CCPA Limitations on Disclosure Requirements (110.d)

Overview:
This section does not require a business to do the following:
(1) Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained.
(2) Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

Action Items:
1) Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
2) Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice. In such situations, draft a privacy notice that conforms with both the CCPA and with other privacy laws that may apply (e.g. the GDPR).
3) Review existing methods for submitting access requests to your organization to verify they comply with the CCPA.
4) Review existing policies or procedures for authenticating individuals who make access requests.
5) If no authentication policy exists, draft an appropriate policy for authenticating individuals who make data subject requests.
6) Draft a "play book" that provides standard communications that can be sent to individuals that make access requests, and standard formats for reporting personal information.
7) Train employees on the handling of access requests.
8) Create a tracking system that records each access request and how it was handled, so that compliance can be demonstrated.

Related Documents:
1) Privacy Policy / Notice

Additional Guidance:
Deletion Exceptions
Deletion is not required where the Personal Information is necessary to:
1) complete the transaction for which the Personal Information was collected; provide a good or service requested by the Consumer or reasonably anticipated within the context of a Business' ongoing relationship with the Consumer; or otherwise perform a contract between the Business and a Consumer
2) detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, or prosecute those responsible for that activity
3) debug and to identify and repair errors that impair functionality
4) exercise or ensure free speech or other legal rights
5) comply with the California Electronic Communications Privacy Act
6) engage in certain research in the public interest that adheres to all other applicable ethics and privacy laws, when deletion is likely to render impossible or seriously impair such research, if the Consumer has provided informed consent
7) undertake internal uses that are reasonably aligned with the expectations of the Consumer's relationship with the Business
8) comply with a legal obligation
9) otherwise undertake internal uses in a lawful manner that are compatible with the context in which the Consumer provided the information.

Disclosure of Information Collected
The Business must provide a list of the categories of Personal Information it has collected about Consumers in the preceding 12 months either within its privacy policy or, if it does not have a privacy policy, on its website. This information needs to be updated once every 12 months.

Limitations to Disclosures
A Business is not required to retain Personal Information about a Consumer collected for a single one-time transaction if that information would not normally be retained. Nor is it required to reidentify data that, in the ordinary course of business, is not maintained in a manner that would be considered Personal Information.