The much anticipated California Consumer Privacy Act (“CCPA”) is now in effect (as of January 1, 2020), and as we’ve recently reported, class action litigation under the CCPA has already begun. Organizations should have already assessed whether their business is subject to the new law and if so, taken steps to ensure compliance. Likely, one of the most difficult compliance areas of the CCPA is responding to consumer requests to know the personal information a business collects about them. Under the CCPA consumers have the right to know what personal information a business is collecting about them. The information must be made available, free of charge, within 45 days, although extensions are available in limited circumstances. The business’s response to a request to know must be in a “readily useable format that allows the consumer to transmit this information to another entity without hindrance.” In addition, in October of 2019, as required by the CCPA, Attorney General Xavier Becerra announced Proposed Regulations that operationalize the new law and provide clarity and specificity to assist in implementation of the CCPA. The Proposed Regulations, which were recently updated, have yet to be finalized, but as is, have a technical and substantive impact on the consumer request to know process.
The CCPA defines “personal information” very broadly, which is the reason consumer requests to know are particularly cumbersome for businesses. Per the statute, personal information is that which “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes the types of personal information we are used to seeing, including Social Security numbers and driver’s license numbers, it also includes a person’s name and address (physical and email). In addition, it may include less obvious things like the person’s browsing history, biometric data, and geolocation data.
The following are practical tips for handling consumer requests to know:
Preparing for compliance
- Identification of process owner: Organizations should designate a person or team to handle requests to know.
- Develop an effective process: Organizations should have clear internal policies and procedures for responding to requests. Like the discovery process in litigation, reviewing data in response to a request can be incredibly burdensome. Personal information must be transmitted securely and all deleted information must be permanently erased, deidentified or aggregated. Organizations may want to employ technology and outside partners to make this process more efficient. For example, current technology is available to make files more easily searchable, to extract key metadata, and to remove duplicate files to eliminate redundancy. In addition, organizations must maintain records of consumer requests for at least 24 months, and these records generally cannot be used for any other purpose.
- Training: The response team (which may include third party service providers if applicable), and other key staff and management involved in handling requests must receive training on what a consumer may request and the organization’s policies and procedures for responding to requests.
- Data mapping: Organizations should have an easy-to-access file of what personal data it is storing, why it has the data, how it uses the data, with whom it shares the data, how long it retains the data, and where it is located.
- Provide a method for requests: Under the CCPA, organizations are required to create at least two designated methods for submitting disclosure requests, including, at minimum, a toll-free number and another acceptable method, such as an email address. Organizations should provide clear direction on how to submit requests to know and should not make the process difficult, as this could lead to fines for non-compliance.
Responding to a request
- Ensure request is valid: To comply with requests to know, organizations need verification and authentication processes to confirm the identity of the consumer making the request and the validity of the request. A request made by a third party on behalf of someone else should be refused without written authority. The Proposed Regulations require organizations to establish, document and comply with reasonable methods for verifying the identity of the consumer. There are also several factors for determining the “reasonable” identity verification method:
- The type, sensitivity and value of the personal information collected;
- The risk of harm to the consumer posed by unauthorized access or deletion;
- The likelihood that fraudulent or malicious actors would seek the personal information;
- Whether the personal information the consumer must provide in order to verify their identity is easily spoofed or fabricated;
- The manner in which the business interacts with the consumer; and
- Available technology for verification.
If the identity of the consumer cannot be verified, the individual submitting the request must be informed that the request cannot be verified. Moreover organizations must implement reasonable security measures to detect fraudulent identity verification activity and prevent unauthorized access to these records. Note that there are separate verification requirements if the organization maintains a password-protected account with the consumer. Organizations should not collect additional data during the verification process. Instead, they should rely on existing credentials. For example, if, during the period it collected the data, the organization required a dedicated user name, it should use this to verify the requester. We will be addressing some of these issues in other posts; check out one of our recent blog posts on the topic available here.
- Narrow the search: Ideally, requests to know should be as specific as possible, and organizations should work with the requestor to narrow the scope as much as possible. For example, if a consumer requests all personal information ever collected by the organization, the search could be vast. But if the organization works with the consumer to determine the specific matter of the consumer’s concern, the requesting consumer may agree to narrow the scope of the request.
- Determine universe of data that should be searched: This may include electronic records, emails, archived information, information stored on organizational databases and paper files. The CCPA requires disclosure of certain information in response to a request to know, including the source, the purpose for collection and any third parties with which the data is shared, among others; organizations should ensure they are disclosing all required information.
- Ensure response is timely: Organizations must confirm receipt of a request within 10 business days and respond to the request within 45 calendar days from the time the request is received, not from when the request is verified although an extension may be possible. It can take a considerable amount of time to respond to a request, and this is a short timeframe. Thus, organizations should begin work on the request as soon as it is received.
- Review response to ensure it does not contain the personal information of others: The individual is only entitled to their own personal data, and organizations must redact any documents or information related to another individual, unless that individual has provided consent. This becomes complicated in the context of joint household requests. Under the CCPA, all members of a household can jointly request to know or delete specific pieces of personal information for the household. While the household request was referenced in the CCPA, only in the update to the Proposed Regulations has procedures for this request been addressed – businesses may respond to household requests only if all consumers of the household jointly make the request, the business verifies the identity of each consumer, and verifies that each is current household member. If a member of the household is under 13 years of age, there must be verifiable parental consent before compliance with the request.
- Monitor compliance: Compliance with company policies and procedures for responding to requests should be periodically audited.
It should be noted that under the CCPA consumers are allotted several rights in regards to their personal information, including, for example the “right to delete” the information businesses have collected about them, and while the practical tips described above are particularly geared towards a consumer’s “right to know”, the underlying principles generally can be applied to other forms of consumer requests as well.
In addition, as of now, businesses are exempt from most CCPA obligations in regards to their employees – the exclusion includes information collected “by a business in the course of the natural person acting as a job applicant to, an employee of, director of, officer of, medical staff member of, or contractor of that business” (see more on this in a recent blog post discussing employees under the CCPA). As of now, however, this exemption sunsets on January 1, 2021, and while it is not clear what will be, considering the current direction of privacy law, it seems likely that there will be more and not less privacy protections for employees by the end of 2020.