Since January 1, 2020, the much-awaited CCPA (California Consumer Privacy Act) is already in effect. This means that organizations should have already determined by then whether their business is affected by or subject to the CCPA Regulations and take actions necessary to ensure compliance. On the other hand, consumers residing in California should have already understood their privacy rights and its limitation and extent. For companies, to be compliant with CCPA is highly critical because a failure to be so will cost staggering amounts of penalties that can even shut a business down.
On the other side, Californian consumers must know, understood, and maintain their rights to privacy. CCPA declares that every Californian customer has the right to know what information a company has gathered about them and the right to delete their personal information. They also have the right to prohibit companies from selling or using their personal information for cross-context behavioral ads, and to hold companies responsible if they do not take appropriate measures to protect their personal information.
The Challenge of Consumer Requests
But a consumer’s access to their personal information, the processes it undergoes, its deletion, and the prohibition not to sell it must be requested from the organization that gathered that information. And the response to that request is one of the most challenging areas to comply with CPPA.
Under the CCPA, customers have the right to know what personal information an organization collects about them. The information requested must be made available within 45 days since the request was received, free of charge. There are extensions, however, in special circumstances, such as the difficulty in verifying the identity of the requestor. The business’s response to this request must be in a “readily useable format” that allows the verified consumer to use this information for their purposes (e.g., transmission to other entities) without any hindrance. Furthermore, as required by the CCPA in October 2019, AG Xavier Becerra released the Proposed Regulations that made the new law operational and provided clarification to assist in the implementation of the CCPA.
The CCPA has a broad definition of “personal information,” which is why consumer demands to know are especially burdensome for corporations. According to the law, personal information is anything that can be used to identify, describe, associate with, or reasonably link a specific consumer or household. CPPA even includes the phrase “directly or indirectly” to further clarify the extent of its definition. This broad view of personal information includes the Social Security number, driver’s license number, name, etc., of an identifiable individual. Moreover, the less apparent identifiers such as browsing history, cookies, biometric data, and geolocation are included as personal information.
On the other hand, the timeframe to which an organization must comply with a consumer’s request to delete their personal information is the same.
Here are some practical tips in handling consumer’s data and response to disclosure and deletion requests:
Things to Prepare
- Identify who owns the process: Companies should appoint an individual or team to handle the disclosure and deletion requests.
- Create an efficient process: Organizations should have specific internal policies and procedures to respond to requests. Like the litigation’s discovery process, it can be extremely burdensome to undergo data reviewing in response to a request. Personal information must be transmitted with reasonable security measures, and any information that has been deleted must be completely erased. Organizations may want to hire independent experts to make this process less costly and to avoid conflicts of interest. Additionally, records of customer requests have to be kept by businesses for at least 24 months, and in general, such records should be used for any other purpose.
- Data mapping: Businesses should create a mapping system that provides an easy-to-access file of all the personal information they keep. That includes why it is kept, how it is used, to whom it is sold, how long it is stored, and where it is stored.
- Training: The people involved in handling requests must undergo training on what types of requests they may receive and on the policies and procedures concerning those possible requests. Those people are the organization’s response team, the management, and other key employees. Third-party service providers may also be included.
- Provide request methods: CCPA requires businesses to provide at least two approved methods for the consumer to submit their requests, including at least one toll-free number and another appropriate form, such as an email address. But those who operate their business exclusively online are not required to provide more than an email address. Organizations should have clear instructions on how to submit disclosure and deletion requests and should not complicate the procedure. Failure to do so will result in fines.
- Validating the requests: Organizations need verification and authentication procedures to validate the identity of the user who submits the request and the validity of the request to comply with the request. Third-party requests on behalf of the consumer should be denied without written authorization. The Proposed Regulations require entities to create, record, and abide by appropriate methods in verifying customer identity. There are also several factors which determine the “reasonable” method of identity verification:
- How the company interacts or communicates with the consumer; and
- Accessible verification technology.
If the consumer’s identity can not be confirmed, the person who submits the request must be told that the request cannot be accepted. Organizations must also introduce fair security procedures to detect fraudulent identity authentication activities and avoid unauthorized access to such records. Note that if the company maintains a password-protected account with the consumer, there are different authentication criteria. In the testing process, organizations do not obtain additional data. They should depend, instead, on established credentials. For example, if the company needed a different user name during the time it collected the data, it would use that to validate the requestor.
- Advising the consumer to narrow the search: Ideally, information requests should be as broad as possible, and organizations will collaborate with the requestor to narrow the categories as far as possible. For instance, if a customer demands all personal information that the company has ever collected, the search may be lengthy. But if the organization works with the consumer to determine the specific issue of the consumer’s concern, the applicant may agree to narrow the scope of the application. The request to delete is much easier if they want to delete all of the consumer’s personal data
- Determining the universe of data to be searched for: these can include electronic documents, emails, historical information, organizational database information, and paper files. In response to a request to know, the CCPA requires disclosure of certain information, including the source, collection intent, and any third parties with whom the data is exchanged, among others; organizations should ensure that they disclose all of the relevant details.
- Responding as soon as possible: Upon receiving the request to know and request to delete, organizations must send confirmation to the requestor within 10 business days. The response should be within 45 calendar days from receipt of the request, regardless of the time required for request verification. Responding to a request may take a substantial amount of time, and this is a limited period. Therefore, organizations should start working on the request as soon as possible. Nonetheless, CPPA provides consideration to extend for another 45 calendar days, for a maximum of 90 calendar days in total, provided that the consumer will be notified and given a clear explanation of why it would take more time.
- Checking the response to ensure that it does not include other consumer’s personal information: A person is only entitled to their own personal data, and organizations must censor any documents or information relating to another individual unless that individual granted their permission. In the instance of joint household requests, this becomes even more complicated. Under the CCPA, all members of a household can collectively request the disclosure or deletion of specific pieces of the household’s personal information. Although the household request was discussed in the CCPA, protocols for this request have only been clarified in the update in the Proposed Regulations – an organization can only respond to household requests if the request is collectively made by all household consumers, can verify each consumer’s identity, and proves that each is a current member of the household. If a household member is under the age of 13, parental consent must be verified before complying with the request.
- Monitoring process compliance: Regularly audit the compliance of the response team and the whole organization with the written policies and procedures.
Right to Opt-Out of the Information Selling
The CPPA further illustrates the right of Californian consumers to opt-out of the selling of their personal information. There are clear and specific regulations for the businesses in the Proposed Text of Regulations relating to the manner in which businesses will give consumers the option to opt-out and other details. But in regards to time, the most recent document, Final Text of Regulations (June 1, 2020), maintains that organizations must comply with a consumer’s request to opt-out as soon as possible, but not longer than 15 business days from the date the request was received.
Ideally, consumers will be given a confirmation of receipt of the request to know or request to delete within 10 business days and a response to that request within 45 calendar days. But of course, since CPPA provides a total of 90 calendar days for businesses to respond, provided that conditions are met, this might often happen, especially in the early stages of adapting to this complicated law. But at least, the right of California citizens to opt-out of the selling of their data should get a response no longer than 3 business weeks.