CCPA/CPRA Consumer Privacy Rights
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants California consumers a comprehensive set of privacy rights regarding their personal information.

**Right to Know/Access:** Consumers can request that businesses disclose what personal information they collect, the sources of collection, the business purposes for collection, categories of third parties with whom information is shared, and the specific pieces of personal information collected about them.

**Right to Delete:** Consumers can request deletion of their personal information held by businesses, with certain exceptions such as completing transactions, detecting security incidents, or complying with legal obligations.

**Right to Opt-Out of Sale/Sharing:** Consumers can direct businesses to stop selling or sharing their personal information with third parties. Businesses must provide a clear 'Do Not Sell or Share My Personal Information' link on their websites.

**Right to Correct:** Introduced by CPRA, consumers can request that businesses correct inaccurate personal information maintained about them.

**Right to Limit Use of Sensitive Personal Information:** CPRA added this right, allowing consumers to restrict the use and disclosure of sensitive personal information (such as Social Security numbers, financial data, precise geolocation, race, and health information) to purposes necessary to perform services or provide goods.

**Right to Non-Discrimination:** Businesses cannot discriminate against consumers who exercise their privacy rights through denial of services, different pricing, or different quality of goods or services.

**Right to Data Portability:** Consumers can request their personal information in a portable, readily usable format.

Businesses must respond to verifiable consumer requests within 45 days (extendable by an additional 45 days when reasonably necessary). Privacy managers must establish efficient intake mechanisms, identity verification processes, and response workflows. The CPRA also established the California Privacy Protection Agency (CPPA) for enforcement, supplementing the Attorney General's authority, with penalties up to $7,500 per intentional violation.
CCPA/CPRA Consumer Privacy Rights: A Comprehensive Guide for CIPM Exam Preparation
Introduction
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), represents one of the most significant privacy laws in the United States. For privacy professionals preparing for the CIPM exam, understanding how to respond to consumer requests and manage incidents under CCPA/CPRA is essential. This guide covers the key concepts, operational requirements, and exam strategies you need to master.
Why CCPA/CPRA Consumer Privacy Rights Are Important
CCPA/CPRA is critically important for several reasons:
• It grants California residents comprehensive privacy rights comparable in many ways to those found in the GDPR.
• It applies to businesses worldwide that meet certain thresholds and handle the personal information of California residents.
• It imposes significant penalties for non-compliance, including statutory damages of $100–$750 per consumer per incident for data breaches, and administrative fines of up to $7,500 per intentional violation.
• It established the California Privacy Protection Agency (CPPA), the first dedicated state-level privacy enforcement agency in the U.S.
• It sets a precedent for other U.S. state privacy laws and influences the broader privacy landscape.
What Are CCPA/CPRA Consumer Privacy Rights?
Under CCPA as amended by CPRA, California consumers have the following rights:
1. Right to Know (Right of Access)
Consumers have the right to request that a business disclose the categories and specific pieces of personal information it has collected about them. This includes information about the sources of data, the purposes for collection, and the categories of third parties with whom data is shared.
2. Right to Delete
Consumers can request the deletion of their personal information collected by a business. The business must also direct its service providers and contractors to delete the information, subject to certain exceptions.
3. Right to Correct
Added by CPRA, consumers have the right to request that a business correct inaccurate personal information it maintains about them.
4. Right to Opt-Out of Sale or Sharing
Consumers can opt out of the sale of their personal information or the sharing of their personal information for cross-context behavioral advertising. Businesses must provide a clear "Do Not Sell or Share My Personal Information" link on their website.
5. Right to Limit Use and Disclosure of Sensitive Personal Information
Added by CPRA, consumers can direct businesses to limit their use of sensitive personal information (such as Social Security numbers, financial account details, precise geolocation, race, ethnicity, religious beliefs, and biometric data) to what is necessary for performing the services or providing the goods reasonably expected by the consumer.
6. Right to Non-Discrimination
Businesses cannot discriminate against consumers for exercising their privacy rights. This means they cannot deny goods or services, charge different prices, provide different quality of service, or suggest that exercising rights will result in these outcomes. However, businesses may offer financial incentives for the collection, sale, or retention of personal information.
7. Right to Data Portability
When consumers exercise their right to know, the information must be provided in a portable, readily usable format that allows transmission to another entity without hindrance.
How CCPA/CPRA Consumer Request Handling Works
Applicability Thresholds
CCPA/CPRA applies to for-profit businesses that do business in California and meet one or more of the following:
• Has annual gross revenue exceeding $25 million
• Buys, sells, or shares the personal information of 100,000 or more consumers or households (CPRA raised the threshold from 50,000)
• Derives 50% or more of its annual revenue from selling or sharing consumers' personal information
Submitting Requests
Businesses must provide at least two designated methods for consumers to submit requests, including at minimum a toll-free telephone number and, if the business has a website, a website address. Online-only businesses may provide only an email address.
Verification of Identity
A critical operational element is verifying the identity of the consumer making a request. Businesses must:
• Match at least two data points provided by the consumer with data points maintained by the business for right to know (categories) requests
• Match at least three data points for right to know (specific pieces) requests and right to delete requests
• Use a signed declaration under penalty of perjury for requests for specific pieces of personal information
• Not require the consumer to create an account to make a request
Timelines for Responding
• Businesses must confirm receipt of a request within 10 business days
• Businesses must respond substantively within 45 calendar days of receiving the request
• An extension of an additional 45 calendar days is permitted when reasonably necessary, provided the consumer is notified
• Opt-out requests must be acted upon within 15 business days
Authorized Agents
Consumers may designate an authorized agent to submit requests on their behalf. Businesses may require the authorized agent to provide proof of authorization (such as a power of attorney or signed permission from the consumer) and may separately verify the consumer's identity.
Exceptions to Deletion
Businesses may deny a deletion request if the information is needed to:
• Complete a transaction or provide a requested good or service
• Detect security incidents or protect against malicious, deceptive, or illegal activity
• Debug or identify and repair errors
• Exercise free speech or ensure another consumer's right to free speech
• Comply with the California Electronic Communications Privacy Act
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest
• Enable solely internal uses reasonably aligned with consumer expectations
• Comply with a legal obligation
Service Providers, Contractors, and Third Parties
CPRA introduced a more granular framework for downstream data recipients:
• Service providers process personal information on behalf of a business pursuant to a written contract
• Contractors are similar to service providers but have a distinct contractual relationship
• Third parties are entities that are not service providers or contractors
• Upon receiving a deletion request, businesses must notify service providers and contractors to also delete the data
Sensitive Personal Information
CPRA introduced the concept of sensitive personal information, which includes:
• Social Security number, driver's license, state ID, or passport number
• Account login credentials (username with password or security question)
• Financial account, debit card, or credit card number with access credentials
• Precise geolocation
• Racial or ethnic origin, religious or philosophical beliefs, union membership
• Contents of mail, email, or text messages (unless the business is the intended recipient)
• Genetic data
• Biometric information for identification purposes
• Health information
• Sex life or sexual orientation
Businesses must provide a "Limit the Use of My Sensitive Personal Information" link if they use sensitive personal information beyond what is necessary to perform services reasonably expected by the consumer.
Record Keeping
Businesses must maintain records of consumer requests and how they responded for at least 24 months. Businesses that handle personal information of 10 million or more consumers must also compile certain metrics about request handling and make them publicly available.
Private Right of Action
Consumers have a private right of action only in the case of data breaches resulting from a business's failure to implement and maintain reasonable security procedures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. Consumers must provide 30 days' notice to the business before filing suit, allowing the business to cure the violation.
Enforcement
The California Privacy Protection Agency (CPPA), established by CPRA, has administrative enforcement authority. The California Attorney General retains civil enforcement authority. Administrative fines can be up to $2,500 per unintentional violation and $7,500 per intentional violation or violations involving minors.
Children's Privacy Under CCPA/CPRA
• Businesses cannot sell or share personal information of consumers under 16 without affirmative opt-in consent
• For children under 13, a parent or guardian must provide consent
• For consumers aged 13-15, the consumer can provide their own opt-in consent
• CPRA increased penalties to $7,500 per violation involving minors' data
Key Differences Between CCPA and CPRA
Understanding the CPRA amendments is crucial for the exam:
• New rights: Right to correct and right to limit use of sensitive personal information
• Sharing: Expanded opt-out to include "sharing" for cross-context behavioral advertising, not just "selling"
• Sensitive personal information: New category with specific protections
• Contractors: New category of data recipient with specific contractual requirements
• CPPA: Creation of a dedicated enforcement agency
• Data minimization: Collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to the purposes for which the information was collected
• Storage limitation: Businesses must not retain personal information longer than reasonably necessary for the disclosed purpose
• Audit requirements: Businesses engaged in processing that presents significant risk to consumer privacy may be required to perform annual cybersecurity audits and submit risk assessments to the CPPA
• Threshold change: Changed from 50,000 to 100,000 consumers or households
• Employee and B2B exemptions: Removed (these exemptions expired January 1, 2023)
Operational Best Practices for Responding to Requests and Incidents
1. Intake and tracking: Establish a centralized system for receiving, logging, and tracking consumer requests across all designated channels
2. Identity verification: Implement a robust, tiered verification process that matches the sensitivity of the request type
3. Data mapping: Maintain a comprehensive data inventory to efficiently locate all personal information related to a consumer
4. Workflow automation: Use automated workflows where possible to ensure timely responses within the 45-day window
5. Training: Ensure all employees handling consumer inquiries understand the request process and can direct consumers appropriately
6. Third-party management: Ensure service providers and contractors have appropriate contractual terms and can support deletion and correction requests
7. Documentation: Maintain thorough records of all requests and responses for the required 24-month period
8. Incident response: Maintain an incident response plan that addresses potential data breaches, including notification obligations under California's breach notification law (Civil Code § 1798.82)
Exam Tips: Answering Questions on CCPA/CPRA Consumer Privacy Rights
1. Know the Timelines Cold
Exam questions frequently test your knowledge of specific deadlines. Remember: 10 business days to acknowledge, 45 calendar days to respond, 45-day extension available, 15 business days for opt-out requests, and 24 months for record retention.
2. Distinguish Between Rights
Be clear about which rights existed under the original CCPA and which were added by CPRA. The right to correct and the right to limit use of sensitive personal information are CPRA additions.
3. Understand Verification Requirements
Questions may ask about the appropriate level of verification. Remember the tiered approach: two data points for category requests, three data points for specific pieces and deletion requests, and the signed declaration under penalty of perjury for specific pieces of information.
4. Know the Exceptions
Be familiar with the exceptions to the right to delete. Exam questions may present scenarios where a business can legitimately deny a deletion request. Look for cues like legal obligations, security incidents, or completing a transaction.
5. Differentiate Service Providers, Contractors, and Third Parties
CPRA's three-tiered framework is exam-relevant. Understand the contractual requirements and obligations that differ among these categories.
6. Focus on Sensitive Personal Information
Know the specific categories of sensitive personal information and understand the right to limit its use. This is a frequently tested CPRA concept.
7. Remember the Applicability Thresholds
Be careful with the revenue threshold ($25 million), the consumer/household threshold (100,000 under CPRA, changed from 50,000), and the revenue derivation threshold (50% from selling or sharing).
8. Understand the Enforcement Landscape
Know the roles of both the CPPA and the California Attorney General. Understand the difference between administrative enforcement and the private right of action, which is limited to data breach situations.
9. Pay Attention to Children's Privacy Provisions
Remember the age thresholds (under 13 requires parental consent, 13-15 requires the minor's own opt-in consent) and that violations involving minors carry the higher $7,500 penalty.
10. Compare with GDPR Where Relevant
The CIPM exam may include comparative questions. Note similarities (right to access, delete, correct, portability) and differences (CCPA's opt-out model vs. GDPR's opt-in model for consent, different legal bases, broader scope of GDPR).
11. Read Scenarios Carefully
Many CIPM questions are scenario-based. Pay close attention to details about the type of business, the type of data, the nature of the request, and any stated exceptions. Look for keywords like "sell," "share," "sensitive personal information," and "service provider."
12. Apply the Data Minimization and Purpose Limitation Principles
CPRA introduced these concepts explicitly. When answering questions about data processing practices, consider whether the processing is reasonably necessary and proportionate to the disclosed purpose.
13. Practice Process-Oriented Thinking
The CIPM exam emphasizes the operational and management aspects of privacy. Think in terms of processes, workflows, and governance structures rather than just legal requirements. When a question asks how to respond to a specific request, think through the complete lifecycle: receipt, acknowledgment, verification, processing, response, and documentation.
Summary
CCPA/CPRA represents a landmark U.S. privacy regime that grants California consumers robust rights over their personal information. For the CIPM exam, focus on the operational aspects of responding to consumer requests—verification procedures, response timelines, exception handling, and documentation requirements. Understanding the distinctions introduced by CPRA (new rights, sensitive personal information, the CPPA, and the contractor category) is essential for exam success. Always approach questions with a process-oriented mindset, and remember that the CIPM tests your ability to manage and implement privacy programs, not just your knowledge of legal text.