Effective as of January 1, 2020, the California Consumer Privacy Act (CCPA), allows any Californian resident to request or delete all information a company has saved on them as well as receive a full list of every third party that data was shared with. Further, the new law requires a business to verify and respond to consumer requests within 45 days of initial contact and are subject to servicing requests with data dating back 12 months.
How Right to Know requests are submitted
Under the CCPA, businesses must offer at least two methods of submission — a toll-free number (required) and website address (if the business maintains a website). Here are possible methods for request intake:
- Privacy portal
- Company website
- Web form
- Third-party intake
- Toll-free telephone number
- Email address
- email@example.com or firstname.lastname@example.org
What does a proper request intake process look like for a company? It includes a “do not sell my information” form as well as a privacy request intake for, easily accessible through a company’s homepage or privacy page. Forms are clear, concise, provide a verification process, and an option to choose the type of request.
Types of submissions a consumer may submit
Right to Know
The CCPA data access request provides California residents the right to access their personal data by contacting the company. This even extends to metadata, including sources of the data, the purposes of processing or collecting the data, and third parties with access to the data.
1798.100. (a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
- The categories of personal information it has collected about that consumer.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information it has collected about that consumer.
Under the CCPA, consumers are granted the right to request for a business to delete data stored on them. This can be fulfilled through a subject request (as mentioned above), and the business must also verify that the requester is the correct data subject. Businesses are required to delete the subject’s data when requested in most circumstances. To paraphrase the law, a business must delete the data — unless the data is essential to maintaining security, is needed for repair, or is subject to another legal obligation.
CCPA 1798.105. (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
Verification, time, and portability: what you can expect
Businesses are required to verify a consumer’s identity before providing information. This includes a “Verifiable Consumer Request” or a request where a business can verify that the consumer making the request is associated with the data or authorized to make a request by the consumer.
It’s important to note that verification processes can be tricky at times and further compromise consumer privacy and diminish trust. In a recent article on Bloomberg, Alistair Barr outlines a privacy portal gone wrong, detailing how during certain verification processes, consumers may be asked to provide additional personal information to companies beyond the one receiving a request.
Alastair stated, “In the process of trying to retrieve my data… I handed over more sensitive personal details than I’ve ever knowingly given to almost any other business.” He outlines the difficulty and challenges that come with verification and emphasizes how delicate privacy processes can be due to the type of information being handled. He summarizes his experience stating, “Roughly two hours into the process, at least three companies (and possibly 10 or more companies) have access to a photo of me, pictures of my driver’s license, my signature, name, email, and home address.”
If managed correctly, however, verification can be a seamless process that utilizes the data a company already has and ensures that data is sent to the correct recipient.
Through our privacy platform, DataGrail customers utilize data already on-hand to verify a user’s identity, contacting them through a secure message and link before processing to send or delete any data. The layers of verification can be adjusted depending on the type of request and the applicable legal framework. This process ensures the security of the user’s data and protects their privacy by staying clear of additional data intake.
Businesses must respond to a request by mail or electronically within 45 days. If there are excusable delays, businesses may inform the consumer of an extension of 45 days with a receipt of the request along with reasons for the extension. Businesses are not required to provide personal information to a specific consumer more than twice in a 12-month period.
Personal information, if provided electronically for a consumer request, should be in a “portable and (to the extent technically feasible) in a readily usable format that allows the consumer to transmit this information to another entity without hindrance. – (1798.100.d)” If the consumer has an account with the business, the personal information should be delivered through that account as a secondary security measure. If the consumer does not have an account, the data can be delivered by mail or electronically.