The CCPA and its implementing regulations identify six types of information requests that a consumer can submit to a business. As the first five requests ask that a business respond with broad information about the type of information collected (as opposed to the actual information itself), they are often referred to as category-level access requests.
The CCPA permits consumers to “institute a civil action” only where certain types of personal information are “subject to an unauthorized access and exfiltration, theft, or disclosure.”1 The CCPA does not provide a private right of action, nor does it provide statutory damages, if a business violates its obligation to provide notice concerning its
The CCPA generally does not require that a company obtain the consent (or the “opt-in”) of a person before collecting or using their personal information. Consent is, required, however, in the following situations:
No.
The European GDPR does not use the term “service provider” and, instead, refers to “processors.” While processors within the GDPR are defined in a similar manner to service providers under the CCPA, the GDPR is far more proscriptive regarding the contractual terms that must be present in a processor agreement. Specifically, the GDPR requires
While United States statutes that require privacy notices differ in terms of what they require to be included within a privacy notice, none mandate that an organization disclose the fact that information may be shared as part of a merger or acquisition.[1] That said, in 2000 the Federal Trade Commission (FTC) took the position
Potentially.
Some consumers may assume that a company owns the payment card-related information that it collects when it accepts payment cards (e.g., credit or debit cards). In order to process payment cards, however, a company typically must enter into a written contract with a payment processor or merchant-bank. Those contracts often specify that payment card-related
The regulations implementing the CCPA make clear that the notice at collection (or the privacy notice if it is being used to satisfy the notice at collection) does not have to be physically provided to a consumer; instead a business must make it “readily available” in a location where consumers are likely to encounter it.
No.
Based upon a review of the websites of the Fortune 500 conducted approximately one year after the CCPA went into effect, 21.4% of websites included a “do not sell my personal information link.” 78.6% of websites did not include a link to opt out of the sale of personal information.1 A review of
As plaintiffs’ attorneys continue to experiment with ways to utilize the California Consumer Privacy Act (CCPA) to obtain quasi-discovery, questions exist whether they may attempt to leverage the obligations imposed by the CCPA on law firms. While the CCPA states that the “obligations imposed on businesses by Sections 1798.110 to 1798.135 [of the CCPA], inclusive,
Litigants traditionally look to the rules of civil procedure in order to get discovery in a litigation. Plaintiff’s attorneys have, however, begun to try to circumvent restrictions within the discovery rules that are designed to limit the number, type, and timing of information requests, by sending out “access requests” on behalf of their clients under