AuditXYZ

Lesson 2 of 5

CCPA Consumer Rights: What You Must Honor

11 min readIntermediate

CCPA Consumer Rights

CCPA grants California consumers several rights over their personal information. Businesses must implement processes to receive, verify, and fulfill these requests within statutory timelines. Failure to honor consumer rights is a primary source of CCPA enforcement.

Right to Know

Consumers can request that a business disclose what personal information it has collected, the sources, the business purposes, the categories of third parties with whom it was shared, and the specific pieces of personal information collected. Businesses must provide this information for the 12-month period preceding the request.

Right to Delete

Consumers can request deletion of their personal information. Businesses must delete the information and direct service providers to do the same. Exceptions exist for information needed to complete transactions, detect security incidents, comply with legal obligations, and certain other purposes.

Right to Opt-Out of Sale/Sharing

Consumers have the right to opt out of the sale or sharing of their personal information. Businesses that sell or share personal information must provide a clear "Do Not Sell or Share My Personal Information" link on their website. Once a consumer opts out, the business must wait at least 12 months before asking them to opt back in.

Right to Correct (CPRA)

Added by CPRA, consumers can request correction of inaccurate personal information. Businesses must use commercially reasonable efforts to correct the information as directed by the consumer.

Right to Limit Sensitive Information Use (CPRA)

Also added by CPRA, consumers can limit the use and disclosure of sensitive personal information (such as Social Security numbers, financial data, precise geolocation, and health information) to what is necessary for providing the requested service.

Request Handling

Businesses must provide at least two methods for submitting requests, including a toll-free number and (for online businesses) a web form. Requests must be acknowledged within 10 business days and fulfilled within 45 calendar days (extendable by another 45 days with notice). Verify the consumer's identity before fulfilling requests. Do not charge a fee for requests unless they are manifestly unfounded or excessive.

In the next lesson, we will cover business obligations under CCPA.