Most provisions of the California Privacy Rights Act will become operative Jan. 1, 2023. This leaves just under two years for businesses subject to it to develop a compliance program or update their existing California Consumer Privacy Act compliance program to conform with the amendments introduced by CPRA. This piece is the seventh in a ballot initiative analogizes the rules it promulgates to something like providing a privacy nutrition label: just as “ingredient labels on foods help consumers shop more effectively, disclosure around data management practices will help consumers become more informed counterparties in the data economy, and promote competition.” This analogy reflects the CPRA’s notable expansion of the CCPA’s right to know.
Indeed, one of the most important business obligations introduced by the CCPA and expanded by the CPRA concerns consumers’ right to know. Responding to consumer requests to know what information about them is being collected and what information about them is being sold or shared and with whom are at the heart of compliance with both laws. These obligations on businesses are underpinned by the first consumer right enumerated within the Purpose and Intent section of CPRA: “Consumers should know who is collecting their personal information and that of their children, how it is being used, and to whom it is disclosed so that they have the information necessary to exercise meaningful control over businesses' use of their personal information and that of their children.”
Importantly, the CPRA amends Section 1798.100, now entitled General Duties of Businesses that Collect Personal Information, to eliminate the requirements related to consumer request and disclosure previously found there under the CCPA. Therefore, once the CPRA becomes operative and supersedes the CCPA, the requirements regarding requests to know and how businesses must respond to them will be found primarily within the following two sections of the law:
- 110. Consumers’ Right to Know What Personal Information is Being Collected; Right to Access Personal Information.
- 115. Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom.
In addition, Section 1798.130, Notice, Disclosure, Correction, and Deletion Requirements, is referenced and further specifies the requirements of these sections, so it is important to understand, as well.
Section 1798.110: Consumers’ Right to Know What Personal Information is Being Collected; Right to Access Personal Information
Section 1798.110(a) of the California Civil Code as amended by the CPRA lays out five types of information of which consumers have the right to request disclosure from a business that collects personal information about the consumer. These are:
- “The categories of personal information it has collected about that consumer.”
- “The categories of sources from which the personal information is collected.”
- “The business or commercial purpose for collecting, selling, or sharing personal information.”
- “The categories of third parties to whom the business discloses personal information.”
- “The specific pieces of personal information it has collected about that consumer.”
A business must provide this information upon receipt of a verifiable consumer request. However, the CPRA also adds language to Subdivision (b) of this section that indicates a business “shall be deemed to be in compliance” with the disclosure requirements of (1) through (4) if it has already complied with the disclosure requirements of Subdivision (c), which requires a business to disclose this information in its online privacy policy or website pursuant Section 1798.130(a)(5)(B). That suggests a business need not provide (1) through (4) in response to a verifiable consumer request but would still need to provide (5) so long as it has already disclosed (1) through (4) in some manner as specified in Section 1798.130.
In addition, a business must provide the information requested by a consumer via Section 1798.100 pursuant to Section 1798.130(a)(3)(B), which essentially lays out a three-step process:
First, to identify the consumer, the business should:
- “Associate” the information provided in the verifiable consumer request “to any personal information previously collected by the business about the consumer.”
Second, the business should “identify”:
- The personal information (“by category or categories”) collected about the consumer during the applicable period of time.
- The “categories of sources” from which the consumer’s personal information was collected.
- The “business or commercial purpose” for the collecting, selling or sharing the consumer’s personal information.
- “The categories of third parties” to whom the business has disclosed the consumer’s personal information.
Third, the business needs to “provide the specific pieces of personal information obtained from the consumer”:
- “In a format that is easily understandable to the average consumer.”
- “And to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer’s request without hindrance.”
Any data generated to help ensure security or integrity or “as prescribed by regulation” is excluded from this requirement as is any personal information transferred from one business to another to “switch services.”
Section 1798.115: Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom
Section 1798.115 remains mostly unchanged from its CCPA incarnation. Regarding personal information that is sold or shared by a business, consumers have the right to request that a business disclose:
- “The categories of personal information that the business collected about the consumer.”
- “The categories of personal information that the business sold or shared about the consumer and the categories of third parties to whom the personal information was sold or shared, by category or categories of personal information for each category of third parties to whom the personal information was sold or shared.”
- “The categories of personal information that the business disclosed about the consumer for a business purpose and the categories of persons to whom It was disclosed for a business purpose.”
As in Section 1798.110, the business must disclose (1) through (3) upon receipt of a verifiable request from a consumer. It must do so pursuant to Section 1798.130(a)(4), which lays out a three-step process:
First, to identify the consumer, the business should:
- “Associate” the information provided in the verifiable consumer request “to any personal information previously collected by the business about the consumer.”
Second, the business should:
- “Identify” the personal information (“by category or categories”) about the consumer that the business sold or shared during the applicable period of time.
- The business must then “provide” the “categories of third parties” to whom the consumer’s personal information was sold or shared during the applicable time period, and it must be disclosed in a separate list.
Third, the business should:
- “Identify” the consumer’s personal information “by category or categories” that the business disclosed for a “business purpose” and provide “the categories of persons” to whom the consumer’s personal information was disclosed.
- The business must also disclose this information to the consumer in a separate list.
Moreover, any personal information collected from the consumer to verify the request may solely be used for the purpose of verification and may not be disclosed or retained longer than necessary for verification or used for other purposes. Businesses are not obligated to supply the information from Sections 1798.110 and 1798.115 to the same consumer more than twice in a 12-month period.
Section 1798.130: Notice, Disclosure, Correction, and Deletion Requirements
The CCPA’s Section 1798.130 on Notice, Disclosure, Correction, and Deletion Requirements has been left intact insofar as a business must still, in a form that is “reasonably accessible” to consumers, make available “two or more” of the designated methods for requests for information pursuant to Sections 1798.110 and 1798.115, as well as requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, “including, at a minimum, a toll-free telephone number.” The CCPA’s requirement for the requested information to be delivered to consumers “free of charge … within 45 days of receiving a verifiable request” remains unchanged by the CPRA.
However, the section has been amended by the CPRA to allow a business that operates “exclusively online” and has “a direct relationship” with the consumer from whom it collects information to “only … provide an email address for submitting requests” pursuant to the right to know Sections 1798.110 and 1798.115, as well as the sections on requests for deletion and correction (1798.105 and 1798.106). Separately, Section 1798.130(a)(1)(B) requires businesses that maintain an “internet website” to make the website “available to consumers to submit requests for information” pursuant to Sections 1798.110 and 1798.115, as well as deletion and correction requests pursuant to 1798.105 and 1798.106.
The CPRA adds language allowing businesses to “require authentication of the consumer that is reasonable in light of the nature of the personal information requested.” In addition, although businesses may not require consumers to create an account to generate a request, the CPRA allows a business to require consumers who already have an account with it to use that account to submit their verifiable requests.
The CPRA has also introduced a clause stating that any personal information a business has collected about a consumer, “directly or indirectly, including through or by a service provider or contractor” shall be subject to the verifiable consumer request sections, including 1798.110 and 1798.115. Relatedly, a service provider or contractor is not required to comply with any such requests they receive “directly from a consumer or consumer’s authorized agent,” but it must “provide assistance to a business with which it has a contractual relationship with respect to the business’s response to a verifiable consumer request,” as discussed in look back” at data collected by a business on or after Jan. 1, 2022. Moreover, for any personal information collected starting Jan. 1, 2022, the CPRA gives consumers the right to make a request to know beyond the CCPA’s standard one-year look back. The exception to this expanded right is if such a look-back request would be “impossible” or require “disproportionate” effort. Nevertheless, nothing in the CPRA requires businesses to keep personal information for any specified length of time or to retain personal information about a consumer if it otherwise would not in its “ordinary course of business,” as specified in Section 1798.145(j)(2).
Conclusion
The right to know or right of access initially enshrined by the CCPA and amended by the CPRA will form a central part of any legal compliance program. Undoubtedly, those businesses with an already-existing CCPA compliance program will have a head-start in bringing their consumer request process into line with the CPRA. Organizations that already have a process in place for responding to data subject access requests pursuant to Article 15 of the EU General Data Protection Regulation will also be able to leverage such a process for CPRA compliance. Whether a company is seeking to update its CCPA compliance program, leverage its GDPR compliance program or build a CPRA compliance program from the ground up, understanding the law’s requirements regarding the right to know will be central to its efforts.
Photo by Joseph Barrientos on Unsplash