CCPA Right to Disclose Sources of Collection (110.a.2)


Overview:
A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following: The categories of sources from which the personal information is collected.

Action Items:
1) Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
2) Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice. In such situations, draft a privacy notice that conforms with both the CCPA and with other privacy laws that may apply (e.g. the GDPR).
3) Review existing methods for submitting access requests to your organization to verify they comply with the CCPA.
4) Draft a "play book" that provides standard communications that can be sent to individuals that make access requests, and standard formats for reporting personal information.
5) Train employees on the handling of access requests.
6) Verify that the policy in place facilitates the fulfillment of access requests within the time period permitted by the statute.
7) Create a process to readily access the specific Personal Information the Business has about each Consumer. This includes knowing what Personal Information is held and what "category" it falls into; where it is stored; and having the ability to extract it.
8) Create a tracking system to record each access request and how it was handled, so that compliance can be demonstrated.

Related Documents:
1) Privacy Notice
2) Evidence that consumers can submit a Verifiable Consumer Request (VCR), pursuant to request submission requirements
3) Sample of a VCR submitted by a consumer to ensure it captures all relevant data


Additional Guidance:
In order to comply with many of the CCPA requirements, a Business must first have ready access to certain facts about the Personal Information it collects. This includes:
1) What Personal Information it has collected about a Consumer (both by "category" and specific information), taking into account the broad definition of "collection"
2) The source of that Personal Information (e.g., did the Business collect it directly or obtain it from a third party); if from a third party, is there an agreement with that party as to Personal Information use or collection?
3) How that Personal Information was collected (e.g., as part of an online application, in the course of a sales transaction, as part of a marketing campaign, etc.)
4) Where that Personal Information is stored and when it is deleted
5) How Personal Information is used by the Business and who has the authority to determine or change that use
6) What Personal Information, if any, was "sold" to a third party (including the identity of those third parties, the method of "sale" and what rights they were granted in the Personal Information), taking into account the broad definition of a "sale"
7) Whether the business knows, or can reasonably ascertain, the age of the Consumer
8) Whether the Consumer has any type of account with the Business

A best practice for gathering and sorting this information is to create a "data map" that traces what Personal Information is ingested by the company and how it is "collected," used, processed, stored and "sold." While there are a variety of ways to organize a data map, most Businesses will find that organizing this information in a way that mirrors how the Business itself is organized will capture the necessary data.



Article ID: 2
Created: September 24, 2022
Last Updated: September 24, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/ccpa-right-to-disclose-sources-of-collection-110-a-2-2.html