CCPA Categories of Personal Information Required to be Disclosed to Consumers (130.c)
Overview:
The categories of personal information required to be disclosed pursuant to Sections 1798.110 and 1798.115 shall follow the definition of personal information in Section 1798.140.
Action Items:
1) Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
2) Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice. In such situations, draft a privacy notice that conforms with both the CCPA and with other privacy laws that may apply (e.g. the GDPR).
3) Review existing methods for submitting access requests to your organization to verify they comply with the CCPA.
4) Review existing policies or procedures for authenticating individuals who make access requests.
5) If no authentication policy exists, draft an appropriate policy for authenticating individuals who make data subject requests.
6) Draft a "play book" that provides standard communications that can be sent to individuals who make access requests, and standard formats for reporting personal information.
7) Train employees on the handling of access requests.
8) Verify that the policy in place facilitates the fulfillment of access requests within the time period permitted by the statute.
9) Create and make available to consumers the required submission options: the Business must make available to Consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number and, if the Business maintains a website, a website address.
10) Establish a means of determining whether a request is a proper Verifiable Consumer Request (VCR). A "Verifiable Consumer Request" means a request where a Business can verify that the Consumer making the request is the Consumer about whom the business has collected Personal Information, or is a person authorized by the Consumer to act on such Consumer's behalf. The attorney general will need to promulgate guidance on what constitutes a VCR, although the Act suggests that a Business can deem a request from a Consumer who is already logged into a service to be verified.
11) Create a process to readily access the specific Personal Information the Business has about each Consumer. This includes knowing what Personal Information is held and what "category" it falls into; where it is stored; and having the ability to extract it.
12) Create a tracking system to ensure compliance with the Response Time and that the request complies with the Applicable Time Period. The Business must respond to a VCR by mail or electronically within 45 days (which can be extended for an additional 45 days upon notice to the consumer). The Business needs to inform the Consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. Note: In a different section, the CCPA states the response to any VCR can be extended for an additional 90 days. It is unclear whether this is in addition to the two 45-day periods noted here. There is no obligation to provide this information to a Consumer more than twice in a 12-month period, and the information provided need only cover the 12-month period prior to the VCR.
13) Create a means to provide requested Personal Information in a portable and readily usable format. The Personal Information, if provided electronically, should be in a portable and readily usable format that allows the consumer to transmit this information from one entity to another entity "without hindrance." If the Consumer has an account with the Business, the Personal Information should be delivered through that account. If the Consumer does not have such an account, it can be delivered by mail or electronically at the Consumer's option. Note that a Business cannot require a consumer to create an account in order to submit a VCR.
14) Create a system that tracks each access request and how it was handled, so that compliance can be demonstrated.
Related Documents:
1) Privacy Notice
2) List of the categories of information required to be disclosed to consumers
Additional Guidance:
Personal Information
Personal Information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with or could be reasonably linked, directly or indirectly, with a particular consumer or household:
1) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number or other similar identifiers.
2) Signature, physical characteristics or description, telephone number, state identification card number, insurance policy number, employment, employment history, bank account number, credit card number, debit card number or any other financial information, medical information or health insurance information.
3) Characteristics of protected classifications under California or federal law.
4) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
5) Biometric information.
6) Internet or other electronic network activity information, including, but not limited to, browsing history, search history and information regarding a consumer's interaction with an internet website, app or advertisement.
7) Geolocation data.
8) Audio, electronic, visual, thermal, olfactory or similar information.
9) Professional or employment-related information.
10) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.
11) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
Exceptions to the Personal Information Definition
1) Publicly Available Information - Information that is publicly available (i.e., lawfully made available from federal, state or local government records) is not covered by the CCPA provided the use is compatible with the purpose for which the data is maintained and made available in the government records. Biometric information collected about a Consumer without the Consumer's knowledge is not deemed "publicly available."
2) Deidentified Public Information - "Deidentified" means information that cannot reasonably identify, relate to, describe, be capable of being associated with or be linked, directly or indirectly, to a particular Consumer, provided that a Business that uses deidentified information (i) has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain, (ii) has implemented business processes that specifically prohibit reidentification of the information, (iii) has implemented business processes to prevent inadvertent release of deidentified information, and (iv) makes no attempt to reidentify the information. The challenge for many Businesses will be determining whether information cannot reasonably "be capable of" being associated with a particular Consumer, directly or indirectly, particularly at a time when advances in data analytics are making it easier to recreate an individual's identity from disparate data elements.
3) Aggregate Consumer Information - "Aggregate consumer information" is defined as information that relates to a group or category of Consumers, from which individual Consumer identities have been removed, and that is not linked or reasonably linkable to any Consumer or household, including via a device.