The attorney general’s office has posted a set of FAQs and corresponding responses on its California Consumer Privacy Act (CCPA) site. While aimed at providing guidance to consumers about the CCPA, the FAQs can also serve as a quick reference for businesses regarding their CCPA compliance obligations. Below are the highlights.
- Right to Opt Out of Sale: California residents have the right to request that businesses stop selling their personal information (PI), which is an “opt-out request” that can be submitted via the “Do Not Sell My Personal Information” link that businesses must conspicuously provide on their websites and privacy policies. Businesses cannot require residents to create an account to submit opt-out requests, and if businesses ask for PI to complete these requests, they can only use such information to verify the consumers’ identities. Upon receipt of an opt-out request, a business must stop all sales of the consumer’s PI and wait 12 months before prompting the consumer to opt back in. Common exceptions to this opt-out right include sales that are necessary to comply with legal obligations and certain exempted medical or credit report information. Opt-out requests should be submitted to the businesses themselves and not their service providers, as service providers are not responsible for responding to such requests. Businesses can only sell PI of a child under the age of 16 if they have received affirmative “opt-in” consent. If the child is under the age of 13, that consent must come from the child’s guardian.