- the right to “opt-out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in);
- the right to have a business delete their personal information, with some exceptions; and
- the right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.
The Act’s provisions are designed to put these rights into practice. The Act requires that companies make certain disclosures to consumers via their privacy policies, or otherwise at the time the personal data is collected. For example, businesses need to disclose proactively the existence and nature of consumers’ rights under the Act, the categories of personal information they collect, the purposes for which that personal information is collected, and the categories of personal information that they sold or disclosed in the preceding 12 months. In terms of compliance, these provisions will require companies to determine what personal data they are collecting from individuals and for what purposes, and to update their privacy policies every 12 months to make the disclosures the Act requires.
Companies that sell consumer data to third parties will need to disclose that practice and give consumers the ability to opt out of the sale by supplying a link titled “Do Not Sell My Personal Information” on the business’s home page. This is known as the right to “opt out.” The Act further provides that a business must not sell the personal information of consumers younger than 16 years of age without that consumer’s affirmative consent (or, for consumers younger than 13 years of age, without the affirmative consent of the consumer’s parent or guardian). This is known as the right to “opt in.”
Consumers also have the right to request certain information from businesses, including, for example, the sources from which a business collected the consumer’s personal information, the specific pieces of personal information it collected about the consumer, and the third parties with which it shared that information. The Act requires businesses to provide at least two means for consumers to submit requests for disclosure including, at minimum, a toll-free telephone number and Web site. Additionally, businesses will have to disclose the requested information free of charge within 45 days of the receipt of a consumer’s request, subject to possible extensions of this time frame. Companies therefore will need to determine how they can monitor their data sharing practices and marshal the requested information within a short period of time pursuant to a data subject’s request.
The Act also forbids businesses from “discriminating” against consumers for exercising their privacy rights under the Act. More specifically, that means businesses cannot deny goods or services, charge different prices for goods or services, or provide a different quality of goods or services to those consumers who exercise their privacy rights. However, the Act does permit businesses to charge a different price, or provide a different level of service, to a customer “if that difference is reasonably related to the value provided to the consumer by the consumer’s data.” How this confusingly worded loophole will be interpreted remains to be seen.