What disclosures must businesses provide to consumers under CCPA/CPRA?
CCPA/CPRA (California Consumer Privacy Act and California Privacy Rights Act) requires businesses to give consumers transparent, accessible notice about how they handle personal data. Specifically, any business subject to CCPA/CPRA must publish several distinct disclosures, each serving a different purpose in the consumer notice framework. Moreover, these disclosures must meet accessibility requirements for people with disabilities.
In practice, CCPA/CPRA mandates five types of notice:
- Privacy Policy: explains categories of personal information collected, sources, business purposes, consumer rights, and how to submit requests
- Notice at Collection: provided at or before the point of data collection, specifying categories, collection purpose, and whether data is sold or shared
- Notice of Right to Opt-Out: required if you sell or share personal data, displayed as a link or an alternative opt-out mechanism
- Notice of Right to Limit: required if you use sensitive personal data beyond authorized purposes
- Notice of Financial Incentive: required if you offer discounts or benefits in exchange for personal data, explaining the data’s value and the program terms
How must businesses handle opt-out requests and avoid dark patterns?
CCPA/CPRA requires businesses to offer at least two ways for consumers to opt out of the sale or sharing of their personal data. Acceptable methods include a “Do Not Sell or Share My Personal Information” link, a web form, and processing valid opt-out preference signals such as Global Privacy Control (GPC). When a business receives a compliant GPC signal, it must process the opt-out for the device or browser transmitting that signal, with no further action required from the consumer.
In addition, CCPA/CPRA explicitly prohibits dark patterns, meaning interface designs that manipulate users into choices they would not otherwise make. Non-compliant behaviors include:
- Making opt-out harder or more time-consuming than giving consent
- Offering “Accept All” without a clearly visible “Decline All” option
- Using double negatives that confuse the consumer’s choice
- Adding unnecessary steps to refuse consent
How must businesses handle sensitive personal information under CCPA/CPRA?
CCPA/CPRA defines Sensitive Personal Information (SPI) as data such as precise geolocation, racial or ethnic origin, biometric identifiers, and genetic data. Consumers hold a Right to Limit how businesses use or disclose their SPI. Businesses must provide two ways to submit limitation requests and cannot require identity verification for those requests.
However, the right to limit does not apply in all situations. Businesses do not need to offer this right when they use SPI only to:
- Provide the service the consumer requested
- Prevent or detect security incidents or fraud
- Protect physical safety
- Carry out short-term, limited internal operational uses
What are the response deadlines for consumer rights requests under CCPA/CPRA?
CCPA/CPRA sets legally binding timelines for responding to consumer requests. Businesses must acknowledge receipt within 10 business days and provide a full response within 45 calendar days. A single extension of up to 45 additional days is permitted, but only when the business notifies the consumer of the reason for the delay within the original 45-day window. Opt-out requests carry a shorter deadline: businesses must complete them within 15 business days of receipt.
Identity verification rules vary by request type. Verification is required for requests to know, delete, and correct, and for Automated Decision-Making Technology (ADMT) requests. However, businesses must not require verification for opt-out requests, right-to-limit requests, or requests to opt out of ADMT. In practice, the verification standard scales with the sensitivity of the data: two matching data points for category-level requests, and three data points plus a signed declaration for specific data or ADMT results.
When do CCPA/CPRA cybersecurity audits and risk assessments apply?
CCPA/CPRA requires businesses to conduct risk assessments before engaging in certain high-risk processing activities. A risk assessment is mandatory before selling or sharing personal data, processing sensitive personal data, using Automated Decision-Making Technology for significant consumer decisions, training AI models on consumer data, or monitoring consumers in sensitive locations. Businesses must review each risk assessment every three years or after any material change in processing activities.
In addition, CCPA/CPRA imposes a separate cybersecurity audit requirement. A cybersecurity audit applies when a business meets annual revenue thresholds, processes personal data for 250,000 or more consumers, or processes sensitive personal data for 50,000 or more consumers. A qualified and independent professional must conduct the audit, and after completion the business must submit a written certification to the California Privacy Protection Agency (CPPA).