The California Consumer Privacy Act (CCPA) gives consumers the right to submit “data access requests.” That is, an individual can ask a business subject to the CCPA to provide a copy of any personal information the business has collected, used, disclosed, and sold about the consumer — and the company must respond to the request.
The CCPA went into effect at the start of 2020. It establishes several rights that California residents have over their personal information and also regulates how California businesses can collect and use personal data for commercial purposes.
One consumer right is the right to file a data access request. The consumer can “request to know” which of his or her information the business has collected, shared, or sold; and can then also “request to delete” specific pieces of personal information.
A business, meanwhile, must confirm receipt of a data access request within 10 days. The business then has 45 days to verify the consumer’s identity and complete the request and can extend that period by another 45 days if it needs additional time to comply (although the business must alert the consumer and explain why it needs more time).
A business may not take more than 90 days altogether to provide the information requested or to delete the consumer’s data.
The CCPA also requires businesses to provide a “Do Not Sell My Personal Information” button on their websites and stipulates that certain minors may need to opt in to having their information collected, stored, or sold.
When your business receives a verified information access request from a consumer, you must provide the following information, according to CCPA 1798.110(c):
- The categories and specific pieces of personal information the business has collected about the consumer;
- The categories of personal information the business has sold about the consumer;
- The categories of third parties to whom the consumer’s personal information was sold (identified by category of personal information for each third party); and
- The categories of personal information that the business disclosed about the consumer for a business purpose.
In responding to deletion requests, a business must inform the consumer whether or not it has complied.
If the business complies, it must inform the consumer that it will maintain a record of the request and erasure to ensure that the information remains deleted from the company’s records.
If the business denies the deletion request, however, it must:
- Inform the consumer that it will not comply, and describe the basis for the denial — for example, some conflict with federal or state law, or exception to the CCPA;
- Delete whatever information isn’t subject to the exception;
- Not use the information it keeps for any other reason, beyond those provided for by that exception.
If a business that refuses a deletion request then sells the consumer’s personal information—and the consumer has not already made a request to opt out—the business must ask the consumer if he or she would like to opt out of the sale. The company also must include the contents of, or a link to, the notice of right to opt-out in the response to the request.
If the business has already shared the consumer’s personal data with service providers and is complying with the consumer’s deletion request, the business must notify the service provider of the consumer’s request and instruct the provider to delete the requestor’s information.
Businesses that receive a verifiable request from a consumer to delete personal information must also direct any service providers to delete the data from their records. The exceptions that allow a business to deny a consumer’s deletion request also apply to service providers.
11 Categories of Personal Information
The CCPA aims to prevent the sale or sharing of California residents’ personal information without their permission. The law defines personal information broadly, well beyond the conventional types of consumer personal information such as name, phone number, and Social Security number.
The CCPA lists 11 categories of personal information, including:
- web browsing and search history;
- geolocation data;
- IP addresses;
- account numbers;
- driver’s license number;
- and other types of information that could reasonably be linked with a particular consumer or household.
The CCPA also gives the California attorney general the power to add new categories of personal information to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
Special Rules for Third Parties
The CCPA imposes special obligations on “third parties” about the handling of consumer requests. Third parties are organizations to which a business collecting California consumers’ personal information sells that information.
The CCPA restricts how third parties may resell any consumer information that they’ve obtained from your business. They must notify consumers if they intend to sell their consumer data, and provide those consumers with the ability to opt out of the sale of such information.
CCPA Compliance, Simplified
Compliance with the CCPA is no easy task. It’s a complex regulation that changes often, with new amendments proposed every year. Not complying with the law, however, could result in fines, penalties, or civil litigation.
ZenGRC makes CCPA compliance a breeze. Our user-friendly solution has color-coded dashboards that show where your business is or isn’t compliant, and tell you how to close gaps.
Zen tracks where your consumer information is going and helps you verify and fulfill consumer requests. And to demonstrate your compliance, Zen stores all your documentation in a “single source of truth” repository for easy access when you need it.
Worry-free CCPA compliance is the Zen way. Contact us today for your free consultation.