Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

California AG publishes CCPA FAQs

Privacy/Cyber Risk & Data Security State Issues CCPA California State Attorney General Opt-Out Disclosures

Privacy, Cyber Risk & Data Security

The California attorney general recently published a set of frequently asked questions providing general consumer information on the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. Final proposed regulations were submitted by the AG last month as required under the CCPA’s July 1 statutory deadline (covered by InfoBytes here), and are currently with the California Office of Administrative Law for review. The FAQs—which will be updated periodically and do not serve as legal advice, regulatory guidance, or as an opinion of the AG—are intended to provide consumers guidance on exercising their rights under the CCPA.

  • General CCPA information. The FAQs address consumer rights under the CCPA and reiterate that these rights apply only to California residents. This section also clarifies the definition of “personal information,” outlines businesses’ compliance thresholds, and states that the CCPA does not apply to nonprofit organizations and government agencies. The FAQs also remind consumers of their limited ability to sue businesses for CCPA violations and details the conditions that must be met before a consumer may sue a business for a data breach. The FAQs remind consumers that if they believe a business has violated the CCPA, they may file a complaint with the AG’s office.
  • Right to opt-out of sale. The FAQs answer common questions related to consumers’ requests for businesses not to sell their personal information. The FAQs provide information on the steps for submitting opt-out requests, as well as explanations for why a business may deny an opt-out request. It also address circumstances where a consumer receives a response from a service provider that says it is not required to act on an opt-out request.
  • Right to know. The FAQs discuss a consumer’s right to know what personal information is collected, used, shared, or sold, and clarifies what consumers should do to submit requests to know, how long a business may take to respond, and what steps should be taken if a business requests more information, denies a request to know, or claims to be a service provider that is not required to respond.
  • Required notices. The FAQs outline the disclosures that businesses must provide - i.e., the “notice at collection” and privacy policy. It also discusses the common places where notices at collection and privacy policies are located.
  • Request to delete. The FAQs address several questions related to consumers’ right to delete personal information, including how to submit a request to delete, businesses’ responses to and denials of requests to delete, and why a debt collector may make an attempt to collect a debt or a credit reporting agency may provide credit information even after a request to delete has been made.
  • Right to non-discrimination. Consumers are reminded that a business “cannot deny goods or services, charge. . .a different price, or provide a different level or quality of goods or services just because [a consumer] exercised [his or her] rights under the CCPA.”
  • Data brokers. The FAQs set forth the definition of a data broker under California law and outline steps for consumers interested in finding data brokers that collect and sell personal information, as well as measures consumers can take to opt-out of the sale of certain personal information.