
CCPA List of Categories of Personal Information Sold or Disclosed (130.a.5)

Overview:
In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, a business shall in a form that is reasonably accessible to consumers: Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers' privacy rights, or if the business does not maintain those policies, on its internet website, and update that information at least once every 12 months:
(A) A description of a consumer's rights pursuant to Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125 and one or more designated methods for submitting requests.
(B) For purposes of subdivision (c) of Section 1798.110, a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information collected.
(C) For purposes of paragraphs (1) and (2) of subdivision (c) of Section 1798.115, two separate lists:
(i) A list of the categories of personal information it has sold about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information sold, or if the business has not sold consumers' personal information in the preceding 12 months, the business shall disclose that fact.
(ii) A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describes the personal information disclosed, or if the business has not disclosed consumers' personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.


Action Items:
1) Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
2) Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice. In such situations, draft a privacy notice that conforms with both the CCPA and with other privacy laws that may apply (e.g., the GDPR).
3) Review existing methods for submitting access requests to your organization to verify they comply with the CCPA.
4) Review existing policies or procedures for authenticating individuals who make access requests.
5) If no authentication policy exists, draft an appropriate policy for authenticating individuals who make data subject requests.
6) Draft a "play book" that provides standard communications that can be sent to individuals who make access requests, and standard formats for reporting personal information.
7) Train employees on the handling of access requests.
8) Verify that the policy in place facilitates the fulfillment of access requests within the time period permitted by the statute.
9) Create and make available to consumers the following Submission Options: The Business must make available to Consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the Business maintains a website, a website address.
10) Establish a means to determine whether a request is a proper Verifiable Consumer Request (VCR). A "Verifiable Consumer Request" means a request where a Business can verify that the Consumer making the request is the Consumer about whom the Business has collected Personal Information, or is a person authorized by the Consumer to act on that Consumer's behalf. The attorney general will need to promulgate guidance on what constitutes a VCR, although the Act suggests that a Business can deem a request from a Consumer who is already logged into a service to be verified.
11) Create a process to readily access the specific Personal Information the Business has about each Consumer. This includes knowing what Personal Information is held and what "category" it falls into; where it is stored; and having the ability to extract it.
12) Create a tracking system to ensure that each request is answered within the Response Time and handled within the Applicable Time Period. A Business must respond to a VCR by mail or electronically within 45 days (which can be extended for an additional 45 days upon notice to the Consumer). The Business needs to inform the Consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. Note: In a different section, the CCPA states that the response to any VCR can be extended for an additional 90 days. It is unclear whether this is in addition to the two 45-day periods noted here. There is no obligation to provide this information to a Consumer more than twice in a 12-month period, and the information provided need only cover the 12-month period prior to the VCR.
13) Create a means to provide requested Personal Information in a portable and readily usable format. The Personal Information, if provided electronically, should be in a portable and readily usable format that allows the Consumer to transmit this information from one entity to another entity "without hindrance." If the Consumer has an account with the Business, the Personal Information should be delivered through that account. If the Consumer does not have such an account, it can be delivered by mail or electronically at the Consumer's option. Note that a Business cannot require a Consumer to create an account in order to submit a VCR.
14) Create a tracking system that records each access request and how it was handled, so that the Business can demonstrate compliance.


Related Documents:
1) Privacy Notice
2) A list of the categories of personal information the business has sold about consumers in the preceding 12 months
3) A list of the categories of personal information the business has disclosed about consumers in the preceding 12 months


Additional Guidance:
Document Processes and Procedures
While the CCPA does not require that a Business document its compliance processes and procedures, it is a best practice to do so. Most Businesses will find it challenging to comply with the CCPA's requirements without written policies and procedures in place. In addition, if a Business needs to defend its compliance activities in litigation or an enforcement action, it will be important to have documentation showing the steps the Business takes in general and how it addressed the specific issue at hand.


Privacy Notices
A privacy notice (sometimes referred to as a privacy policy or an information notice) is a document provided by a company to data subjects that includes, among other things, a description of what types of personal data the company collects, how the company uses that data, with whom the company shares the data, and how the company protects the data. The CCPA requires that a business provide information about its privacy practices to those Californians about whom it has collected personal information. The privacy notice should typically be given "at or before the point of collection" of the information.


Data Map
In order to comply with many of the CCPA requirements, a Business must first have ready access to certain facts about the Personal Information it collects. This includes:
1) What Personal Information it has collected about a Consumer (both by "category" and specific information), taking into account the broad definition of "collection"
2) The source of that Personal Information (e.g., did the Business collect it directly or obtain it from a third party?); if from a third party, is there an agreement with that party as to Personal Information use or collection?
3) How that Personal Information was collected (e.g., as part of an online application, in the course of a sales transaction, as part of a marketing campaign, etc.)
4) Where that Personal Information is stored and when it is deleted
5) How Personal Information is used by the Business and who has the authority to determine or change that use
6) What Personal Information, if any, was "sold" to a third party (including the identity of those third parties, the method of "sale" and what rights they were granted in the Personal Information), taking into account the broad definition of a "sale"
7) Whether the business knows, or can reasonably ascertain, the age of the Consumer
8) Whether the Consumer has any type of account with the Business


A best practice for gathering and sorting this information is to create a "data map" that traces what Personal Information is ingested by the company and how it is "collected," used, processed, stored and "sold." While there are a variety of ways to organize a data map, most Businesses will find that organizing this information in a way that mirrors how the Business itself is organized will capture the necessary data.