California Consumer Privacy Act (CCPA)

California Consumer Rights Requests

California Residents may submit a Do Not Sell My Personal Information request and exercise other rights on our California Consumer Privacy Act Homepage as described in our California Consumer Privacy Act Notice.

Information for LexisNexis Risk Solutions Customers

CCPA and CPRA Compliance Planning

The California Consumer Privacy Act of 2018 (CCPA) is effective as of January 1, 2020. LexisNexis Risk Solutions has diligently worked to implement the requirements of the law and is following a detailed compliance plan. We also have a suite of data governance capabilities and industry-leading identity authentication services that can be used for your own CCPA compliance efforts. The CCPA creates significant new privacy rights for California consumers as well as new obligations for companies that collect or sell personal information. In order to comply with the CCPA, LexisNexis Risk Solutions has reviewed its data sets and has made plans by data and product. We are also using our proprietary linking process to verify identities and process consumer rights under the CCPA. The CCPA includes exemptions for certain data subject to the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Driver’s Privacy Protection Act (DPPA). It also exempts data from government agency records. As a result of these exemptions, many LexisNexis Risk Solutions products are either not subject to the law or are minimally impacted.

On November 3, 2020, California citizens voted to pass the California Privacy Rights Act of 2020 (CPRA) which will be fully effective as of January 1, 2023.  The CPRA builds on and adds new requirements to the California Consumer Privacy Act of 2018 (CCPA). LexisNexis Risk Solutions has been following the CPRA closely and we are reviewing our current CCPA program to ensure we make the necessary adjustments prior to January 1, 2023.  You can expect more details as we finalize our assessment of any potential changes required and our efforts to minimize any customer impact.

For customers of LexisNexis Risk Solutions who have questions, please contact us at ccpa@lexisnexisrisk.com

Using LexisNexis Risk Solutions LexID and Authentication Services for CCPA Compliance

LexID Service

Our customers face CCPA compliance challenges due to the fact that much of the personal data they currently hold about California residents is unstructured. For example, businesses with direct consumer relationships often have an account number for each consumer. That account number is a useful tool for organizing data about customers. However, these same businesses usually have additional data such as email addresses that are not associated with a given account.

The LexisNexis Risk Solutions LexID service can help a business structure its personal data and associate it with a specific consumer identity. It is created using our unparalleled US consumer data set coupled with advanced artificial intelligence-driven linking techniques.

For customers of LexisNexis Risk Solutions who have questions about using our LexID services for CCPA compliance, please contact us at ccpa@lexisnexisrisk.com.

Identity Verification and Authentication Services

A number of our customers use LexisNexis Risk Solutions identity verification and authentication services when they receive requests from consumers seeking to exercise their CCPA rights. Authentication is particularly important when a consumer requests to be informed about what data a business holds about them.

The challenge is to ensure the individual who is submitting a CCPA request isn’t a fraudster — without sacrificing a legitimate consumer’s experience or generating high authentication costs. The multiplicity of consumer touchpoints and devices makes doing this more complex, but also more critical. Our identity verification and authentication solutions help you find balance, mitigate fraud, improve end user satisfaction and easily adapt to emerging channels and trends. We have the tools to help your organization create a comprehensive, layered approach or easily plug into your existing identity management framework. Our capabilities and offerings include:

  • Out of Band solutions to help support higher levels of assurance.
  • Advanced analytics that yield perceptive insights that allow for a more tailored approach to authentication.
  • One of the largest compilations of consumer and business identity intelligence including those individuals with limited or no credit histories.
  • Administration through a single, streamlined platform.

For customers of LexisNexis Risk Solutions who have questions about using our authentication services for CCPA compliance, please contact us at ccpa@lexisnexisrisk.com.

Frequently Asked Questions about the CCPA

What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act is a consumer privacy law that grants California residents certain rights regarding personal information that has been collected, sold, or disclosed by businesses subject to the law. The CCPA was signed into law on June 28, 2018 and is effective as of January 1, 2020.

What rights does it grant?
The CCPA grants California residents various rights including:

  • The right to be informed of the categories of personal information being collected, sold or disclosed; the categories of sources from which the information is collected; the purpose for which the information is sold and the categories of third parties to which the information is sold or disclosed; and the specific personal information being collected.
  • The right to have certain personal information deleted.
  • The right to opt out of having personal information sold to a third party.
  • The right to not be discriminated against in pricing, goods or services if a California consumer exercises their CCPA rights.

When does the CCPA take effect?
The CCPA was signed into law on June 28, 2018, and is effective as of January 1, 2020.

Who has rights under the CCPA?
The CCPA grants protections and rights to California residents.

What is “personal information” under the CCPA?
“Personal information” is broadly defined under the CCPA and specifically includes the following:

  • Identifiers such as name, alias, address, unique personal identifier, IP address, email, account name, social security number, driver’s license number, passport number, or other similar identifiers
  • Other personal information under California law including physical description, telephone, insurance policy number, financial info, etc.
  • Characteristics of protected classifications under California and federal law
  • Commercial information including purchasing history or tendencies
  • Biometric information
  • Internet or other electronic network activity information (i.e., browsing history, search history, and interactions with websites, apps and advertisements)
  • Geolocation data
  • Audio, electronic, visual, olfactory or similar information
  • Professional or employment related information
  • Educational information
  • Inferences drawn from any of the above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes

At the same time, the CCPA does not apply to “publicly available” information that is lawfully made available from a government source, data that is subject to the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or the Driver’s Privacy Protection Act (DPPA), and data that is deidentified or aggregate consumer data.

What businesses are subject to the CCPA?
The CCPA applies to for-profit entities conducting business in California that meet certain statutory thresholds. 

Is LexisNexis Risk Solutions impacted by CCPA? If yes, then how?
LexisNexis Risk Solutions qualifies as a business subject to the CCPA. However, because of the exemptions currently in the law many LexisNexis Risk Solutions products are either not subject to the law or are minimally impacted.

Frequently Asked Questions about the CPRA

Are CPRA and CCPA 2.0 the same?
The CPRA builds on and adds new requirements to the California Consumer Privacy Act of 2018 (CCPA). The CCPA is already law and currently in effect, whereas the California Privacy Rights Act of 2020 (CRPA) is a recently passed ballot initiative that will expand the requirements of the CCPA. The CPRA is frequently referred to as “CCPA 2.0” which links it to the CCPA as the law that preceded it. 

When will it become effective? 
Operationally, the CRPA will be fully effective as of January 1, 2023.  It can be enforced beginning July 1, 2023.

What does it do? 
The basic structure and underlying requirements of the CCPA do not change under the CPRA.  Amongst other things, the CPRA creates additional requirements including new notice obligations to inform consumers how their personal information is used, new obligations regarding deletion and notifications to third parties, a right to correction, and an expanded exemption for publicly available data. In addition, it enables the creation of a new agency, the California Privacy Protection Agency, specifically dedicated to enforcing the CCPA and CPRA.   

When will this new California Privacy Protection Agency be formed?
Currently, the California Attorney General’s office is managing privacy enforcement. It has not yet been announced when the new agency will begin operating nor who will lead it, although more information is expected on that front in the near future.  However, the law provides that the California Privacy Protection Agency may assume rulemaking responsibilities the earlier of July 1, 2021, or six months after the Agency provides notice to the Attorney General that it is prepared to begin rulemaking.  At the same time, the CPRA is not fully effective until January 1, 2023 and cannot be enforced until July 1, 2023. 

What is LexisNexis Risk Solutions doing to determine the scope of CPRA?   
LexisNexis Risk Solutions has been following the CPRA closely and we are reviewing our current CCPA program to ensure we make the necessary adjustments prior to January 1, 2023.  You can expect more details as we finalize our assessment of any potential changes required and our efforts to minimize any customer impact. 

Where do I go for more information?
California Residents may submit a Do Not Sell My Personal Information request and exercise other rights on our California Consumer Privacy Act Homepage as described in our California Consumer Privacy Act Notice.

For customers of LexisNexis Risk Solutions who have questions, please contact us at ccpa@lexisnexisrisk.com.