The California Consumer Privacy Act gives California residents the right to know what personal information a business collects about them and how it is used. The law likewise imposes obligations on businesses to ensure consumers can exercise this right. Although the CCPA and its regulations provide a framework, operationalizing the consumer request process can be complex.
Two compliance issues that present challenges for organizations covered by the CCPA are:
- The scope of information subject to disclosure.
- The use of third parties to submit consumer requests.
The landscape regarding these topics continues to change. Recent developments include:
- Inferences subject to disclosure: the California attorney general’s opinion regarding internally generated inferences and the scope of the disclosure obligation.
- Employee information will be subject to requests to know: the CCPA employee exemption set to expire Jan. 1, 2023.
- Use of authorized agents: the advocacy work being done by Consumer Reports regarding the use of authorized agents.
Framework for CCPA requests to know
Similar to the EU General Data Protection Regulation Article 15, the CCPA gives consumers (defined as a natural person who is a California resident) the right to request that businesses disclose the personal information collected about the consumer. Section 1798.110(a) specifies a consumer is entitled to request the disclosure of:
- The categories of personal information the business has collected about the consumer.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information the business has collected about the consumer.
Businesses have obligations to respond, subject to the receipt of a “verifiable consumer request” from the consumer. The disclosure is required to cover the 12-month period prior to the business receiving the verifiable consumer request (Section 1798.130(a)(2)).
If a business sells the consumer’s personal information or discloses it for a business purpose, the consumer can request additional information, including the categories of personal information sold about the consumer and the categories of third parties to whom it was sold (Section 1798.115).
Müge Fazlioglu, CIPP/E, CIPP/US, explored how these rights and obligations will change when the California Privacy Rights Act amendments to the CCPA become fully operative Jan. 1, 2023.
Operationalizing the request process
The CCPA regulations provide important details regarding how the consumer’s right to know must be operationalized, including:
- Section 7021: Timelines for Responding to Requests to Know and Requests to Delete, which mandates a business confirm receipt of the request within 10 business days and provide information about how it will be processed.
- Section 7024: Requests to Know, which identifies when a business is not required to search for personal information, what information should not be disclosed in response to a request to know and obligates a business to use reasonable security measures in transmitting personal information to a consumer.
- Section 7060: General Rules Regarding Verification, which requires businesses to “establish, document, and comply with a reasonable” verification method. There are additional regulations regarding verification for password-protected accounts, non-account holders and authorized agents (Sections 7061-7063).
The CCPA regulations were recently reordered and renumbered as part of the California Privacy Protection Agency assuming rulemaking authority. The formal rulemaking process to implement the CPRA has not begun, but the CPPA has shared draft proposed CCPA regulations. The draft is a “redline document” of the current CCPA regulations and includes proposed changes to existing provisions, as well as additional regulations to address new rights and obligations in the CPRA.
One proposed modification to the consumer request process would extend the time period for information subject to disclosure beyond the 12-month period required by the CCPA. CPRA Section 1798.130(a)(2)(B) permits consumers to request information beyond the 12-month period, providing “a consumer may request that the business disclose the required information beyond the 12-month period, and the business shall be required to provide that information unless doing so proves impossible or would involve a disproportionate effort.” Proposed draft regulation Section 7024(h) would require a business to provide “all the personal information it has collected and maintains about the consumer on or after January 1, 2022, including beyond the 12-month period preceding the business’s receipt of the request, unless doing so proves impossible or would involve disproportionate effort.” Whether this proposed draft regulation is revised during the formal rulemaking process remains to be seen.
Scope of 'personal information' subject to disclosure
Even with the detail provided by the regulations, there are still nuances in the request-to-know process to be resolved, including the scope of information subject to disclosure.
In March, the California attorney general issued an opinion in response to a question about the disclosure of internally generated inferences. The opinion analyzes the CCPA’s definition of “personal information,” which includes “(i)nferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” (1798.140(o)(1)(K)). The attorney general concluded internally generated inferences, even if based upon publicly available information, are subject to a consumer’s right to know under the CCPA unless a statutory exception applies.
Several statements in the opinion offer important insight into how the Office of the Attorney General construes data collected about consumers by businesses and the obligation to respond to access requests:
- The scope of personal information subject to requests to know will be construed broadly. “(F)or purposes of responding to a request to know, it does not matter whether the business gathered the information from the consumer, found the information in public repositories, bought the information from a broker, inferred the information through some proprietary process of the business’s own invention, or any combination thereof. If the business holds personal information about a consumer, the business must disclose it to the consumer on request” (Opinion, pp. 11-12).
- “(T)he CCPA gives consumers the right to receive all information collected ‘about’ the consumer, not just information collected from the consumer” (Opinion, p. 13, citing Section 1798.100(a)(5)).
- Inferences are personal information subject to disclosure. “(O)nce a business has made an inference about a consumer, the inference becomes personal information — one more item in the bundle of information that can be bought, sold, traded and exploited beyond the consumer’s power of control” (Opinion, p. 12).
- Even inferences based on publicly available information are subject to disclosure. “A business might draw an inference about a consumer based in whole or in part on publicly available information, such as government identification numbers, vital records, or tax rolls. Under the CCPA, the inference must be disclosed to the consumer, even if the public information itself need not be disclosed in response to a request for personal information” (Opinion, p. 12).
- Trade secrets are not subject to disclosure, but the burden is on the business to prove the data is a trade secret. “A business that withholds inferences on the ground that they are protected trade secrets bears the ultimate burden of demonstrating that such inferences are indeed trade secrets under the applicable law” (Opinion, p. 15).
Businesses will need to keep these conclusions in mind as they develop their CCPA and CPRA compliance programs. The opinion states “None of the amendments to the CCPA introduced by the CPRA changes the conclusion presented in this opinion” (Opinion, p. 4).
Employee information will be subject to requests to know
The scope of information subject to consumer requests to know will expand in January 2023 when the exemptions for employee and business-to-business data in CCPA Sections 1798.145(m) and (n) (as amended by the CPRA) become inoperative. There are bills pending in the California legislature to extend these exemptions, including AB 2871 and SB 1454 (extend indefinitely) and AB 2891 (extend until January 2026). Politico reported lawmakers are working on the issue of employee privacy, but it is unclear if their efforts will be successful.
Practitioners have raised concerns about the impact of this change on existing California employment law rights and obligations, noting potential confusion for employers and employees as “most of the rights under the CPRA either are already addressed or do not make sense in the employment context.” Notably, the other comprehensive state privacy laws — Colorado, Connecticut, Utah and Virginia — don’t apply to employment data. These four states exclude individuals acting in an employment context from the definition of “consumer” and exempt data processed or maintained in the employment context (Virginia, Utah and Connecticut) or employment records (Colorado).
Use of authorized agents
One aspect of the consumer request process receiving increased attention is the use of third-party “authorized agents” to make requests to know, delete and opt out on behalf of consumers.
The requirements regarding the use and treatment of authorized agents are not in the CCPA but are in the CCPA regulations as a topic identified for rulemaking in CCPA Section 1798.185(a)(7)). Section 7001(c) defines an authorized agent as “a natural person or a business entity registered with the Secretary of State to conduct business in California that a consumer has authorized to act on their behalf. ...”. The regulations obligate businesses to include instructions regarding how authorized agents can make requests in their privacy policies (Section 7011(c)(5)(A)) and allow consumers to use an authorized agent to submit an opt-out request if the consumer provides signed written permission (Section 7026(f)). Section 7063, Authorized Agent, provides further guidance for both businesses and authorized agents regarding verification and the treatment of a consumer’s personal information.
Consumer Reports is a strong advocate for the use of authorized agents and standardizing the consumer request process. In October 2020, Consumer Reports Digital Lab launched a pilot project to act as an authorized agent for California residents, submitting requests to opt out of the sale of their personal information to various companies. The following year, it launched another authorized agent pilot, this time to send requests to know (data access requests) on behalf of consumers. The results of the request-to-know project were mixed, with Consumer Reports finding “most volunteers in our research did not receive meaningful access to their data” and “most companies are not yet fully prepared to handle authorized agent requests to help consumers get access to their own data.”
Based on its work, the Consumer Reports Digital Lab Team made recommendations for regulators regarding the authorized agent process in April. These include:
- Letting consumers choose who receives the data (consumer or agent).
- Giving consumers additional time to verify their identity.
- Requiring “public documentation of data formats” (giving consumers an explanation of how to interpret the data or a data dictionary, offering an example that Netflix provided in response to an access request).
- Exploring digital identity verification.
Consumer Reports’ Digital Lab is also working on its own “Permission Slip” mobile application “to help consumers manage the data companies may have about them” and a Data Rights Protocol technical standard to “standardize and simplify” consumer requests under the CCPA. The first end-to-end interoperability test of the Data Rights Protocol was successfully completed May 12.
Practitioners have identified potential operational and compliance issues with having third parties involved in the consumer request process. Anecdotally, some authorized agents are submitting consumer requests indiscriminately, sending bulk requests to companies that have never interacted with the consumer and asking businesses to respond using the authorized agent’s website. It also may not be clear from the authorized agent’s request whether the consumer is a California resident even entitled to assert the privacy right.
It will be interesting to see how the use of authorized agents develops over time. There is incentive for businesses and consumer advocates to improve the consumer request process — the implementing companies in the Data Rights Protocol project are Consumer Reports Digital Lab, DataGrail, Ethyca, Incogni, Mine, OneTrust, Sourcepoint, Spokeo, Transcend and WireWheel. Regulators may choose to address the use of authorized agents as part of the rulemaking process. As Jennifer Bryant reported, the CPPA recently hired former Consumer Reports Senior Policy Analyst Maureen Mahoney as its deputy director of policy and legislation. In her previous role, Mahoney said “The authorized agent provision in the CCPA is key to making the law more workable for consumers.”
Consumer request process likely to change
Businesses can expect compliance obligations related to consumer rights requests in California to evolve as the CPPA engages in formal rulemaking, enforcement continues and stakeholders look at ways to improve the process. If federal privacy legislation in the U.S. becomes a reality, the lessons learned from the consumer request process under CCPA presumably can inform operationalizing any similar federal requirements.
Photo by Humberto Portillo on Unsplash