Addressing CCPA Requests
If you are like most businesses, you spent time and resources aligning your business practices to address consumer choice under the California Consumer Privacy Act (CCPA). With the CCPA fully enforceable, many businesses subject to the law have now shifted their attention towards validating their compliance efforts and working out any noted operational issues. To facilitate your validation efforts, consider how your business is addressing CCPA requests.
Request response times
You are subject to specific response time frames when addressing requests under the CCPA. Be sure to confirm your receipt of the CCPA requests within 10 days. Address requests to opt out of the sale of personal information within 15 days, and all other requests within 30 days. Always inform consumers of any delays, explain the reasons behind the delays and seek to resolve them within 90 days.
Requests to know about the categories of PII processed
You are required to provide consumers with a meaningful understanding of what sort of personally identifiable information (PII) you are processing — and how. Make sure your response details the categories of sources where such information originates, the categories of third parties to whom it is sold (if applicable) or disclosed and the reasons behind the disclosures.
Requests to access PII
You are required to provide consumers access to their personal information — after validating their identity. Also, be sure you have a plan in place for addressing access requests associated with personal information specific to a household.
- Validate the identity of consumers seeking access to personal information based on your written authentication procedures for account holders and non-account holders.
- When the consumer’s identity cannot be verified, do not disclose personal information. Tell the consumer why you can’t address their access request and then process the request the way you would address requests to know about the categories of PII processed.
- When the consumer’s identity can be verified, securely provide the consumer with access to all the PII processed about them over the last 12 months.
- If you are using a self-service portal to deliver the requested information, make sure it aligns to the CCPA information security mandates and can fully address the consumer’s request.
- If you are delivering the requested information in an electronic file, make sure you include simple descriptions of the information processed and secure the delivery to the consumer.
- Not all email platforms are secure so beware of relying on email to transmit personal information. Also note that email may create unnecessary copies of personal information.
Addressing requests to opt out of the sale of PII
If applicable, you are required to give consumers the ability to prevent the sale of their personal information.
- If you allow consumers to prevent the sale of discrete personal information elements, be sure you also have a more prominent mechanism to apply the opt-out request to all their personal information.
- If you share personal information with recipients at a rate faster than you process Do Not Sell requests, be sure you have a mechanism in place to instruct the data recipients to not further sell the personal information of any consumer who has a pending Do Not Sell request.
- Notify consumers when their Do Not Sell requests are complete.
Requests to delete PII
You are required to give consumers the ability to request that their personal information be deleted, after validating their identity based on written authentication procedures appropriate for your business and the kind of PII processed. Also, be sure you have a plan to address deletion requests associated with personal information specific to a household.
- Be sure your deletion process results in the personal information being de-identified, aggregated or permanently erased such that it cannot be reconstituted from active systems and archives.
- If you offer the ability to request the deletion of discrete personal information elements, be sure you also have a more prominent option to apply the deletion request to all their PII.
- When you offer the ability to submit deletion requests online, be sure the mechanism is easily accessible and you appropriately authenticate requests originated from the consumer described.
- If you cannot validate the authenticity of the request or the consumer’s identity, be sure to tell them you are unable to facilitate their request. Instead, offer the consumer the ability to opt out of the sale of such information and describe how to do so.
- If you cannot comply with a legitimate deletion request due to another law requiring you to keep PII, be sure to tell the consumer why and don’t subsequently use their PII for other purposes.
Authorized agent requests
You are required to facilitate consumer requests submitted by authorized agents. In general, requests from authorized agents to opt out of the sale of PII are not subject to authentication procedures — unless there is a good faith, reasonable (and documented) belief the request is fraudulent. However, you may deny requests to opt out of the sale of PII from agents in the event the agent is unable to demonstrate the consumer’s signed, written permission. Finally, you should consider choices expressed via user-enabled privacy controls (such as plug-ins, privacy settings, etc.) as a direct expression of the consumer’s choice and not as being submitted by an authorized agent.