Consumers have long been entitled to transparency regarding businesses’ privacy practices. But the California Consumer Privacy Act for the first time gives consumers a right to request specific information about how their personal data is processed, for what purposes, and with whom it is shared. The law also gives consumers the right to receive answers to these requests, free of charge within 45 days, in an electronic format they can transfer to another business.
This third installment in the five-part series, Top Five Operational Impacts of CaCPA, addresses how businesses should prepare for consumers’ personal information access requests. If you have followed the steps outlined in parts one and two of the series – determining whether you are a business collecting California consumers’ personal information, conducting data inventory and mapping exercises, and updating privacy notices to comply with the law’s transparency obligations at data collection – then building a system to respond to access requests will be a lighter lift.
Consumers’ rights to request information about the processing, disclosure and/or sale of their personal information include being notified of this right in the public-facing privacy notice (see here for a handy chart of all the notification requirements in CaCPA). In addition, Section 1798.130(a) requires businesses to make available to consumers two or more designated methods for submitting access requests, including “at a minimum” a toll-free telephone number and a website address. This latter requirement may be met by a form submitted online, or perhaps by an email sent to a designated address made available on the business’s website.
The consumer’s request must be “verifiable,” defined in Section 1798.140(y) as a request the consumer makes on her own behalf or that of her child that the business can “reasonably verify” pursuant to regulations the Attorney General of California will adopt in the coming months. One authorized delivery mechanism for the response is via the consumer’s account with the business, which may provide a means for verification via the consumer’s unique login credentials.
Businesses that have built systems for receiving (and even automatically responding to) data subject access requests pursuant to the EU General Data Protection Regulation will likely have also developed means for authenticating the consumer’s request.
Consumers’ rights to request – and businesses’ corresponding obligations to respond – are set forth in three separate sections of CaCPA, triggering slightly differing response obligations depending on the circumstances.
- Business that collects a consumer’s personal information
Pursuant to Section 1798.100(a), (b), and (c), a consumer has a right to request, and a business that “collects a consumer’s personal information” has an obligation to disclose upon a verifiable request, (1) the categories of personal information the business has collected; and (2) the specific pieces of personal information the business has collected.
- Business that collects personal information about a consumer
Pursuant to Section 1798.110(a) and (b), a consumer has a right to request, and a business that “collects personal information about a consumer” has an obligation to disclose upon a verifiable request, (1) the categories of personal information the business has collected about the consumer; (2) the specific pieces of personal information the business has collected; (3) the categories of sources from which the personal information was collected; (4) the business or commercial purpose for the collection; and (5) the categories of third parties with whom the business shares the personal information.
- Business that sells a consumer’s personal information or discloses it for a business purpose
Pursuant to Section 1798.115(a) and (b), a business that sells a consumer’s personal information, discloses it for a business purpose, or both, is required to provide a consumer with the following information when they submit a verifiable request: (1) the categories of personal information it has collected about the consumer; (2) the categories of personal information it has sold about the consumer; (3) the categories of third parties to whom the personal information was sold (organized by category of personal information for each third party); and (4) the categories of personal information it disclosed about the consumer for a business purpose.
Categories of personal information
Some of the more confusing provisions in the statute – and there are many – are those specifying what belongs in the “categories of personal information” response. For responses under Section 1798.110 (collection about consumers) and Section 1798.115 (selling or disclosing for a business purpose), this is addressed in Section 1798.130(3) and (4). Those provisions reference “the enumerated category in subdivision (c) that most closely describes the personal information” without clearly specifying which subdivision (c) is meant. The most logical choice is Section 1798.130(c), which in turn references the statute’s definitions section (1798.140), in which “personal information” is defined in subsection (o) with 11 “categories” (a through k).
A business responding to a Section 1798.110 (collection about consumers) request must identify the category or categories of personal information collected about the consumer in the preceding 12 months by reference to those enumerated categories. A business responding to a Section 1798.115 (selling or disclosure) request must: (1) identify the category(ies) that most closely describe the personal information sold, together with the categories of third parties to whom it was sold, on one list; and (2) on a separate list (if applicable), do the same for personal information disclosed to third parties for a business purpose.
Response timing and methods
Although Section 1798.100(d) requires a business to disclose and deliver the personal information “promptly,” more specific guidance may be found in Section 1798.130(a)(2), which also applies to consumer access requests under 1798.100 (as well as .110 and .115). In short, responses should be:
- Free of charge.
- Delivered within 45 days of receiving the verifiable request (which may be extended by an additional 45 days “when reasonably necessary,” or up to 90 additional days “where necessary” under Section 1798.145(g)(1) “taking into account the complexity and number of requests” and provided the consumer is notified within 45 days of the extension and its reasons).
- For the 12-month period preceding the access request.
- Made in writing, in a “readily usable format” that allows the consumer to transmit the information from one entity to another “without hindrance.”
- Delivered through the consumer’s account, by mail, or electronically at the consumer’s option.
Businesses may not require consumers to open an account just to receive their personal information report. They also may not extend the 45-day response period to accommodate a lengthy verification process.
Businesses are not obliged to respond to a consumer’s requests more than twice in a 12-month period. In addition to having verification procedures, therefore, businesses will also want to track when access requests are received, when responses are sent, and how often the same consumer requests her personal information. Of course, this may itself constitute “personal information” subject to disclosure.
CaCPA contemplates that in certain circumstances a business may elect not to respond substantively to the consumer’s request for access to personal information. Pursuant to Section 1798.145(g), the business must inform the consumer (1) of its reasons for not taking action; and (2) of any right to appeal that decision. The statute does not clearly give the consumer a right to appeal, but it appears the business might want to offer one, especially to avoid an action under Section 1798.150(b)(1).
CaCPA also permits the business to either charge a fee or refuse to respond (upon notifying the consumer of its reasons) if the consumer’s requests are “manifestly unfounded or excessive, particularly because of their repetitive character.” The burden to demonstrate the request’s character rests with the business.
A final operational requirement – applicable not just to consumer access requests but to other aspects of consumers’ privacy rights under the law – is to ensure that “all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with [CaCPA] are informed of all requirements” in the law’s transparency and access request provisions. Pursuant to Section 1798.130(6), employees should also be trained in how to help consumers exercise their rights.