Cal. Civ. Code §§ 1798.110; 1798.115; 1798.130; 1798.105; 1798.145; 1798.120; 1798.125
The CCPA requires a business to comply with requests to exercise the following rights:
Right to Know: To request any or all of the following information relating to the consumer’s personal information the business has collected and disclosed in the previous twelve (12) months, upon verification of the consumer’s identity:
- The specific pieces of personal information the business has collected about the consumer;
- The categories of personal information the business has collected about the consumer;
- The categories of sources of the personal information;
- The categories of personal information that the business has disclosed to third parties for a business purpose, and the categories of recipients to whom this information was disclosed;
- The categories of personal information the business has sold about the consumer, and the categories of third parties to whom the information was sold; and
- The business or commercial purposes for collecting or, if applicable, selling the personal information.
Right to Delete: To request the deletion of personal information the business has collected from the consumer, subject to certain exceptions.
Right to Opt Out: To opt out of the “sale” of their personal information.
If the business sells consumers’ personal information, information about this right must be provided to consumers in the business’s privacy notice and a link titled “Do Not Sell My Personal Information” must be included on the business’s Internet home page, if any.
Right to Nondiscrimination: To not receive discriminatory treatment for exercising any consumer right, subject to certain exceptions.
A business typically must provide two (2) or more methods for a consumer to submit a consumer request under the Right to Know and Right to Delete. Methods include a toll-free number, an email address or an online form. The business must verify Right to Know and Right to Delete requests and may need to gather additional information from the requesting consumer to ensure the consumer is authorized to submit the request, and/or to receive the information requested. For Right to Know and Right to Delete requests, the business must acknowledge receipt of the request within ten (10) business days, and must respond within forty-five (45) calendar days of receipt of the request, though this period may be extended an additional forty-five (45) days in certain circumstances. Additionally, authorized agents are permitted to submit requests on behalf of consumers, subject to specific authorization requirements.
Cal. Civ. Code §§ 1798.110; 1798.115; 1798.130; 1798.105; 1798.145; 1798.106; 1798.185; 1798.120; 1798.185(a)(16); 1798.125; 1798.121
The CPRA expands several consumer rights established by the CCPA and adds new consumer rights and protections. Additional guidance on the revised or additional CPRA consumer rights obligations is expected from the California Attorney General in the forthcoming regulations.
The CPRA provides for the following consumer rights:
Right to Know: The CPRA modifies and/or expands the CCPA’s Right to Know by:
- Requiring the business to also provide information about the categories of personal information shared with third parties, where “shared” is defined as providing personal information to a third party for cross‑contextual behavioral advertising.
- Removing the twelve (12)-month look-back limitation by requiring a business to provide more than twelve (12) months of information, so long as such a disclosure would not be “impossible” or “involve a disproportionate effort,” though this requirement would not apply to any data collected by the business prior to January 1, 2022.
- Clarifying that these requests encompass personal data collected by the business directly or indirectly, including through or by a service provider or contractor. The CPRA also emphasizes the obligation for service providers or contractors to aid the business with respect to the business’s response to a verifiable consumer request.
- Clarifying the obligation that the business provide specific pieces of personal information in a structured, commonly used, machine-readable format “which also may be transmitted to another entity at the consumer’s request without hindrance” to the extent it is technically feasible.
- Directing the CPPA to issue regulations governing access rights with respect to the business’s use of automated decision‑making and profiling. The CPRA further directs the forthcoming regulations to require businesses’ response to access requests to include meaningful information about the logic involved in such decision‑making processes, as well as a description of the likely outcome of the process with respect to the consumer.
Right to Delete: The CPRA modifies and/or expands the CCPA’s Right to Delete by requiring the business to notify its service providers and contractors and also notify any third parties to whom the business has sold or shared (for cross‑contextual advertising purposes) the consumer’s personal information, unless this “proves impossible or involves disproportionate effort.” Additionally, service providers and contractors must pass deletion requests downstream in certain circumstances. The CPRA also provides several new exceptions or clarifications to the deletion requirement under the CCPA. Under the CPRA, the business is not required to delete:
- household data, defined as data relating to a group of consumers who cohabitate at the same residential address and share common devices or services;
- personal information about the consumer that belongs to, or that the business maintains on behalf of, another natural person;
- personal information that applies to a student’s grades, test scores, or educational test results that the business holds on behalf of a local education entity;
- a particular piece of information if the consumer has consented to the business’s use of that information to produce a physical item (such as a yearbook) if the business has incurred significant expense and compliance with the deletion request would not be commercially reasonable; and
- personal information that the business bought or received, subject to certain exceptions, of the consumer’s request.
Right to Correction: To correct inaccurate personal information maintained by the business. Once a business receives a verified request to correct inaccurate personal information, the business must use “commercially reasonable efforts” to correct that personal information as directed by the consumer and the adopted regulations. The CPRA calls on the California attorney general to promulgate regulations governing how a business should respond to such a request, including exceptions for requests for which the response would be impossible or involve disproportionate effort, and how concerns over the accuracy of personal information should be resolved.
Right to Opt Out of the Sale or Sharing: The CPRA expands on the CCPA’s existing opt-out right to also include the “sharing” of personal information. Accordingly, the link posted on a business’s home page must be titled “Do Not Sell or Share My Personal Information.”
- “Sharing” is defined by the CPRA as the transfer or making available of a consumer’s personal information by the business to a third party for cross-contextual behavioral advertising, whether or not for monetary or other valuable consideration.
The business is further prohibited from selling or sharing personal information of a consumer under the age of sixteen (16) unless the consumer (for consumers at least thirteen (13) years old) or the consumer’s parent (for consumers who are less than thirteen (13) years old) has affirmatively authorized the sale or sharing.
Additionally, the CPRA directs the CPPA to issue regulations governing access and opt-out rights with respect to the business’s use of automated decision-making technology and profiling. The text suggests that such regulations may include a requirement for a business to disclose information about the logic involved in the automated decision-making process in response to a consumer request.
Right to Opt Out of Automated Decision‑Making Technology: The CPRA authorizes and directs the CPPA to issue regulations governing access and opt-out rights with respect to a business’s use of automated decision-making and profiling.
See Section 2: Profiling and Automated Decision‑Making above for additional information.
Right of Non-Retaliation: To not be discriminated against because the consumer exercised any of the consumer’s California rights, unless the price or service difference is reasonably related to the value provided to the business by the consumer’s data. The right to non-discrimination does not prohibit the business from offering loyalty, rewards, premium features, discounts, or club card programs.
Right to Limit the Use and Disclosure of Sensitive Personal Information: To direct a business to limit its use of “sensitive personal information” to that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services,” or for the performance of specific enumerated business purposes. The CPRA requires a second link on the website home page titled “Limit the Use of My Sensitive Personal Information.” In some circumstances, a business may provide a single home page link that combines this link with the Do Not Sell or Share My Personal Information link to allow consumers to make one or both of these selections. The CPRA also contemplates the creation of an “opt-out preference signal” sent at the consumer’s request indicating the consumer’s intent to opt out of the sale or sharing of the consumer’s personal information or to limit the use and disclosure of sensitive personal information, or both, though it leaves the details to be set out in the forthcoming regulations.
Colo. Rev. Stat. §§ 6-1-1306(1)(b); 6-1-1306(1)(d); 6-1-1306(1)(e); 6-1-1306(1)(c); 6-1-1306(1)(a)(I); 6-1-1306(1)(a)(IV)(B); 6-1-1313(2); 6-1-1306(3); 6-1-1307(3)
The CPA requires controllers to comply with authenticated requests to exercise the following rights:
Right of Access: To confirm whether a controller is processing personal data and to access such personal data.
Right to Deletion: To delete personal data concerning the consumer.
Right to Portability: To obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to easily transmit the data to another entity. A consumer may exercise this right no more than twice per calendar year.
Right to Correction: To correct inaccuracies in the consumer’s personal data, taking into consideration the nature of the personal data and the purposes of the processing of the personal data.
Right to Opt Out: To opt out of the processing of personal data for the purposes of (1) targeted advertising; (2) the sale of personal data; and (3) “profiling in furtherance of decisions that produce legal or similarly significant effects.” The controller must provide a “clear and conspicuous” method to exercise the right to opt out of the processing of personal data for the purposes of targeted advertising or sale in its privacy notice and in a readily accessible location outside of the privacy notice.
Note that the CPA prohibits controllers from processing sensitive data without first obtaining the consumer’s opt-in consent or, if pertaining to a known child, without first obtaining consent from the parent or lawful guardian.
Right to Universal Opt-Out Mechanisms: Effective July 1, 2024, controllers that process personal data for the purposes of targeted advertising or sale must allow consumers to exercise the right to opt out through a user-selected universal opt-out mechanism. The attorney general is directed to adopt rules that clarify the technical specifications for such an opt-out mechanism by July 1, 2023.
The controller must respond to consumer requests within forty-five (45) days (with the option to extend the period by an additional forty-five (45) days). The controller must honor a consumer request free of charge; however, for a second or subsequent request within a twelve (12)-month period, the controller may charge the consumer an amount calculated in the manner specified in the CPA. Controllers are required to authenticate consumer requests. The CPA provides a statutory right to appeal denied consumer requests, and requires that controllers establish internal processes for consumers to appeal a refusal to act on a request to exercise any of the rights above. The appeal process must be made readily available and as easy to use as the process for submitting a request. Furthermore, the CPA mandates that controllers inform the consumer of their ability to contact the attorney general if the consumer has any concerns regarding the result of an appeal.
The consumer rights above do not apply to pseudonymous data if (1) the controller can demonstrate that the information necessary to identify the consumer is kept separately, and (2) the data is subject to effective technical and organizational controls that prevent the controller from accessing such information.
Va. Code §§ 59.1-573.A.1; 59.1-573.A.2; 59.1-573.A.3; 59.1-573.A.4; 59.1-573.A.5; 59.1-573.C
The VCDPA requires a controller to comply with authenticated requests to exercise the following rights:
Right to Access: To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data.
Right to Deletion: To delete personal data provided by or obtained about the consumer.
Right to Portability: To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
Right to Correction: To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.
Right to Opt Out: To opt out of personal data processed for the following purposes: (1) targeted advertising; (2) the “sale” of personal data; and (3) profiling for decisions that produce legal or similarly significant effects for the consumer.
- “Targeted advertising” is defined to include displaying ads based on personal data obtained from consumer activities over time and across nonaffiliated websites or applications.
- “Sale” is defined to include the exchange of personal data for monetary consideration. Similar to the CPA, the VCDPA excludes the following disclosures from the definition of “sale”: to a processor that processes the personal data on behalf of the controller; to a third party for purposes of providing a product or service requested by the consumer; to an affiliate of the controller; of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience; or to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
- “Profiling” is defined to include automated processing of personal data to analyze or predict consumer activities or characteristics. “Legal or similarly significant effects” include, among other things, decisions that impact financial services, housing, employment, and health care.
Additionally, like the CPA, the VCDPA prohibits controllers from processing sensitive data without first obtaining the consumer’s opt-in consent or, if pertaining to a known child, without first obtaining consent from the parent or lawful guardian in accordance with the Children’s Online Privacy Protection Act.
The VCDPA provides a statutory right to appeal the denial of a consumer rights request. If such an appeal is denied, the controller must ensure the consumer is provided with “an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.”