Part two of this CCPA client alert series focuses on how to verify and respond to consumer requests.
The California Consumer Privacy Act of 2018 (the “CCPA”) and the related proposed Attorney General Regulations (the “Regulations”) provide California consumers with increased privacy rights and protections with respect to their personal information. Businesses that are subject to the CCPA must comply with various notice obligations and requirements related to the collection, deletion and sale of personal information. The California Attorney General intends to begin enforcing the CCPA and the Regulations on July 1, 2020.
Verifying Consumer Requests
- A business must establish, document and comply with a reasonable method for verifying that the person making a request pursuant to the CCPA is, in fact, the consumer about whom the business has collected personal information.
- In determining its verification method, the business must, whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with the Regulations.
- Additionally, the business must avoid collecting certain confidential identifying information, such as the requestor’s driver’s license, passport and social security number, unless necessary to verify the requestor’s identity.
Responding to Consumer Requests
- A business must confirm receipt of a consumer request pursuant to the CCPA within 10 business days and provide information about how it will process the request, including the business’ verification process and when the consumer should expect a response. A business generally must respond to a consumer request within 45 calendar days.
- In response to a verifiable consumer request to know categories of personal information, a business must provide: (1) the categories of personal information collected about the consumer in the last 12 months; (2) the categories of sources from which the personal information was collected; (3) the business or commercial purpose for which it collected or sold the personal information; (4) the categories of third parties with which it shares personal information; (5) the categories of personal information it sold in the last 12 months, and for each category identified, the categories of third parties to which it sold that particular category of personal information; and (6) the categories of personal information that it disclosed for a business purpose in the last 12 months, and for each category identified, the categories of third parties to whom it disclosed that particular category of personal information.
- In response to a verifiable consumer request to delete personal information, a business must (1) permanently and completely erase the personal information on its existing systems, with the exception of archived or back-up systems; (2) de-identify the personal information; or (3) aggregate the consumer information. The business must also inform the consumer whether or not it has complied with the request to delete.
- A business may deny a verifiable consumer request to delete personal information pursuant to certain exceptions outlined in the CCPA. These exceptions include cases where the business must maintain the personal information to complete the transaction for which it was provided, to enable solely internal uses, or to comply with a legal obligation. If a business denies a request, it must inform the consumer that it will not comply with the request and describe the basis for denial, delete the personal information not subject to the exception, and not use the retained personal information for any purpose other than as provided by the applicable exception.
A business must use reasonable security measures when transmitting personal information to a consumer.