When a business receives a request from a consumer to access the personal information that the business has “collected,” it must decide whether to grant the request or to deny it based upon one of the exceptions to access contained in the CCPA.1 If the business decides to grant the request, the CCPA states only that the “specific pieces of personal information [the business] has collected about that consumer” should be produced.2 It does not mandate that all copies of the information be produced. As a result, if a business collects information about a consumer, transmits a copy of that information to one or more service providers, but maintains the original information in its own files, it can satisfy the access requirements of the CCPA using its own copy and without flowing down the access request.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. CCPA, Section 1798.100(a) (right of access); 1798.145 (exemptions and exceptions that can be asserted in connection with a request for access).
2. CCPA, Section 1798.110(a)(5).