• Opt-Out. Businesses must provide a clear and conspicuous link on their website that says, “Do Not Sell My Personal Information,” and provide consumers a mechanism to opt out of the sale of their personal information, a decision which the Business must respect.
  • Right to Deletion. The CCPA will require a business, upon verifiable request from a consumer, to delete personal information about the consumer which the business has collected from the consumer and direct any service providers to delete the consumer’s personal information.
  • Non-Discrimination and Financial Incentives. Businesses cannot discriminate against consumers for exercising any of their rights under the CCPA. Businesses can, however, offer financial incentives for the collection, sale, or deletion of personal information.
  • Disclosures. The CCPA will require Businesses to provide notice to consumers of their rights under the CCPA (e.g., the right to opt out of the sale of their personal information), a list of the categories of personal information collected about consumers in the preceding 12 months, and, where applicable, that the Business sells or discloses their personal information. If the Business sells consumers’ personal information or discloses it to third parties for a business purpose, the notice must also include lists of the categories of personal information sold and disclosed about consumers, respectively. Businesses will be required to make this disclosure in their online privacy notice.


  • The CCPA is enforceable by the California AG and authorizes a civil penalty up to $2,500 for each violation or $7,500 for each intentional violation.
  • The CCPA provides a private right of action only in connection with certain breaches of a consumer’s nonencrypted or nonredacted personal information, as defined in the state’s breach notification law, if the business failed “to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” The consumer may bring an action to recover damages up to $750 per incident or actual damages, whichever is greater.

For more information on the CCPA and a variety of other cybersecurity and data privacy topics, please visit Hunton Andrews Kurth’s Privacy & Information Security Law Blog at huntonprivacyblog.com.

Lisa Sotto chairs Hunton Andrews Kurth’s Global Privacy and Cybersecurity practice and has received widespread recognition for her work in this area. Lisa can be reached at LSotto@HuntonAK. com or (212) 309-1223. Aaron Simpson is a partner with Hunton Andrews Kurth and leads the firm’s EU Data Protection and Privacy practice. Aaron can be reached atASimpson@HuntonAK. com or (212) 309-1126. Brittany Bacon is a partner with Hunton Andrews Kurth and focuses on global privacy and data protection, with a particular emphasis on cybersecurity events. Brittany can be reached at BBacon@HuntonAK.com or (212) 309-1361.

Return to Index


For reprint and licensing requests for this article, CLICK HERE.