In part 1 of our overview of the CCPA’s consumer rights, we examined the rights to notice, access, opt out, request deletion, and equal services and prices—and potential complications.
This second installment addresses how businesses should prepare for January 1, 2020, when consumer requests related to the rights to access, opt out, and request deletion may start to pour in. More specifically, this post discusses five steps businesses should take to prepare for consumer rights requests. This is not meant as a comprehensive guide and businesses should evaluate their own processes on a case-by-case basis.
1. Know Where Your Personal Information Is
As previously discussed, the CCPA provides consumers with the right to access their personal information. The CCPA does not require businesses to retain information collected for one-time transactions, if the information would not be otherwise sold or retained by the business, or to link information not otherwise maintained as personal information.
However, businesses should remember the CCPA defines "personal information" broadly to include device identifiers, IP addresses, customer numbers, and other persistent or probabilistic identifiers that could be used to identify a particular individual or device.1
Access requests may seem simple but can quickly become complicated given the broad scope of personal information and the likelihood that businesses store this information in multiple locations (for example, device identifiers and IP addresses often live in server logs and analytics systems rather than in a customer database). An information risk assessment or data audit is essential for businesses to understand what personal information they are storing, where it resides, and how they can provide this information to consumers who request access.
2. Establish Request Methods
An appropriate response to a consumer request begins long before the business first hears from the consumer. The CCPA requires businesses to establish at least two methods for consumers to submit requests for information. One of these must be a toll-free telephone number.
If the business has an Internet website, the other must be a website address. There are other options in the statute.2 A pending amendment to the CCPA would allow online-only businesses that have direct relationships with consumers to provide only an email address for requests.
3. Be Ready to Verify Consumers’ Identities
The CCPA is clear that businesses are required to disclose personal information to consumers (or their authorized representatives) only upon receipt of a verifiable consumer request. At this time, the statute does not provide much detail on how to verify consumers; the law merely requires businesses to "reasonably verify" consumers' identity.
Businesses may not require consumers to create an account in order to make a verifiable request. Additionally, businesses should be aware that information collected for purposes of verifying a consumer request may only be used for verification.3
If a business cannot verify a consumer’s identity, the business is not obligated to provide the requested information to the consumer.4
The California Attorney General may adopt regulations that will provide more guidance. For instance, these regulations could address language in the CCPA suggesting that a request submitted through a consumer's password-protected account is per se a verified request, and also provide a mechanism for a consumer who does not maintain an account with the business to make such a request.5
4. Know the Rules on Deadlines and Fees
When a consumer exercises the right to access, businesses have 45 days to disclose and deliver the information. Under the CCPA, verifying a consumer’s identity is not an excuse to extend this deadline.
A one-time extension of either 45 or 90 days (the statute presents conflicting statements on this issue) may be possible, but businesses must notify the customer of any extension within the first 45 days after receiving the request.6
The CCPA requires businesses to provide consumers with their personal information free of charge. However, when faced with requests from a consumer that are "manifestly unfounded or excessive," particularly repeat requests, businesses may either:
- Charge a "reasonable fee" reflecting administrative costs involved; or
- Refuse to respond to the request and notify the consumer of the reason.
The burden of demonstrating a request is manifestly unfounded or excessive falls on the business.7
5. Understand the Limits of the Right to Deletion
Consumers also have the right to request deletion of their personal information collected by businesses. Like the comparable right to erasure under Europe's General Data Protection Regulation (GDPR), this right may be misunderstood.
Importantly, the right to deletion is not absolute. Businesses are not required to comply with a deletion request if the consumer’s personal information is necessary for a number of specified purposes, including completing a transaction, detecting security incidents, exercising free speech, complying with a legal obligation, or otherwise using the personal information internally and "in a lawful manner that is compatible with the context in which the consumer provided the information."8
The last exception appears open to broad interpretation. However, rather than assume they can rely on it as a blanket exception, businesses should take this as an opportunity to review—and document—what internal uses of personal information are compatible with the context in which the consumer provided it.
No Time Like the Present
Failure to respond to consumer requests on time could invite regulatory scrutiny and, worse, an enforcement action. By investing time and resources now to develop and implement sound response procedures in line with statutory requirements, you can identify and avoid easy-to-spot pitfalls and be ready to respond promptly to consumers' requests when they begin to arrive on January 1, 2020.