CCPA Disclosure After Receipt of a Consumer Request (110.b)


Overview:
A business that collects personal information about a consumer shall disclose to the consumer, pursuant to paragraph (3) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) upon receipt of a verifiable request from the consumer.

Action Items:
1) Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
2) Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice. In such situations, draft a privacy notice that conforms with both the CCPA and with other privacy laws that may apply (e.g. the GDPR).
3) Review existing methods for submitting access requests to your organization to verify they comply with the CCPA.
4) Review existing policies or procedures for authenticating individuals that make access requests.
5) If no authentication policy exists, draft an appropriate policy for authentication of individuals that make data subject requests.
6) Draft a "play book" that provides standard communications that can be sent to individuals that make access requests, and standard formats for reporting personal information.
7) Train employees on the handling of access requests.
8) Establish a means to determine whether a request is a proper Verifiable Consumer Request (VCR). A "Verifiable Consumer Request" means a request where a Business can verify that the Consumer making the request is the Consumer about whom the business has collected Personal Information or is a person authorized by the Consumer to act on such Consumer's behalf. The attorney general will need to promulgate guidance on what constitutes a VCR, although the Act suggests that a Business can deem a request from a Consumer who is already logged into a service to be verified.
9) Create a tracking system to record each access request and how it was handled, to be able to demonstrate compliance.

Related Documents:
1) Privacy Notice
2) Evidence that consumers can submit a Verifiable Consumer Request (VCR), pursuant to request submission requirements
3) Sample of a VCR submitted by a consumer to ensure it captures all relevant data
4) List of third parties with whom consumer personal data is shared, and why.

Additional Guidance on Verifiable Consumer Requests (VCRs)
Businesses must only provide this information after receipt of a Verifiable Consumer Request (VCR). A "Verifiable Consumer Request" means a request where a Business can verify that the Consumer making the request is the Consumer about whom the business has collected Personal Information or is a person authorized by the Consumer to act on such Consumer's behalf. The attorney general will need to promulgate guidance on what constitutes a VCR, although the Act suggests that a Business can deem a request from a Consumer who is already logged into a service to be verified.

Right to Refuse a Consumer Request
A business can refuse a request for the deletion or disclosure of Personal Information in two situations:
1) A Business can determine it has a basis not to comply with the Consumer's request provided it promptly informs the Consumer of that decision (and at least within the time periods required under the applicable CCPA provisions). That notice must explain the Business' rationale and any rights the Consumer may have to appeal that decision to the Business. Note that the CCPA does not seem to mandate that the Business provide an appeal right. In order to be able to invoke this exception, a Business should have a documented policy for when it will refuse a Consumer request and a mechanism to inform the Consumer of that decision within the required time frame.
2) A Business can determine that a request from a Consumer is "manifestly unfounded or excessive, in particular because of their repetitive character." In such a case, the Business can (i) refuse the request provided it promptly informs the Consumer of that decision (and at least within the time periods required under the applicable CCPA provisions), and (ii) charge a reasonable fee to comply with the request, based on its costs. Although the Business bears the burden of demonstrating that a request is "manifestly unfounded or excessive," the CCPA offers no guidance on how that decision should be made. In order to be able to invoke this exception, Businesses should have a documented policy to determine when a request is excessive so that the determination is not made on an ad hoc basis. The Business should also establish a policy as to whether it will charge for the request or refuse it, and if it does charge, have a method for determining a reasonable fee.



Article ID: 6
Created: September 24, 2022
Last Updated: September 24, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/ccpa-disclosure-after-receipt-of-a-consumer-request-110-b-6.html