CCPA Disclosure of Categories Sold to Third Parties After Receipt of a Consumer Request (115.b)

Overview:
A business that sells personal information about a consumer, or that discloses a consumer's personal information for a business purpose, shall disclose, pursuant to paragraph (4) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) to the consumer upon receipt of a verifiable consumer request from the consumer.

Action Items:
1) Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
2) Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice. In such situations, draft a privacy notice that conforms with both the CCPA and with other privacy laws that may apply (e.g. the GDPR).
3) Review existing methods for submitting access requests to your organization to verify they comply with the CCPA.
4) Train employees on the handling of access requests.
5) Verify that the policy in place facilitates the fulfillment of access requests within the time period permitted by the statute.
6) Establish a means to establish a request is a proper Verifiable Consumer Request (VCR). A "Verifiable Consumer Request" means a request where a Business can verify that the Consumer making the request is the Consumer about whom the business has collected Personal Information or is a person authorized by the Consumer to act on such Consumer's behalf. The attorney general will need to promulgate guidance on what constitutes a VCR, although the Act suggests that a Business can deem a request from a Consumer who is already logged into a service to be verified.
7) Create a process to readily access the specific Personal Information the Business has about each Consumer. This includes knowing what Personal Information is held and what "category" it falls into; where it is stored; and having the ability to extract it.
8) Create a tracking system to ensure compliance with the Response Time and that the request complies with the Applicable Time Period. Business must respond to a VCR by mail or electronically within 45 days (which can be extended for an additional 45 days upon notice to the consumer). The Business needs to inform the Consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. Note: In a different section, the CCPA states the response to any VCR can be extended for an additional 90 days. It is unclear whether this is in addition to the two 45 day periods noted here. There is no obligation to provide this information to a Consumer more than twice in a 12-month period, and the information provided need only cover the 12-month period prior to the VCR.
9) Create a means to provide requested Personal Information in a portable and readily usable format. The Personal Information, if provided electronically, should be in a portable and in a readily usable format that allows the consumer to transmit this information from one entity to another entity "without hindrance." If the Consumer has an account with the Business the Personal Information should be delivered through that account. If the Consumer does not have such an account, it can be delivered by mail or electronically at the Consumer's option. Note that a Business cannot require a consumer to create an account in order to submit a VCR.
10) Create a tracking system to each access request and how it was handled to be able to demonstrate compliance.

Related Documents:
1) Privacy Notice
2) Evidence that consumers can submit a Verifiable Consumer Request (VCR), pursuant to request submission requirements
3) Sample of a VCR submitted by a consumer to ensure it captures all relevant data
4) List of the categories of personal information that the business collected about consumers
5) List of categories of personal information that the business sold about the consumer
6) List of the third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
7) List of the categories of personal information that the business disclosed about the consumer for a business purpose.

Additional Guidance:
Verifiable Consumer Requests (VCRs)
Businesses must only provide this information after receipt of a Verifiable Consumer Request (VCR). A "Verifiable Consumer Request" means a request where a Business can verify that the Consumer making the request is the Consumer about whom the business has collected Personal Information or is a person authorized by the Consumer to act on such Consumer's behalf. The attorney general will need to promulgate guidance on what constitutes a VCR, although the Act suggests that a Business can deem a request from a Consumer who is already logged into a service to be verified.

Right to Refuse a Consumer Request
A business can refuse a request for the deletion or disclosure of Personal Information in two situations:
1) A Business can determine it has a basis not to comply with the Consumer's request provided it promptly informs the Consumer of that decision (and at least within the time periods required under the applicable CCPA provisions). That notice must explain the Business' rationale and any rights the Consumer may have to appeal that decision to the Business. Note that the CCPA does not seem to mandate that the Business provide an appeal right. In order to be able to invoke this exception, a Business should have a documented policy for when they will refuse a Consumer request and a mechanism to inform the Consumer of that decision within the required time frame.
2) A Business can determine that a request from a Consumer is "manifestly unfounded or excessive, in particular because of their repetitive character." In such a case, the Business can (i) refuse the request provided it promptly informs the Consumer of that decision (and at least within the time periods required under the applicable CCPA provisions), and (ii) can charge a reasonable fee to comply with the request, based on its costs. Although the Business bears the burden of demonstrating that a request is "manifestly unfounded or excessive," the CCPA offers no guidance on how that decision should be made. In order to be able to invoke this exception, Businesses should have a documented policy to determine when a request is excessive so it is not doing so on an ad hoc basis. The Business should also establish a policy as to whether it will charge for the request or refuse it, and if it does charge, have a method for determining a reasonable fee.