The California Consumer Protection Act
In 2018 California passed the California Consumer Protection Act, a measure that works to put the control of your data in your hands. This act applies to any company doing business with persons residing in California.
Our complete CCPA compliance policy is provided below, as are links to help you submit legal data requests. SunRev has tools that allow you to easily submit CCPA requests. We ask that you review the CCPA policy below to understand how the law affects you and what rights you have when submitting requests.
Your Rights Under the California Consumer Protection Act
- What is the California Consumer Protection Act (CCPA)?
- What information does SunRev collect, and how is it used?
- What rights do I have under the CCPA?
- What information is excluded from CCPA requests?
- What information does SunRev collect and why?
- What services does SunRev Energy use that may relate to the CCPA?
- How do I submit a CCPA request to SunRev?
What is the California Consumer Protection Act (CCPA)?
In 2018 California passed the California Consumer Protection Act (CCPA), a privacy-centric bill aimed at protecting the privacy of California consumers, effective January 1, 2020. This bill sets requirements for how businesses handle consumers’ Personally Identifiable Information (PII) and gives rights to consumers in controlling how that data is used. SunRev has always taken the privacy and security of customer data seriously and has implemented steps that empower you in compliance with the CCPA.
Under the CCPA, consumers have the right to request access to information of theirs we hold, request that the data be deleted, a disclosure of our data collection practices and how the data is used, and request to opt-out of the sale of their data to third parties. SunRev does not and will never sell or rent the types of information outlined in this document.
The CCPA requires that businesses disclose the following: how information is used and, if/how it may be shared with third-party services, how the business’ website responds to “Do Not Track” signals from a web browser.
Consumers also have the right to not be discriminated against for exercising their rights under the CCPA.
Notice to consumers doing business with SunRev outside of California.
While the California Consumer Protection Act legally only applies to consumers in California, we have standardized this process and will honor requests made by consumers who have interacted with SunRev in any state. We are committed to providing the same privacy protections to our customers and potential customers, whether in California or in other states within the U.S.
Details for how to submit CCPA requests and detailed information on how we use consumer data outlined below also apply to any consumer located in the U.S.
What information does SunRev collect, and how is it used?
SunRev collects both personally identifiable information (PII) and non-personally identifiable information when consumers contact us with interest in SunRev offerings and during the ensuing communications to service these requests. This data is stored for the purposes of communication, advertising, and providing agreed-upon or contracted delivery of products and services. We may, at times, share this information with trusted third parties for advertising and marketing purposes, services that we require to conduct regular business, or services that allow us to enhance the services provided to consumers both online and offline.
The information we may collect is as follows and the specific information we collect from each person will depend on the types of interactions and communications that are chosen by that person. Some items below may not be individually considered personally identifiable information but maybe when combined with other items.
- Full name
- Phone number
- Email address
- Physical address
- IP address
- Google Client ID (if available)
We may receive additional information voluntarily provided by you when requesting information about products and services offered by SunRev, or participate in the sales process.
How does the CCPA allow me to make requests regarding my personally identifiable information?
Under the CCPA, California consumers may have the right to make personal information requests, known as the “Right of Access” and “Right of Deletion.” The CCPA requires that businesses respond to all requests within 45 days, and these requests are as follows:
- Right of Access – The consumer may have the right to request and receive a list of personal information and additional details a business collects (or has collected) as well as the intended business use for collecting the data. A Right of Access request entitles a person to request the data collected for the previous 12 months no more than twice within that time period. Data provided by a Right of Access request are restricted from providing highly sensitive data such as social security numbers and banking information.
- Right of Deletion – The consumer may also be able to request that any specific personal information be deleted. With the exception of specific types of data (outlined below under ‘What information is excluded from CCPA requests?’), these deletion requests must be fulfilled by SunRev, and once a deletion request is fulfilled, we will have no access to any data that was previously available to us, which means that Right of Access requests cannot be fulfilled from that point forward.
- Right to Request Disclosure of Data Practices – The consumer may have the right to request disclosure of our business’ data collection and sales practices in connection with requesting consumer, including categories of personal information we have collected, the source of information, our use of the information, and the categories of personal information disclosed or sold to third parties as well as the categories of third parties to whom such information was disclosed or sold. SunRev does not sell or rent any personally identifiable information to any third party, partner, or entity.
- Right to Opt-Out of the Sale of Data – The CCPA allows consumers to opt out of the sale of their data to third parties. SunRev does not and will never sell or rent personal information to third parties. Because of this company policy, we do not provide a method to opt out of the sale of consumer data.
- Rights Against Discrimination – The consumer has the right to not be discriminated against for exercising their rights under the CCPA.
How do you verify the identity of consumers making CCPA requests?
Protecting the data of consumers from fraudulent requests is the highest priority in SunRev’s CCPA compliance procedures. All CCPA requests must be validated through strict measures to ensure that the individual submitting the request is the owner of the information in question. Confirmation methods may include, but are not limited to, the following:
- Verification of information that we have on record.
- Confirmation of identity using multiple communication methods.
- Providing physical identification.
SunRev will confirm and validate any and all requests made for both Right of Access and Right of Deletion requests while protecting the personally identifiable information related to the request itself. If we are unable to validate and confirm the identification of the individual submitting a CCPA request, SunRev is legally obligated and reserves the right to deny that request. Requests must be made by the individual whose data is the subject of request exclusively – the CCPA does not allow for other members of the household to request data on behalf of others within that household unless they are a legal parent or guardian of the minor for which the request is being made. For the purposes of the CCPA, a minor is defined as a person 13 years of age or younger.
What circumstances may affect SunRev’s requirement to comply with a CCPA request?
There are circumstances that exist which may limit or prevent SunRev’s ability and legal requirement to fulfill a Right of Deletion request. According to the CCPA, a deletion request cannot be fulfilled for a SunRev customer where personally identifiable information is required for conducting ongoing business or fulfilling standing contractual obligations.
SunRev may also reject requests for Right of Deletion and Right of Access if reasonable steps have been taken to confirm the identity of the individual making that request yet are unable to determine that the request is being made by the owner of the personal data. This provision protects both consumers and companies from fraudulent and malicious requests by third parties.
The CCPA has been interpreted to state that a Right of Deletion request implies that the individual is also opting out of any further use or collection of that data in the future. However, there may be situations where that, in complying with a Right of Deletion request, SunRev would not be in possession of any data that would allow us to ensure that the information we receive or collect was subject to any requests made regarding that data previously. In the event that you believe we have come into possession of your data either directly or indirectly, please contact us to submit another Right of Access or Right of Deletion request.
If you have a question regarding requests involving SunRev that you believe may be affected by these provisions, please contact us by sending an email to firstname.lastname@example.org or by calling our phone number at (818) 918-8689
Is it possible to confirm that a CCPA request to SunRev has been fulfilled?
Yes. SunRev keeps an anonymized ledger of requests made so that any individual who has made a request, person/organization legally representing an individual who has made a request, or government entity can confirm and verify that a request was received and fulfilled. All confirmation inquiries are also subject to identity verification to ensure that the person or organization submitting a confirmation request is qualified to receive this information. The records of fulfillment are created using a method of one-way encoding for data that could be classified as PII, which allows us to log CCPA requests while remaining in compliance in not retaining any personally identifiable information.
To create and maintain verifiable records, every request is recorded with the following information:
- An anonymized (salted/hashed) value for the methods used to communicate with the person making the request
- Date of the request
- Date of SunRev’s response
- Date of the request’s fulfillment
- Type of request made by the individual (Access, Delete, Lookup)
- Manner/method in which the request was made
- Type of response (accepted or rejected)
- Description and details of denial if the request is denied in whole or in part.
- Email address of the SunRev employee who worked to fulfill the request.
This information will be provided to a properly verified individual or organization in response to a request as described above. These confirmation requests will also be recorded.
How does secure and anonymize PII in their CCPA request ledger?
Maintains ledgers that make use of salted/hashed values for the contact information used to fulfill the request made. This allows us to store a record of the transaction without requiring that we retain any personally identifiable information. When a value (such as an email address or phone number) is hashed, it cannot be “unhashed.” The result is an encrypted version of the original value. No two hashes are alike, and when the same original value is hashed again, it will always result in the same encrypted string.
By using this method, we are able to convert contact information to an encrypted string, delete the records we have, and at a later date, provide a lookup of that record by re-hashing the information an individual provides and then searching for that anonymized value in our request logs. For reference, this secure method of data storage is how the passwords you use on websites and apps are stored and protected.
For more details on what hashing is and how it works, read more here: https://en.wikipedia.org/wiki/Hash_function
How do I opt out of select services that SunRev uses?
How do I submit a CCPA request to SunRev?
In compliance with the CCPA, SunRev provides more than one method to submit a CCPA request. Methods include calling our dedicated toll-free number, sending an email to our CCPA address, or submitting a request via a secure online form. The online form simplifies the request process by allowing the individual making the request to provide information upfront that can help expedite its review and fulfillment. However, we welcome communication via any method and will service all requests equally. If you are ready to submit a request, please ensure that you are familiar with the information located here. If you have questions about making a request or would like more information, please call or email us for assistance.
The SunRev dedicated CCPA phone number:
The SunRev dedicated CCPA email address:
Last updated 8/16/2023