California Consumer Privacy Act (CCPA)

  1. Home
  2. California Consumer Privacy Act (CCPA)

California Consumer Rights Requests

California Residents may submit a Do Not Sell My Personal Information request and exercise other rights on our California Consumer Privacy Act Homepage as described in our U.S. Consumer Privacy Notice.

Information for LexisNexis Risk Solutions Customers

CCPA and CPRA Compliance Planning

The California Consumer Privacy Act of 2018 (CCPA) is effective as of January 1, 2020. LexisNexis Risk Solutions has diligently worked to implement the requirements of the law and is following a detailed compliance plan. We also have a suite of data governance capabilities and industry-leading identity authentication services that can be used for your own CCPA compliance efforts. The CCPA created significant new privacy rights for California consumers as well as new obligations for companies that collect or sell personal information. In order to comply with the CCPA, LexisNexis Risk Solutions has reviewed its data sets and has implemented plans by data and product. We are also using our proprietary linking process to verify identities and process consumer rights under the CCPA. The CCPA includes exemptions for certain data subject to the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Driver’s Privacy Protection Act (DPPA). It also exempts data from government agency records. As a result of these exemptions, many LexisNexis Risk Solutions products are either not subject to the law or are minimally impacted.

On November 3, 2020, California citizens voted to pass the California Privacy Rights Act of 2020 (CPRA) which will be fully effective as of January 1, 2023.  The CPRA builds on and adds new requirements to the California Consumer Privacy Act of 2018 (CCPA). LexisNexis Risk Solutions has been following the CPRA closely and we are making the necessary adjustments to our current CCPA program prior to January 1, 2023. 

For customers of LexisNexis Risk Solutions who have questions, please contact us at ccpa@lexisnexisrisk.com

Using LexisNexis Risk Solutions LexID and Authentication Services for CCPA Compliance

LexID Service

Our customers face CCPA compliance challenges due to the fact that much of the personal data they currently hold about California residents is unstructured. For example, businesses with direct consumer relationships often have an account number for each consumer. That account number is a useful tool for organizing data about customers. However, these same businesses usually have additional data such as email addresses that are not associated with a given account.

The LexisNexis Risk Solutions LexID service can help a business structure its personal data and associate it with a specific consumer identity. It is created using our unparalleled US consumer data set coupled with advanced artificial intelligence-driven linking techniques.

For customers of LexisNexis Risk Solutions who have questions about using our LexID services for CCPA compliance, please contact us at ccpa@lexisnexisrisk.com.

Identity Verification and Authentication Services

A number of our customers use LexisNexis Risk Solutions identity verification and authentication services when they receive requests from consumers seeking to exercise their CCPA rights. Authentication is particularly important when a consumer requests to be informed about what data a business holds about them.

The challenge is to ensure the individual who is submitting a CCPA request isn’t a fraudster — without sacrificing a legitimate consumer’s experience or generating high authentication costs. The multiplicity of consumer touchpoints and devices makes doing this more complex, but also more critical. Our identity verification and authentication solutions help you find balance, mitigate fraud, improve end user satisfaction and easily adapt to emerging channels and trends. We have the tools to help your organization create a comprehensive, layered approach or easily plug into your existing identity management framework. Our capabilities and offerings include:

  • Out of Band solutions to help support higher levels of assurance.
  • Advanced analytics that yield perceptive insights that allow for a more tailored approach to authentication.
  • One of the largest compilations of consumer and business identity intelligence including those individuals with limited or no credit histories.
  • Administration through a single, streamlined platform.

For customers of LexisNexis Risk Solutions who have questions about using our authentication services for CCPA compliance, please contact us at ccpa@lexisnexisrisk.com.

Frequently Asked Questions about the CCPA

What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act is a consumer privacy law that grants California residents certain rights regarding personal information that has been collected, sold, or disclosed by businesses subject to the law. The CCPA was signed into law on June 28, 2018 and became effective on January 1, 2020.

What rights does it grant?
The CCPA grants California residents various rights including:

  • The right to be informed of the categories of personal information being collected, sold or disclosed; the categories of sources from which the information is collected; the purpose for which the information is sold and the categories of third parties to which the information is sold or disclosed; and the specific personal information being collected.
  • The right to have certain personal information deleted.
  • The right to opt out of having personal information sold to a third party.
  • The right to not be discriminated against in pricing, goods or services if a California consumer exercises their CCPA rights.

When does the CCPA take effect?
The CCPA was signed into law on June 28, 2018, and became effective on January 1, 2020.

Who has rights under the CCPA?
The CCPA grants protections and rights to California residents.

What is “personal information” under the CCPA?
“Personal information” is broadly defined under the CCPA and specifically includes the following:

  • Identifiers such as name, alias, address, unique personal identifier, IP address, email, account name, social security number, driver’s license number, passport number, or other similar identifiers
  • Other personal information under California law including physical description, telephone, insurance policy number, financial info, etc.
  • Characteristics of protected classifications under California and federal law
  • Commercial information including purchasing history or tendencies
  • Biometric information
  • Internet or other electronic network activity information (i.e., browsing history, search history, and interactions with websites, apps and advertisements)
  • Geolocation data
  • Audio, electronic, visual, olfactory or similar information
  • Professional or employment related information
  • Educational information
  • Inferences drawn from any of the above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes

At the same time, the CCPA does not apply to “publicly available” information that is lawfully made available from a government source, data that is subject to the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or the Driver’s Privacy Protection Act (DPPA), and data that is deidentified or aggregate consumer data.

What businesses are subject to the CCPA?
The CCPA applies to for-profit entities conducting business in California that meet certain statutory thresholds. 

Is LexisNexis Risk Solutions impacted by CCPA? If yes, then how?
LexisNexis Risk Solutions qualifies as a business subject to the CCPA. However, because of the exemptions currently in the law many LexisNexis Risk Solutions products are either not subject to the law or are minimally impacted.

Frequently Asked Questions about the CPRA

What is the CPRA?
The CPRA builds on and adds new requirements to the California Consumer Privacy Act of 2018 (CCPA). The CCPA is already law and currently in effect, whereas the California Privacy Rights Act of 2020 (CRPA) is a passed ballot initiative that expands the requirements of the CCPA and will soon be effective. 

When will it become effective? 
Operationally, the CRPA will be fully effective as of January 1, 2023.  It can be enforced beginning July 1, 2023.

What does it do? 
The basic structure and underlying requirements of the CCPA do not change under the CPRA.  However, the CPRA creates additional requirements including new notice obligations to inform consumers how their personal information is used, a right to correction, a right to restrict sharing of personal information for cross-context behavioral advertising, and an expanded exemption for publicly available data. In addition, it enables the creation of a new agency, the California Privacy Protection Agency, specifically dedicated to enforcing the CCPA and CPRA.   

What is the California Privacy Protection Agency?

The California Privacy Rights Act established a new agency, the California Privacy Protection Agency (CPPA) to implement and enforce the law. The CPPA has full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act and the California Privacy Rights Act. The CPPA is governed by a board that consists of experts in privacy, technology, and consumer rights. The Board appoints the agency’s executive director, officers, counsel and employees. The CPPA may bring enforcement actions related to the CCPA or CPRA. The California Attorney General will retain civil enforcement authority over the CCPA and the CPRA 

What is LexisNexis Risk Solutions doing to determine the scope of CPRA?   
LexisNexis Risk Solutions has been following the CPRA closely and we are making the necessary adjustments prior to January 1, 2023. We are also continuing to monitor the developments regarding CPRA regulations.

Where do I go for more information?
California Residents may submit a Do Not Sell My Personal Information request and exercise other rights on our California Consumer Privacy Act Homepage as described in our California Consumer Privacy Act Notice.

For customers of LexisNexis Risk Solutions who have questions, please contact us at ccpa@lexisnexisrisk.com.

Frequently Asked Questions about the Virginia Consumer Data Protection Act (VCDPA)

What is the Virginia Consumer Data Protection Act (VCDPA)?

The Virginia Consumer Data Protection Act is a consumer privacy law that grants Virginia residents certain rights regarding personal information that has been collected, sold, or disclosed by businesses subject to the law. The VCDPA was signed into law on March 2, 2021 and is effective as of January 1, 2023.

What rights does it grant?
The VCDPA grants Virginia residents various privacy rights similar to those available under CCPA and CPRA including:

  • The right to confirm whether or not a controller is processing the consumer's personal data and to access such personal data;
  • The right to correct inaccuracies in the consumer's personal data;
  • The right to delete certain personal data;
  • The right to obtain a copy of the consumer's personal data; and
  • The right to opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
When will it become effective?

Operationally, the VCDPA will be fully effective as of January 1, 2023.

Is LexisNexis Risk Solutions impacted by VCDPA? If yes, then how?
LexisNexis Risk Solutions is subject to the VCDPA. The VCDPA includes exemptions for certain data subject to the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Driver’s Privacy Protection Act (DPPA). It also exempts data from publicly available records. As a result of these exemptions, many LexisNexis Risk Solutions products are either not subject to the law or are minimally impacted.