CCPA Explained: Part 5 - Article 3 -Business Practices for Handling Consumer Requests

 Oct 14, 2019 11:00 AM
by Derek Lackey

§ 999.312. Methods for Submitting Requests to Know and Requests to Delete


A  A business should provide 2 or more designated methods for submitting Requests to Know, at minimum, an 800 phone number or a webpage link to a simple form. Can also provide an email address, the ability to make the request in person or a form submitted via mail.

B  A business should provide 2 or more designated methods for submitting Requests to Delete, at minimum, an 800 phone number or a webpage link to a simple form. Can also provide an email address, the ability to make the request in person or a form submitted via mail.

C These request processes should be similar to the way a business typically does business. 
(1) Example 1: If the business is an online retailer, at least one method by which the consumer may submit requests should be through the business’s retail website.
(2) Example 2: If the business operates a website but primarily interacts with customers in person at a retail location, the business shall offer three methods to submit requests to know—a toll-free telephone number, an interactive webform accessible through the business’s website, and a form that can be submitted in person at the retail location.

D When requesting deletion, a business must use a two-step process: first the consumer must submit the request for deletion and second, they must confirm they want their personal inofrmation deleted.

E  If a business does not interact directly with consumers in it's regular course of business, at least one method must be provided - usually a weblink to a simple form.

F If a request is received without using the provided formats, the business shall either:
1. treat the request as though it was submitted properly, or
2. provide the consumer with the simple forms to properly make the request.

§ 999.313. Responding to Requests to Know and Requests to Delete

A Confirmation of reciept of a request must be provided within 10 days with a clear statement of how the process will unfold, including the verification process to confirm the identity of the consumer making the request. A business should include when the next response should be expected, except in an instance where the business has already granted or denied the request.

B The entire process should not take more than 45 days from the date or reciept, including the verfication process. The business can request - in writing - an additional 45 days if it can provide notifcation of the reasons for the extension, to the consumer.

C Responding to Requests to Know
1. If a business cannot verify the identity of the consumer making the request, no personal information should be disclosed to the consumer.
2. Same for a request to know the categories of data being collected. A business should simply provide a link to their practices regarding the collection, use , disclosure and sale of personal inofrmation on their website.
3. A business should not breach it's own security protocols, nor harm the indidual by revealing personal information.
4. A business shall not at any time disclose a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.
5.  A business can deny a request, in whole or in part, and should explain their actions to the consumer. If it is a partial denial, the rest of the information should be provided in the normal manner.
6.  A business should consider privacy and security when transmitting personal inofrmation to the consumer.
7. Information can be provided via a customer portal if the consumer already has a password, providing it meets security protocols.
8. the 12-month period covered by a consumer’s verifiable request to know referenced in Civil Code section 1798.130(a)(2) shall run from the date the business receives the request, regardless of the time required to verify the request.
9. A business cannot simply refer a request to know to the Corporate Policies regarding the personal information, categories of sources and or third parties involved. Each request requires a personailzed response.
10. In response to a request to know, categories of personal information, the business shall provide details (for every category) of:
a) the categories of sources from which the Personal Information was collected,
b) the purpose it was collected for,
c) the categories of third parties it was sold or disclosed to
d) the pupose of the sale or disclosure (what the buyer intends to do with it)

11. A business must use an easy to understand format of identifying the categories of personal information, categories of sources of personal information, and categories of third parties to whom a business sold or disclosed personal information.

D Responding to Requests to Delete
1. If a business cannot verify the identity of a consumer making a request to delete, they may deny the request, opting instead to simply treat the request as a request to opt-out of the sale of their personal information.
2. To delete means to:
a) permanently and completeyly erasing the data in the sysytem and all back ups.
b) De-identifying the data
c) Aggregating the data
3. Backed data processes may delay response time of a request to delete until the next time the back up is archived.
4. A business should communicte to the consumer, how it deletes the data.
5. It should be clear that the business will maintain a record of the request to delete.
6. When a business denies a request to delete it shall:
a) inform the consumer of the denial and reasons for it.
b) delete any data that is not included in the denial.
c) Not use that consumer's data for anything except the reason it denied the request.
7. A business can offer the option to delete select portions of data rather than the entire file of personal information. A two-step confirmation process should be deployed.


CCPA Explained: Article 1 General Provisions - Part 1 - Scope and Definitions

CCPA Explained: Article 2 - Notices to Consumers - Part 2 - Notice at Collection

CCPA Explained: Part 3 The Right to Opt-Out and Offering Financial Incentives

CCPA Explained: Part 4 - Privacy Policy