CCPA Right to Disclose Categories of Information Collected (110.a.1)
Overview:
A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following: The categories of personal information it has collected about consumers.
Action Items:
1) Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
2) Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice. In such situations, draft a privacy notice that conforms with both the CCPA and with other privacy laws that may apply (e.g. the GDPR).
3) Review existing methods for submitting access requests to your organization to verify they comply with the CCPA.
4) Draft a "playbook" that provides standard communications that can be sent to individuals who make access requests, and standard formats for reporting personal information.
5) Train employees on the handling of access requests.
6) Verify that the policy in place facilitates the fulfillment of access requests within the time period permitted by the statute.
7) Create a process to readily access the specific Personal Information the Business has about each Consumer. This includes knowing what Personal Information is held and what "category" it falls into; where it is stored; and having the ability to extract it.
8) Create a tracking system that records each access request and how it was handled, so that compliance can be demonstrated.
CCPA Related Documents:
1) Privacy Notice
2) Evidence that consumers can submit a Verifiable Consumer Request (VCR), pursuant to request submission requirements
3) Sample of a VCR submitted by a consumer to ensure it captures all relevant data
Additional Guidance:
Summary of Information to Be Included in Privacy Policies
Under the CCPA, certain information needs to be included in a Business' privacy policy and in any California-specific description of consumers' privacy rights. If a Business does not maintain such policies, this information needs to be included somewhere on its website. Note that this information must be updated at least once every 12 months. The following is required:
1) One or more designated methods for submitting requests permitted under the CCPA
2) A description of a Consumer's rights to: request disclosure of information collected; request disclosure of information sold; be free from discrimination for exercising CCPA rights; and opt out, along with a separate link to the "Do Not Sell My Personal Information" opt-out page
3) A list of the categories (by reference to the CCPA enumerated category) of Personal Information the Business has collected about Consumers in the preceding 12 months
4) Two separate lists of categories (by reference to the CCPA enumerated category) of information the Business has (i) sold or (ii) disclosed for a business purpose, each within the preceding 12 months or, if the Business has not done so, a statement of that fact.
Disclosure of Information Collected
The Business must provide a list of the categories of Personal Information it has collected about Consumers in the preceding 12 months either within its privacy policy or, if it does not have a privacy policy, on its website. This information needs to be updated once every 12 months.
Limitations to Disclosures
A Business is not required to retain Personal Information about a Consumer collected for a single one-time transaction if that information would not normally be retained. Nor is it required to reidentify data that, in the ordinary course of business, is not maintained in a manner that would be considered Personal Information.