Responding to CCPA Requests

Published November 19, 2020 | 4 min read

Responding to consumer requests for personal information filed under the California Consumer Privacy Act (CCPA) may seem overwhelming at first. The CCPA was adopted to protect consumers’ private, personal information, but the law is still new, and some companies struggle not only with how to reply to requests but also with how to receive and process them in a safe and responsible manner.

The CCPA applies foremost to California residents, but as a practical matter, it extends to a large swath of Americans no matter where they live. So any business of appreciable size needs to consider this issue. (If you’re new to CCPA regulations, you may want to spend some time with our complete guide to CCPA compliance before you read on.) 

What data can a consumer request to see?

According to the CCPA, which applies to companies with more than $25 million in annual revenue or that manage data from more than 50,000 people, consumers have a right to know what data businesses collect from them. The relevant data are grouped into various categories of personal information under the CCPA. 

First, consumers can ask a company which categories of personal information it maintains. They can also ask which specific pieces of data (name, address, biometric information, Social Security number, and more) the company is storing.

The CCPA also allows consumers to know whether their personal data has been sold or otherwise shared with a third party for business purposes (say, to perform a credit check) or for any other reasons. Consumers can then request that their data not be sold to other businesses, and they can file a request to delete data that’s already been collected.

How do consumers ask a business to delete their personal information?

The CCPA gives a consumer the right to file a “request to delete,” comparable to the so-called “right to be forgotten” established in the European Union under the General Data Protection Regulation (GDPR). (It’s important to know that these two data privacy laws differ on some points; this piece focuses on the CCPA.) 

To file “deletion requests,” a consumer must use one of the filing methods provided by the business. The business must validate the consumer’s identity at the time of the request and again before any files are deleted. The business must also acknowledge the request within 10 business days. 

If a consumer does not follow the filing method provided by the business or omits some required information, the business can choose either to ignore the request or to let the consumer know how to file a request properly. 

What are the request methods?

Consumers may file a “right to know” personal information access request up to twice a year, and a business must respond without any charge to the consumer. A business has to offer at least two ways that a request can be submitted, and consumers must use one of the methods provided. 

Common request methods are: 

  • An online form that’s always available on a business’s website and may be completed by the consumer at any time.
  • An online form accessible through the consumer’s already existing, password-protected account. 
  • A toll-free phone number for consumers to call. 
  • A designated email address by which a consumer can contact the company’s designated CCPA compliance officer or some other appropriate staff member.
  • A hard-copy form to print, fill out, and mail or deliver in person. 

The business must respond to the consumer’s request within 45 calendar days. The CCPA does include an option for a 45-day extension for especially complex requests, but no response can take more than 90 days in total. 

A business may require that consumers file “right to know” requests via their existing accounts, but a business may not demand that a consumer open an account to file a request.

How do I verify consumers’ identities?

Businesses maintain different methods to confirm the identity of their customers, and they can use these same methods to confirm a consumer’s identity when that person submits a “request to know” or a “request to delete.” There are also third-party contractors who provide this service.

Verifying the consumer’s identity is important to safeguard against illegal activity, such as an impersonator trying to steal someone’s private data. Verification reduces the risk of such security incidents and data breaches, as well as the regulatory enforcement or litigation costs that might follow.

Verification guidelines for password-protected accounts: 

In general, password-protected accounts can be verified through a business’s existing authentication practices, as long as those practices are already compliant with the CCPA.

Businesses can face monetary penalties if they mistakenly release information to the wrong consumer, so security measures are critical when someone asks for specific personal information. These are some ways a consumer’s identity can be verified: 

  • A business can ask the consumer to confirm his or her identity during the usual login method by asking the person to provide a piece of information already stored by the business—for example, a driver’s license number or a personal phone number.  
  • A business may also ask a consumer to verify his or her identity through a secondary level of security such as a two-step process. This process is becoming more and more common as businesses seek to increase data security and protect their customers from third-party hacking or data theft. 
  • Remember that consumers under 16 years of age may need parental consent for opt-out requests or requests to delete information. 

Verification guidelines for accounts not protected by password: 

CCPA regulations require that before a business releases personal data to fulfill a right-to-know request, that business must verify a consumer’s identity to a “reasonable degree of certainty.” One way to do that is to match two pieces of information provided by the consumer to the same two pieces of information maintained by the business. 

If the consumer requests specific categories of personal information, however, the business must obtain and compare three pieces of personal information provided by the consumer with information already maintained.  

If a consumer is filing a request to delete data, the consumer’s identity must be verified at the time of the request and again before any data or files are deleted. In these instances, it’s up to the business to decide whether to use a two- or three-step verification process.
