The Practical Guide to the California Consumer Privacy Act: Part 2

BCLP

The California Consumer Privacy Act of 2018 (“CCPA”) is arguably the most comprehensive - and complex - data privacy regulation in the United States. The CCPA was designed to emulate the European General Data Protection Regulation (“GDPR”) in many respects. As a result, United States companies that thought that they were not subject to the GDPR are now laser-focused on the requirements of the CCPA and rushing to verify that their practices comply with the statute. While the CCPA was drafted with an eye toward the GDPR, it also differs from that regulation in many respects. As a result, companies that just finished their push to come into compliance with the GDPR now also must redirect their attention toward the CCPA.

To help address the confusion caused by the CCPA, Bryan Cave Leighton Paisner is publishing this multi-part Practical Guide to the California Consumer Privacy Act.  

Quick Overview

The right to access data refers to the ability of a person to request that a company confirm whether it has personal information about him or her, the type of personal information that the company keeps about the individual, and/or a copy of the specific information that the company keeps on file.  Access requests are sometimes referred to as Data Subject Access Requests or SARs.

Comparison to Other Privacy Laws

The right of access is not a new concept. For example, in Europe, the European Union Charter of Fundamental Rights, which was adopted in 2000, states that “[e]veryone has the right of access to data which has been collected concerning him or her . . . .” That right was further codified in the European Privacy Directive of 1995 and, more recently, in the European GDPR. The majority of data privacy laws in the United States do not include a right to access personal data, but there are some notable exceptions. For example, the Health Insurance Portability and Accountability Act (“HIPAA”) and the Family and Educational Rights and Privacy Act (“FERPA”) confer rights of access in the context of health-related data and student records.

To Do List

  • Review existing methods for submitting access requests to your organization to verify that they comply with the CCPA.
  • Review existing policies or procedures for authenticating individuals that make access requests.
  • If no authentication policy exists, draft an appropriate policy for authentication of individuals that make data subject requests.
  • Draft a “play book” that provides standard communications that can be sent to individuals that make access requests, and standard formats for reporting personal information.
  • Train employees on the handling of access requests.
  • Verify that the policy in place facilitates the fulfillment of access requests within the time period permitted by the statute.

Cross References

CCPA Provisions:

  • Cal. Civil Code 1798.100(a)
  • Cal. Civil Code 1798.110(a)(1)-(5), (b)
  • Cal. Civil Code 1798.130(a)(1)-(7)

GDPR Provisions:

  • Recital 63
  • Recital 64
  • Recital 68
  • Article 15
  • Article 20


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
