Overview: California Consumer Privacy Act (“CCPA”)
Note: The following guidance is meant to provide you with general information on the CCPA, and is not a substitute for legal guidance. You should consult your own legal counsel, as the CCPA is subject to future amendments and the implementing regulations are not finalized. This guidance is not meant to be all inclusive or a substitute for reading the law and understanding your obligations under the CCPA.
What is the California Consumer Privacy Act (“CCPA”)
The CCPA establishes and enhances consumer privacy rights for California residents and imposes new rules on businesses that collect and process their personal information. On this page, we provide you with some basics of the law that are the most applicable to you as a business and our customer and provide you with information you need to help you comply with your obligations as it relates to any personal information we process on your behalf as your Service Provider.
Does the CCPA apply to my business?
As currently written, the CCPA applies to any for-profit entity doing business in California that collects and controls the processing of a consumer’s personal information, and also satisfies ANY one of the following thresholds:
- Exceeds $25 million gross revenue annually,
- Handles the personal information of 50,000 or more California consumers, households, or devices annually, or
- Derives more than 50% of annual revenue from selling consumers' personal information.
There are several exceptions in the applicability of the CCPA, however, and the above is not intended to be dispositive. You should consult your own legal counsel for an official determination of whether the CCPA applies to you.
Who and what does the CCPA protect?
The CCPA protects privacy by affording California residents the right to access, delete, and opt-out of the sale of their personal information. The CCPA protects “consumers,” which are broadly defined as California residents. “Consumers” extends to both California residents currently in the state and those traveling outside of the state. They encompass customers of goods and services, employees, and business-to-business transactions.
You might be wondering what type of data is protected under the CCPA. Right now, the data covered can be broadly described as all personal information collected on consumers. You can think of personal information as information that directly or indirectly, identifies, describes, or can reasonably be linked to a particular consumer or household. For example, commercial internet activity information and any inferences drawn about a consumer is considered personal information. There is currently a non-exhaustive list of specific categories of personal information defined in section 1798.140 of the CCPA.
Requirements under the CCPA
The CCPA grants consumers rights to know what personal information a business sells, discloses, or collects about them as well as the categories of third parties who purchased or received their data. Consumers have the right to obtain a copy of personal information collected about them by making “verified consumer requests.” Customers then have the right to transmit the information from one entity to another.
Consumers can request that a business delete any of the personal information that the business has collected from them. The CCPA creates certain exceptions to this deletion right, like when personal information is necessary to perform a contract or complete a transaction.
Consumers are given the right to opt-out of the sale of their personal information, and the CCPA prohibits businesses from discriminating against consumers that exercise their opt-out rights. Companies cannot ask consumers to sign contracts that limit their data privacy rights under the CCPA. This includes contract provisions limiting or waiving the right to a specific remedy or means of enforcement for an alleged violation
Responding to consumer rights requests
Businesses subject to the CCPA must implement processes to respond to verified consumer requests and opt-out requests. For example, responses to customer requests must cover the 12-month period preceding the request, so companies must have a way to date the data they collect.
Right to Know (Access and portability)
Businesses subject to the CCPA must generally respond to consumers requests for information within 45 days of receiving a request, which may be delivered by mail or electronically in a portable format.
Right to Delete
If requested, businesses subject to the CCPA must delete the consumer’s personal information from its records unless maintaining the information is necessary to complete a transaction, for security or fraud-prevention purposes, or another purpose listed in the CCPA. You should consult the CCPA for further details on these exceptions.
How will Knock help you comply with the CCPA?
We are ready to assist you, as applicable, with any verified consumer request you might receive. If you have provided us with the personal information from any California consumer in connection with your use of our Services, and you need our assistance with either a Right to Delete or Right to Know request, simply send us an email at firstname.lastname@example.org.
You will need to identify the following in the email for us to assist with the request:
- The requesting consumer’s name and email address
- Whether you need assistance with a consumer “Right to Delete” Request or a “Right to Know” Request
- The date you received the consumer request
We will send you an email confirming that we have received your request for assistance. Given the timing for complying with such requests in the CCPA, we will endeavor to take the action you request in a timely manner.