The CCPA states that a business should disclose any information that it is required to disclose in response to an access request “in writing” and “delivered through the consumer’s account with the business.”1 The requirement, of course, assumes that a business maintains an “account” or portal through which it typically communicates with a consumer. For businesses that do not maintain consumer portals, the CCPA requires the business to provide the requested information “by mail or electronically at the consumer’s option.”2 As a result, businesses should first attempt to leverage any customer portal that they maintain; absent such an option, they should defer to any request from the consumer to receive the data electronically or by mail. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.3
In comparison, the European GDPR gives individuals two separate rights – a right to access the personal data that a company holds about them,4 and a right to receive personal data in a “portabl[e]” format.5 While those rights are interrelated, they are not co-extensive.
An individual’s right of “access to the personal data” that a company holds about them (or at least to receive a description of the type of personal data that a company holds about them) applies regardless of why a company that is considered a “controller” maintains personal information about the individual. When a request relating to this right is received, the GDPR does not mandate that a company provide the information to the data subject in any particular format. Some supervisory authorities have recognized that while a data subject may prefer a response electronically, a company can satisfy its obligation by producing the information in any “intelligible form” including by providing a “photocopy or print-out of the relevant information.”6
In contrast, an individual’s right to receive their personal data in a portable format only applies when a company’s processing is based either on the fact that the data subject provided their consent for the processing, or the data subject entered into a contract with the company.7 When a request relating to the portabiltiy right is received, the company is obligated to provide the data in an electronic format.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. CCPA, Section 1798.130(a)(2).
2. CCPA, Section 1798.130(a)(2) (emphasis added).
3. See Assembly Bill 25 passed on November 13, 2019.
4. GDPR, Article 15.
5. GDPR, Article 20.
6. UK Information Commissioner’s Office, Subject Access Code of Practice: Dealing with Requests from Individuals for Personal Information at 42.
7. GDPR, Article 20(1)(a). See also Article 29 Data Protection Working Party, WP 242: Guidelines on the right to data portability at 8 (5 Apr. 2017).