Most for-profit businesses that collect personal information about consumers in California must implement and demonstrate CCPA compliance.
Although enforcement began on July 1, 2020, many organizations are still implementing processes for compliance.
Best practices to address consumer requests under CCPA
A major factor for those seeking to comply is implementing a process for managing consumer requests under CCPA – similar to data subject access requests under GDPR.
Noncompliance with these guidelines can result in significant penalties and fines.
The California Consumer Privacy Act (CCPA) gives consumers the right to request a business disclose what personal information it holds about them, plus related rights to have that information deleted and to opt-out or opt-in to having information collected, shared, or sold.
CCPA requests to know or delete
Methods for submitting requests to know
Businesses must provide two or more designated methods for submitting requests to know, including a toll-free telephone number (the minimum requirement).
If the business operates a digital property, it must provide an interactive web form accessible through its website or mobile application.
Methods for submitting requests to delete
Although the CCPA regulations do not prescribe a particular method for submission of requests to delete, at least one method offered must reflect the main communication methods between the consumer and the business, such as a webform, email or phone number.
For more information, see Section § 999.312.
Requests to access or delete household information
The definition of personal information under the CCPA includes information that could reasonably be linked with a household.
Therefore, requests to know, delete and opt-out may involve personal information not only of individual consumers, but also other consumers living in the same household.
The CCPA regulations attempt to address this by balancing individual and group privacy rights.
Businesses are allowed to respond to a request to know or to delete related to household personal information by providing aggregate household information, subject to verification, rather than individualized personal information.
If individualized personal information is requested, it may only be disclosed if the business can accurately verify all the members of the household individually.
The rules apply this household procedure only where the consumer does not have a password-protected account with the business, so that the procedures a business already has for account holders of password-protected accounts are not disrupted.
Responding to requests to know and delete
Businesses must meet the following CCPA requirements when responding to requests to know and delete.
Confirm receipt within 10 days of receiving these requests. Confirmations may be automated, but they must describe the business’s verification process and when the consumer should expect a response.
Responses to requests to know or to delete must be provided within 45 days beginning on the day the business receives the request, regardless of the time required to verify the request.
If more time is needed to deliver an accurate response, then the business must give proper notice and a valid explanation for the delay.
The rules state that if there is a delay, the response to a request must be completed within a maximum total of 90 days from the day the request is received.
Special considerations for requests to delete
Requests to delete can be handled in three different ways to meet CCPA compliance requirements:
- Permanently and completely erasing the personal information from existing systems (note: delays are allowed for archived or back-up systems, provided the personal information is deleted the next time these systems are accessed or used)
- De-identifying the personal information or
- Aggregating the personal information.
For any response to a request to delete, a business must specify how it has deleted the personal information and keep a record of the request.
Separately, the rules clarify that deletion requests should be a two-step process: consumers must first submit the request to delete and then separately confirm their desire for all consumer identifiers (PI) to be deleted.
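The intake rules above (10-day acknowledgement, 45-day response, 90-day limit only after notice and explanation, the separate confirmation step for deletion, the recorded deletion method and the deferred purge of back-ups) can be encoded as a small request tracker. The following is an added illustration, not code from the original article or from any regulator; the data model, function names and the placeholder verification wording are assumptions, and the dates in the usage are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Deadlines and deletion methods as described in the CCPA regulations above.
ACK_DAYS = 10            # confirm receipt within 10 days
RESPONSE_DAYS = 45       # respond within 45 days of receipt
MAX_RESPONSE_DAYS = 90   # absolute limit, and only after notice plus a valid explanation
DELETION_METHODS = ("erase", "deidentify", "aggregate")


@dataclass
class ConsumerRequest:
    """Hypothetical data model for a request to know or to delete."""
    request_id: str
    kind: str                              # "know" or "delete"
    received_on: date
    extension_notice_sent: bool = False    # notice and explanation already sent to the consumer
    confirmed_on: Optional[date] = None    # second step of a request to delete
    completed_on: Optional[date] = None
    deletion_method: Optional[str] = None
    backup_purge_pending: bool = False     # archived/back-up copies purged on next access
    record: list = field(default_factory=list)   # retained record of how the request was handled


def response_due(req: ConsumerRequest) -> date:
    """45 days from receipt regardless of verification time; 90 days only after proper notice."""
    days = MAX_RESPONSE_DAYS if req.extension_notice_sent else RESPONSE_DAYS
    return req.received_on + timedelta(days=days)


def acknowledgement(req: ConsumerRequest) -> dict:
    """Automated receipt confirmation; must describe verification and the expected timing."""
    return {
        "acknowledge_by": req.received_on + timedelta(days=ACK_DAYS),
        "message": (
            f"We received your request to {req.kind} (ref {req.request_id}). "
            "[describe the business's verification process here] "   # placeholder, assumed wording
            f"You can expect a response by {response_due(req).isoformat()}."
        ),
    }


def extend_deadline(req: ConsumerRequest, explanation: str, on: date) -> date:
    """Record the notice and explanation the rules require before the 90-day limit applies."""
    if not explanation.strip():
        raise ValueError("a valid explanation for the delay is required")
    req.extension_notice_sent = True
    req.record.append((on, "extension notice sent", explanation))
    return response_due(req)


def confirm_deletion(req: ConsumerRequest, on: date) -> None:
    """Second step: the consumer separately confirms that their identifiers should be deleted."""
    if req.kind != "delete":
        raise ValueError("only requests to delete need a separate confirmation")
    req.confirmed_on = on
    req.record.append((on, "deletion confirmed by consumer", ""))


def complete_deletion(req: ConsumerRequest, method: str, on: date,
                      backup_purge_pending: bool = False) -> dict:
    """Carry out the deletion and record which of the three permitted methods was used."""
    if req.kind != "delete":
        raise ValueError("not a request to delete")
    if req.confirmed_on is None:
        raise ValueError("deletion not yet confirmed by the consumer")
    if method not in DELETION_METHODS:
        raise ValueError(f"method must be one of {DELETION_METHODS}")
    req.deletion_method = method
    req.completed_on = on
    req.backup_purge_pending = backup_purge_pending
    note = "back-up copies to be deleted on next access" if backup_purge_pending else ""
    req.record.append((on, f"deleted by {method}", note))
    return {"request_id": req.request_id, "method": method,
            "completed_on": on, "on_time": on <= response_due(req)}


def is_overdue(req: ConsumerRequest, today: date) -> bool:
    """True once the applicable 45- or 90-day deadline has passed without completion."""
    return req.completed_on is None and today > response_due(req)


if __name__ == "__main__":
    r = ConsumerRequest("R-1", "delete", date(2021, 1, 4))    # constructed sample
    print(acknowledgement(r)["acknowledge_by"], response_due(r))
    confirm_deletion(r, date(2021, 1, 20))
    print(complete_deletion(r, "erase", date(2021, 2, 1), backup_purge_pending=True))
```

Note that `response_due` deliberately ignores how long verification took, matching the rule that the 45 days run from receipt, and that `complete_deletion` refuses to act until the separate confirmation step has been recorded.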
CCPA definitions and requirements for service providers
Section § 999.314 of the CCPA regulations addresses several concerns raised by the public about what organizations qualify as service providers.
This is an important issue, as the CCPA does not classify personal information used by or shared with a service provider to perform a business purpose as a sale.
The CCPA defines a service provider as a for-profit legal entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.” (Civil Code, § 1798.140, subdivision (v)).
The CCPA regulations clarify the definition of a service provider as:
- A person or entity providing services to a person or organization that is not a business as that term is defined in Civil Code Section 1798.140, subdivision (c), but otherwise meets the requirements of a service provider, shall be deemed a service provider for purposes of the CCPA
- Entities that process personal information on behalf of non-profit and government entities are service providers, even though the non-profit and government entities are not subject to the CCPA, and
- A person or entity that collects personal information directly from a consumer on the business’s behalf, and otherwise meets all the other requirements of a service provider, will still be considered a service provider, despite the CCPA definition of service provider referring to an entity “to which the business discloses a consumer’s personal information.”
The CCPA regulations note that a service provider’s use of personal information collected from one business to provide services to another business would be outside the bounds of a necessary and proportionate use of personal information, as it would be advancing the commercial purposes of the service provider rather than the business purpose of the business.
However, there is now an exception in the CCPA regulations to allow some use of personal information to the extent necessary to detect data security incidents or protect against fraudulent or illegal activity.
The CCPA regulations also address the situation where a service provider may not be contractually allowed to disclose or delete the personal information it handles on behalf of businesses.
In such cases, service providers are required to respond to a consumer’s disclosure or deletion request by:
- Explaining the basis for the denial of the request
- Directing the consumer to the business in control of their information, and
- When feasible, giving the consumer the contact information for the business in control of their information.
Note: an organization that acts as both a business and as a service provider under the CCPA is required to comply with CCPA and the CCPA regulations relating to any personal information it collects, maintains, or sells outside of its role as a service provider.
Methods for submitting opt-out requests
Consumers can tell a business not to sell their personal information by submitting an opt-out request, which directs a business that has previously sold their personal information to stop selling it.
A consumer’s right to opt-out must be reinforced by:
- Providing two or more methods for submitting requests to opt-out, including a conspicuous “Do Not Sell My Personal Information” link (or similar words) on the business’s homepage that leads to an opt-out request form, and other methods such as a toll-free number, a designated email address, or a form that can be submitted in person or via post
- Honoring a consumer’s opt-out decision by no longer selling their personal information for 12 months, and not asking them to opt back in during that 12-month period.
Businesses are allowed to give consumers granular opt-out options, such as for sales of certain categories of personal information, but only if a global option to opt-out of all the collection and sale of personal information is more prominently presented than the other choices.
The CCPA regulations also describe other ways consumers may signal their choice to opt-out of the sale of their personal information, such as user-enabled privacy controls like the Global Privacy Control (GPC) signal.
Businesses must treat these signals as a consumer exercising their right to opt-out.
Businesses must meet the following CCPA requirements when responding to requests to opt-out:
- Act on a request for opt-out no later than 15 days from the date the business receives the request
- Notify all third parties to whom it sold the consumer’s personal information in the last 90 days before the opt-out request was made and instruct those parties not to sell the personal information
- Notify the consumer when the do not sell instruction has been completed.
The rules also clarify that opt-out requests, unlike requests to know and requests to delete, need not be verified.
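The opt-out handling described in this section (a GPC signal counts as an opt-out, act within 15 days, notify third parties sold to in the prior 90 days, tell the consumer when done, do not ask them to opt back in for 12 months, and no verification step) can be turned into a worked example. This is an added illustration, not code from the article or any regulator; the sales ledger, the `SaleRecord` model and the function names are assumptions, and the header check relies on the published GPC convention of a `Sec-GPC: 1` request header. The sale records in the usage are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

ACT_WITHIN_DAYS = 15              # act on an opt-out no later than 15 days after receipt
THIRD_PARTY_LOOKBACK_DAYS = 90    # notify third parties the data was sold to in the prior 90 days
OPT_BACK_IN_WAIT_MONTHS = 12      # do not ask the consumer to opt back in for 12 months


@dataclass(frozen=True)
class SaleRecord:
    """Hypothetical ledger entry: one sale of a consumer's data to one third party."""
    consumer_id: str
    third_party: str
    sold_on: date


def is_gpc_opt_out(headers: dict) -> bool:
    """Treat the Global Privacy Control header (Sec-GPC: 1) as an opt-out signal.

    Header names are case-insensitive, so they are normalised before lookup.
    """
    normalized = {k.lower(): v for k, v in headers.items()}
    return normalized.get("sec-gpc", "").strip() == "1"


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day for shorter months (31 Jan + 1 -> 28/29 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def third_parties_to_notify(sales, consumer_id: str, received_on: date) -> list:
    """Distinct third parties that received this consumer's data in the 90 days before the request."""
    window_start = received_on - timedelta(days=THIRD_PARTY_LOOKBACK_DAYS)
    return sorted({s.third_party for s in sales
                   if s.consumer_id == consumer_id
                   and window_start <= s.sold_on <= received_on})


def process_opt_out(sales, consumer_id: str, received_on: date, source: str) -> dict:
    """Work items for one opt-out request. There is deliberately no identity-verification step."""
    return {
        "consumer_id": consumer_id,
        "source": source,
        "act_by": received_on + timedelta(days=ACT_WITHIN_DAYS),
        "notify_third_parties": third_parties_to_notify(sales, consumer_id, received_on),
        "third_party_instruction": "do not sell this consumer's personal information",
        "do_not_ask_to_opt_in_before": add_months(received_on, OPT_BACK_IN_WAIT_MONTHS),
        # Sent to the consumer once the do-not-sell instruction has actually been carried out.
        "completion_notice": f"Your do-not-sell request (received via {source}) has been completed.",
    }


def opt_out_from_http(sales, consumer_id: str, headers: dict, received_on: date):
    """Map an incoming request's headers to an opt-out if the GPC signal is present."""
    if not is_gpc_opt_out(headers):
        return None
    return process_opt_out(sales, consumer_id, received_on, "gpc_signal")


if __name__ == "__main__":
    ledger = [SaleRecord("c1", "AdNet", date(2021, 1, 15)),       # constructed sample data
              SaleRecord("c1", "DataBroker", date(2020, 11, 30))]
    print(process_opt_out(ledger, "c1", date(2021, 3, 1), "webform"))
    print(opt_out_from_http(ledger, "c1", {"Sec-GPC": "1"}, date(2021, 3, 1)))
```

The 90-day window is inclusive at both ends, so a sale made exactly 90 days before the request still triggers a notification; if a business wants to be safer rather than stricter it can only widen this window, never narrow it.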
Managing requests to opt-in
The CCPA regulations’ rules for requests to opt-in are like those for requests to delete: consumers must first submit the request to opt-in and then separately confirm their choice to opt-in.
Where the sale of personal information is a condition of completing a transaction, but the consumer has already opted-out of the sale of their personal information, a business must:
- Inform the consumer they have previously opted-out and
- Give clear instructions on how the consumer can opt-in.
Note: opt-in requests can be actioned even if the required 12-month period (during which the business must not ask the consumer to opt back in) has not passed.
Security considerations
The CCPA rules address several key security concerns related to not disclosing specific pieces or even categories of personal information:
- When the consumer’s identity cannot be verified by the business
- Where disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, a consumer’s account or the business’s systems or networks
- Businesses must never disclose a consumer’s Social Security number, driver’s license number, other government-issued IDs, financial account number, health insurance or medical ID number, account password, or security questions and answers
- In any event, CCPA Section 1798.150 states that businesses must use reasonable security measures when transmitting personal information to the consumer and reasonable data security controls when disclosing personal information through a consumer portal.
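The four security rules above translate naturally into a gate in front of any request-to-know response: refuse when identity is unverified, refuse when a documented security risk exists, strip the never-disclose data elements, and only deliver over a transport that meets a minimum bar. The following is an added illustration and not code from the article; the field names in `NEVER_DISCLOSE` are an assumed schema for the business's own records, the `DisclosureDecision` shape is invented for the example, and treating "reasonable security measures when transmitting" as a requirement for an HTTPS delivery URL is one conservative interpretation, not a statement of what the statute specifies. The sample record is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Data elements the rules say must never be disclosed in response to a request to know.
# Field names are an assumed schema; map your own record layout onto them.
NEVER_DISCLOSE = frozenset({
    "ssn", "drivers_license_number", "government_id_number",
    "financial_account_number", "health_insurance_id", "medical_id",
    "account_password", "security_questions_and_answers",
})


class DisclosureDenied(Exception):
    """Raised when no specific pieces of personal information may be disclosed at all."""


@dataclass
class DisclosureDecision:
    """What goes to the consumer (disclosed) and which fields were held back by rule."""
    disclosed: dict
    withheld_fields: list = field(default_factory=list)


def build_request_to_know_response(record: dict, identity_verified: bool,
                                   security_risk: Optional[str] = None) -> DisclosureDecision:
    """Apply the CCPA security rules before any specific piece of personal information leaves the system.

    identity_verified: result of the business's verification process (not performed here).
    security_risk: a substantial, articulable and unreasonable risk documented by the business,
                   e.g. an open account-takeover alert on this account; any value blocks disclosure.
    """
    if not identity_verified:
        raise DisclosureDenied("consumer identity could not be verified")
    if security_risk:
        raise DisclosureDenied(
            "disclosure would create a substantial, articulable, and unreasonable risk: "
            + security_risk
        )
    disclosed = {k: v for k, v in record.items() if k not in NEVER_DISCLOSE}
    # Design choice for this example: name the withheld field, never its value.
    withheld = sorted(k for k in record if k in NEVER_DISCLOSE)
    return DisclosureDecision(disclosed=disclosed, withheld_fields=withheld)


def transport_is_acceptable(delivery_url: str) -> bool:
    """Minimum bar for 'reasonable security measures when transmitting': TLS only.

    This is one interpretation used for the example, not a rule quoted from the statute.
    """
    parts = urlparse(delivery_url)
    return parts.scheme == "https" and bool(parts.netloc)


def deliver(decision: DisclosureDecision, delivery_url: str) -> dict:
    """Package the decision for a consumer portal, refusing non-TLS delivery targets."""
    if not transport_is_acceptable(delivery_url):
        raise DisclosureDenied(f"refusing to transmit personal information to {delivery_url}")
    return {"to": delivery_url, "data": decision.disclosed,
            "withheld_fields": decision.withheld_fields}


if __name__ == "__main__":
    sample = {"email": "consumer@example.com", "purchase_history": ["order-1"],   # constructed
              "ssn": "000-00-0000", "account_password": "<hash>"}
    decision = build_request_to_know_response(sample, identity_verified=True)
    print(deliver(decision, "https://portal.example.com/requests/1"))
```

Keeping the gate as a single function that every response path calls makes the "never disclose" list auditable in one place; a test that feeds it a record containing every prohibited field and asserts they are all absent from `disclosed` is the regression check worth keeping.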