for new purposes.[1] This requires ongoing efforts to identify changes in collection or use of previously collected personal information.
The CCPA also sets forth specific disclosures that businesses must include in their privacy policies, including descriptions of consumer rights and how to exercise them.[2]
Right to Access
A corollary to the right to notice under the CCPA is the right to access. Consumers have the right to request that a business disclose the categories of personal information collected; the categories of sources from which personal information is collected; the business or commercial purpose; the categories of third parties with which the business shares personal information; and the specific pieces of personal information the business holds about a consumer.[3] If a business sells personal information or discloses it for business purposes, consumers have the right to request the categories of information so sold or disclosed.[4]
Access requests may be easier for companies that maintain databases, but most companies also collect unstructured data (such as emails, images, files, etc.) related to consumers. Given that “personal information” includes any information “capable of being associated with” a consumer or a household, requests will encompass a wide range of data that a business possesses.
Right to Opt-Out
Consumers have the right—at any time—to direct businesses that sell personal information about the consumer to third parties to stop this sale, known as the right to opt out. If a consumer is a minor, the CCPA provides for a right to opt in to the sale of data (exercised by the minor if the consumer is between 13 and 16 years of age, or by the minor’s parent or guardian if the consumer is under 13 years old).[5] Businesses must wait at least 12 months before asking consumers to opt back in.[6] Companies should examine their relationships with third parties to which they provide personal information, because “sale” is defined broadly!
Right to Request Deletion
Consumers also have the right to request deletion of personal information, but only where that information was collected from the consumer. Like the right to erasure under the GDPR, this right is subject to exceptions. For instance, businesses need not delete personal information necessary for detecting security incidents, exercising free speech, protecting or defending against legal claims, or—in what is potentially a broad and likely contentious category—for internal uses reasonably aligned with the consumer’s expectations.[7] Companies will have to determine the expectations of their particular consumers, how to handle the fact that personal information may be replicated many times and used for different purposes, and who (lawyers or the business) will make decisions regarding whether the CCPA’s exceptions apply.
Right to Equal Services and Prices
The CCPA prohibits businesses from discriminating against consumers by denying goods or services, charging a different price or rate for goods or services, providing a different level or quality of goods or services, or suggesting that they will do any of these things based upon a consumer’s exercise of any CCPA rights. Put differently, consumers have a right to equal services and prices.[8] This provision is likely the most misunderstood section of the CCPA, no doubt in part due to confusing wording. The right to equal services and prices does not place any restrictions on a business’ ability to collect information or deny service if a consumer does not want to participate in collection; it only applies where the consumer exercises specific CCPA rights, such as opting out of downstream sale of the data.
A business may offer financial incentives for the collection and sale of data, but only with the consumer’s prior opt-in consent—which can be withdrawn at any time—and where the price or difference is directly related to the value of the consumer’s personal information.[9] Proving the value of personal information may be difficult.
Doing Right by CCPA
The CCPA dramatically raises the bar on the options and information businesses must make available to any individual about whom data is collected. It also creates consumer rights, which—due to the widespread use of personal information for different purposes, some of which may involve third party partners—will be challenging for many businesses to implement in practice.
FOOTNOTES
[1] See CCPA §§ 1798.100, 1798.120.
[2] See CCPA §§ 1798.130, 1798.135.
[3] See CCPA §§ 1798.100, 1798.110, 1798.115.
[4] See CCPA § 1798.115.
[5] See CCPA § 1798.120.
[6] See CCPA § 1798.120.
[7] See CCPA § 1798.105.
[8] See CCPA § 1798.125.
[9] See CCPA § 1798.125.
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
The combined regulation text of all HIPAA Administrative Simplification Regulations is found at 45 CFR Parts 160, 162, and 164.