Privacy rights are a core element of modern privacy legislation giving individuals greater control over their personal information and how it is used. The EU General Data Protection Regulation (GDPR) set the groundwork for many of the privacy rights we see included in privacy laws across the world. Many of these rights have been written into US state privacy laws including the right to access, right to erasure, and right to data portability. However, in many cases, the language used to describe these rights differs from the EU to the US. The most obvious example of this is when the individual making the request is referred to as a ‘data subject’ under the GDPR, whereas the same individual is commonly referred to as a ‘consumer’ under the US privacy laws. As a result, we see new rights that are not seen in EU legislation such as the right to opt-out of the sale of personal information and other commercially focused rights.  

Of course, different privacy laws provide different individual rights, and this rings true across US state privacy laws. The California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (CDPA), and the Colorado Privacy Act (CPA) all provide a set of rights for individuals to freely exercise to manage and control how organizations handle their personal information. However, who can exercise these rights, what rights they have, and how organizations must manage privacy rights requests all differ from state to state. 

Privacy Rights Under The CCPA, CPRA, CDPA, and CPA

Generally, the CCPA, CPRA, CDPA, and CPA offer a fairly similar set of rights to consumers, though there are some nuances between each law that should be observed. For example, the CCPA and CPRA require organizations to allow consumers to opt out of the sale of their personal information, whereas the right to opt-out under both the CDPA and CPA is more specific, giving consumers the right to opt out of sale as well as targeted advertising and profiling.

Let’s take a closer look at consumer rights under each state privacy law to have a better understanding of the nuances between them.  

CCPA

The CCPA gives consumers the following rights:

  • The right to know 
  • The right to access  
  • The right to deletion  
  • The right to opt-out of sale  
  • The right to data portability  
  • The right to non-discrimination 

The CCPA also includes a private right of action for consumers to seek damages in cases where unencrypted personal information has been part of a data breach or incident.  

CPRA

The CPRA provides consumers with all the rights found under the CCPA as well as:  

  • The right to rectification 
  • The right to limit the use and disclosure of sensitive personal information 

The CPRA will also amend several of the rights outlined by the CCPA: it extends the right to opt-out to cover the sharing of personal information, and it will expand the private right of action to include more categories of personal information affected by a data breach.

CDPA

The CDPA provides consumers with a set of rights similar to the CCPA and CPRA, but its right to opt-out is more restrictive and can only be exercised in certain circumstances. The rights provided by the CDPA include:

  • The right to confirm if their data is being processed 
  • The right to access 
  • The right to deletion  
  • The right to opt-out of the processing of the personal data for:  
    • Targeted advertising 
    • Sale of personal data 
    • Profiling  
  • The right to data portability  
  • The right to correction 

Unlike the CCPA and CPRA, there is no private right of action under the CDPA.

CPA

The CPA provides consumers with a set of rights that are largely the same as the CDPA, including a narrower scope for the right to opt-out. The CPA includes: 

  • The right to access 
  • The right to opt-out of the processing of the personal data for:  
    • Targeted advertising 
    • Sale of personal data 
    • Profiling  
  • The right to deletion  
  • The right to data portability  
  • The right to correction 

Like the CDPA, the CPA does not provide a private right of action. 

How To Manage Privacy Rights Under the CCPA, CPRA, CDPA, and CPA

When fulfilling privacy rights under US state privacy laws, it is essential to understand your obligations as an organization in each state. The CCPA, CPRA, CDPA, and CPA have different requirements that need to be considered to avoid potential penalties for non-compliance. For example, the CCPA and CPRA require businesses to provide confirmation of a request’s receipt within ten days of the request being made, whereas the CDPA and CPA do not require organizations to send confirmation. Additionally, when responding to privacy rights requests, the CCPA, CPRA, CDPA, and CPA all give organizations 45 days with the possibility of a 45-day extension where necessary and reasonable. The CDPA and CPA also provide consumers with the ability to appeal requests that are rejected by the data controller.  

As discussed in a previous blog, a foundational step towards managing privacy rights across multiple state laws is to conduct a comprehensive data discovery and mapping exercise to create an up-to-date inventory of the personal information that your organization holds. This inventory of accurately classified personal information will help further down the line in the privacy rights request process.  

With a comprehensive data inventory in place, organizations should put in place intake methods for privacy rights requests that match the applicable laws. For instance, businesses operating in California should include a Do Not Sell My Personal Information link, and those who fall under the scope of the CPRA should update it to Do Not Sell or Share My Personal Information. Cookie banners and other external policies should be relevant to the state the website is being visited from, so that the correct opt-ins and opt-outs are collected and communicated downstream.

Identity verification is also an essential part of fulfilling a privacy rights request. The CDPA states that data controllers are not required to fulfill a request if it cannot be authenticated by commercially reasonable efforts. Furthermore, the CCPA gives a broad definition of a ‘verifiable consumer request’ and states that organizations are not obligated to provide personal information absent verifiable identification.

Having verified the privacy rights request, organizations need to find the relevant personal information to fulfill the request. This is where the data inventory will be useful in helping to add regulatory context to the information found, such as whether the information should be considered sensitive personal information – which in the case of the CPRA, CDPA, and CPA would require redaction – or whether the personal information falls under one of the many exemptions outlined across the different state laws.  

The final aspect of privacy rights fulfillment should be universal across all state laws: deliver the information to the requester through an encrypted and secure messaging portal.
