CCPA Delivery Method, Portability, and Timeframe (100.d)

Overview:
A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.

Action Items:
1) Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
2) Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice. In such situations, draft a privacy notice that conforms with both the CCPA and with other privacy laws that may apply (e.g. the GDPR).
3) Review existing methods for submitting access requests to your organization to verify they comply with the CCPA.
6) Draft a "play book" that provides standard communications that can be sent to individuals that make access requests, and standard formats for reporting personal information.
7) Train employees on the handling of access requests.
8) Verify that the policy in place facilitates the fulfillment of access requests within the time period permitted by the statute.
9) Create and make available to consumers the following Submission Options: The Business must make available to Consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the Business maintains a website, a website address.
10) Create a process to readily access the specific Personal Information the Business has about each Consumer. This includes knowing what Personal Information is held and what "category" it falls into; where it is stored; and having the ability to extract it.
11) Create a tracking system to ensure compliance with the Response Time and that the request complies with the Applicable Time Period. Business must respond to a VCR by mail or electronically within 45 days (which can be extended for an additional 45 days upon notice to the consumer). The Business needs to inform the Consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. Note: In a different section, the CCPA states the response to any VCR can be extended for an additional 90 days. It is unclear whether this is in addition to the two 45 day periods noted here. There is no obligation to provide this information to a Consumer more than twice in a 12-month period, and the information provided need only cover the 12-month period prior to the VCR.
12) Create a means to provide requested Personal Information in a portable and readily usable format. The Personal Information, if provided electronically, should be in a portable and in a readily usable format that allows the consumer to transmit this information from one entity to another entity "without hindrance." If the Consumer has an account with the Business the Personal Information should be delivered through that account. If the Consumer does not have such an account, it can be delivered by mail or electronically at the Consumer's option. Note that a Business cannot require a consumer to create an account in order to submit a VCR.
13) Create a tracking system to each access request and how it was handled to be able to demonstrate compliance.

Related Documents:
1) Privacy Notice
2) Evidence that consumers can submit a Verifiable Consumer Request (VCR), pursuant to request submission requirements
3) Sample of a VCR submitted by a consumer to ensure it captures all relevant data
4) Documentation or screenshots validating portability, format, and content requirements for information submitted to consumers upon successful VCR

Additional Guidance:
Verifiable Consumer Requests (VCRs)
Businesses must only provide this information after receipt of a Verifiable Consumer Request (VCR). A "Verifiable Consumer Request" means a request where a Business can verify that the Consumer making the request is the Consumer about whom the business has collected Personal Information or is a person authorized by the Consumer to act on such Consumer's behalf. The attorney general will need to promulgate guidance on what constitutes a VCR, although the Act suggests that a Business can deem a request from a Consumer who is already logged into a service to be verified.

Submission Options
The Business must make available to Consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the Business maintains a website, a website address.

Verifiable Consumer Requests (VCRs)
Businesses must only provide this information after receipt of a Verifiable Consumer Request (VCR). A "Verifiable Consumer Request" means a request where a Business can verify that the Consumer making the request is the Consumer about whom the business has collected Personal Information or is a person authorized by the Consumer to act on such Consumer's behalf. The attorney general will need to promulgate guidance on what constitutes a VCR, although the Act suggests that a Business can deem a request from a Consumer who is already logged into a service to be verified.

Response Time
Business must respond to a VCR by mail or electronically within 45 days (which can be extended for an additional 45 days upon notice to the consumer). The Business needs to inform the Consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. Note: In a different section, the CCPA states the response to any VCR can be extended for an additional 90 days. It is unclear whether this is in addition to the two 45 day periods noted here.

Portability Format
The Personal Information, if provided electronically, should be in a portable and in a readily usable format that allows the consumer to transmit this information from one entity to another entity "without hindrance."

Method to Deliver the Information
If the Consumer has an account with the Business the Personal Information should be delivered through that account. If the Consumer does not have such an account, it can be delivered by mail or electronically at the Consumer's option. Note that a Business cannot require a consumer to create an account in order to submit a VCR.

Applicable Time Period
There is no obligation to provide this information to a Consumer more than twice in a 12-month period, and the information provided need only cover the 12-month period prior to the VCR.