The California Consumer Privacy Act (CCPA), signed into law on June 28, 2018, creates an array of consumer privacy rights and business obligations regarding the collection and sale of personal information. The CCPA went into effect Jan. 1, 2020. The California Privacy Rights Act (CPRA), also known as Proposition 24, was a ballot measure approved by California voters on Nov. 3, 2020. It significantly amended and expanded the CCPA, and it is sometimes referred to as “CCPA 2.0.” CPRA became operative on January 1, 2023.

| SNo | Name of Right | Description | Also Referred as | Section |
| --- | --- | --- | --- | --- |
| 1 | Right to be Informed | You have the right to be informed about the type of personal information collected and processed about you, and your rights to opt-out. | Right to Notice | Cal. Civ Code 1798.130 (a) (5) |
| 2 | Right to Access Personal Information | You may request that businesses disclose to you what personal information they have collected, used, shared, or sold about you, and why they collected, used, shared, or sold that information. Businesses must provide you this information for the 12-month period preceding your request. They must provide this information to you free of charge. | Right to Access | |
| 3 | Right to Delete Personal Information | You may request that businesses delete personal information they collected from you and to tell their service providers to do the same. However, there are many exceptions that allow businesses to keep your personal information. Businesses must respond to your request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify you. | Right to Delete | |
| 4 | Right to Correct Inaccurate Personal Information | A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer to correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information. A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer’s right to request correction of inaccurate personal information. | Right to Rectification | |
| 5 | Right to Opt Out of Sale or Sharing of Personal Information | A consumer shall have the right to request that businesses stop selling or sharing consumer’s personal information (“opt-out”), specifically to sharing for cross-context behavioral advertising, which is the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s online activity across numerous websites. | Opt-Out of sale | |
| 6 | Right to opt-out of sharing of personal information | A consumer shall have the right to request that businesses stop selling or sharing consumer’s personal information (“opt-out”), specifically to sharing for cross-context behavioral advertising, which is the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s online activity across numerous websites. | Opt-Out of targeted ads; Opt-Out of profiling | |
| 7 | Right to Know | A consumer shall have the right to request that a business that sells or shares the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer: | Right to Know | |
| 8 | Right to limit use and disclosure of sensitive personal information | A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. | Right to opt-out for sensitive data processing | |
| 9 | Right of no retaliation following opt-out or exercise of other rights | Businesses cannot deny goods or services, charge you a different price, or provide a different level or quality of goods or services just because you exercised your rights under the CCPA. | Right to non-discrimination | |
| 10 | Right to private action | An individual has the right to initiate private action on businesses under specific circumstances. | Right to private action | |

| SNo | Obligations | Description | Also Referred as | Reference |
| --- | --- | --- | --- | --- |
| 1 | Privacy policies and procedures | Provide notice of consumer rights | Right to Notice | Sections 1798.100(a), 1798.100(b), 1798.130(a) and 1798.135 |
| 2 | Purpose limitation | | | Sections 1798.100(b), 1798.100(c) |
| 3 | Data minimization | | | Sections 1798.100(c) and 1798.100(a)(d) |
| 4 | Security requirements | | | Sections 1798.150(a), 1798.100(e) and 1798.150(a) |
| 5 | Processor/service provider requirements | | | Sections 1798.140(v), 1798.100(d) and 1798.140(ag)(1) |
| 6 | Record keeping | | | Section 999.317 |
| 7 | Risk impact assessment | | Risk assessment | Section 1798.185(a)(15) |
| 8 | Breach notification | | | |
| 9 | Registration with authorities | | | |
| 10 | Data processing officer | | Designated personnel | |
| 11 | International data transfer restrictions | | | |
| 12 | Global Privacy Controls | Although the text of the California Privacy Rights Act (CPRA) suggests that responding to the Global Privacy Control (GPC) will be optional in 2023, the California Attorney General will require companies to respond to GPC signals now. | GPC | |