In response to an access request, does a company have to produce its own work product?

BCLP

Maybe.

The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.

Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:

  1. The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
  2. Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3

A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to internal documents regarding a consumer, because doing so could be construed as an unauthorized disclosure of the document creator’s personal information.

A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:

[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4

Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:

  • Inferences about a consumer
  • Background programming
  • Background responses (e.g., internal responses to consumer requests and/or consumer activity)
  • Internal information unrelated to the consumer (e.g., background data describing a web page that the consumer navigated to)
  • Internal notes about a consumer

For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase (such as the consumer’s name, phone number, mailing address, and the request made) is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made (such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior) is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.

For more information and resources about the CCPA visit http://www.CCPA-info.com. 


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. 1798.100(b).

2. 1798.145(j).

3. 1798.150(a).

4. 1798.140(e).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising

Written by:

BCLP