CCPA One-time Transactions (100.e)
Overview:
This section shall not require a business to retain any personal information collected for a single, one-time transaction, if such information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.
Action Items:
1) Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
2) Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice. In such situations, draft a privacy notice that conforms with both the CCPA and with other privacy laws that may apply (e.g. the GDPR).
3) Review existing methods for submitting access requests to your organization to verify they comply with the CCPA.
4) Review existing policies or procedures for authenticating individuals that make access requests.
5) Train employees on the handling of access requests.
6) Create a means to provide requested Personal Information in a portable and readily usable format. The Personal Information, if provided electronically, should be in a portable and readily usable format that allows the consumer to transmit this information from one entity to another entity "without hindrance." If the Consumer has an account with the Business, the Personal Information should be delivered through that account. If the Consumer does not have such an account, it can be delivered by mail or electronically at the Consumer's option. Note that a Business cannot require a consumer to create an account in order to submit a VCR (verifiable consumer request).
7) Create a tracking system that records each access request and how it was handled, so that compliance can be demonstrated.
Related Documents:
1) Privacy Notice
Additional Guidance:
Deletion Exceptions
Deletion is not required where the Personal Information is necessary to:
1) complete the transaction for which the Personal Information was collected; provide a good or service requested by the Consumer or reasonably anticipated within the context of a Business' ongoing relationship with the Consumer; or otherwise perform a contract between the Business and a Consumer
2) detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, or prosecute those responsible for that activity
3) debug to identify and repair errors that impair functionality
4) exercise or ensure free speech or other legal rights
5) comply with the California Electronic Communications Privacy Act
6) engage in certain research in the public interest that adheres to all other applicable ethics and privacy laws, when deletion is likely to render impossible or seriously impair such research, if the Consumer has provided informed consent
7) undertake internal uses that are reasonably aligned with the expectations of the Consumer's relationship with the Business
8) comply with a legal obligation
9) otherwise undertake internal uses in a lawful manner that are compatible with the context in which the Consumer provided the information.
Right to Refuse a Consumer Request
A business can refuse a request for the deletion or disclosure of Personal Information in two situations:
1) A Business can determine it has a basis not to comply with the Consumer's request provided it promptly informs the Consumer of that decision (and at least within the time periods required under the applicable CCPA provisions). That notice must explain the Business' rationale and any rights the Consumer may have to appeal that decision to the Business. Note that the CCPA does not seem to mandate that the Business provide an appeal right. In order to be able to invoke this exception, a Business should have a documented policy for when they will refuse a Consumer request and a mechanism to inform the Consumer of that decision within the required time frame.
2) A Business can determine that a request from a Consumer is "manifestly unfounded or excessive, in particular because of their repetitive character." In such a case, the Business can (i) refuse the request provided it promptly informs the Consumer of that decision (and at least within the time periods required under the applicable CCPA provisions), and (ii) charge a reasonable fee to comply with the request, based on its costs. Although the Business bears the burden of demonstrating that a request is "manifestly unfounded or excessive," the CCPA offers no guidance on how that decision should be made. In order to be able to invoke this exception, Businesses should have a documented policy to determine when a request is excessive so that such determinations are not made on an ad hoc basis. The Business should also establish a policy as to whether it will charge for the request or refuse it, and if it does charge, have a method for determining a reasonable fee.