CCPA Explained: Part 7 - Article 3 -Business Practices for Handling Consumer Requests

 Oct 14, 2019 2:00 PM
by Derek Lackey

§ 999.317. Training; Record-Keeping

A All individuals who handle consumer inquiries about privacy for the business must be trained in all aspects of CCPA.

B A business must retain records of all responses for at least a 24 month period.

C A business can use a ticket or logo format but should include the following details: the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part.

D As long as this retained data is not used for anything other than recordkeeping, keeping this data does not violate CCPA.

E This data shall not be used for any puprose other than recordkeeping.

F Aside from this purpose, CCPA does not require a business to keep any other details about a consumer.

G If you manage 4,000,000 data files or more in a single year:
1. you must compile, for the previous calendar year:
a. the # of requests to know recieved, including denials
b. the # of requests to delete recieved, including denials
c. the # of requests to opt-outs recieved, including denials
d. the median #of days a business required to respond to all requests.
2. Include the above details in their Privacy Policy or linked to a page on their website informing the public of the details.
3. A business must Establish, Document and Comply with a training policy to ensure that all individuals involved are properly trained to manage requests under CCPA.


§ 999.318. Requests to Access or Delete Household Information

A  A business may respond to a Request to Know or Request to Delete, as it pertains to household personal information, by providing aggregate household information, subject to verification requirements set forth in Article 4.

B If all consumers of the household jointly request access to specific pieces of information for the household or the deletion of household personal information, and the business can individually verify all the members of the household subject to verification requirements set forth in Article 4, then the business shall comply with the request.


CCPA Explained: Article 1 General Provisions - Part 1 - Scope and Definitions

CCPA Explained: Article 2 - Notices to Consumers - Part 2 - Notice at Collection

CCPA Explained: Part 3 The Right to Opt-Out and Offering Financial Incentives

CCPA Explained: Part 4 - Privacy Policy

CCPA Explained: Part 5 - Article 3 -Business Practices for Handling Consumer Requests

CCPA Explained: Part 6 - Article 3 -Business Practices for Handling Consumer Requests