The California Consumer Privacy Act of 2018 (“CCPA”) requires covered businesses to complete all disclosure and deletion requests within 45 days of receipt of a verifiable consumer request. The CCPA allows a single 45-day extension when reasonably necessary and upon notice to the consumer. Please consider the following procedure for such requests:
- Program an automatic response using the email titled “Initial Automatic Response.”
- After receipt of a request, identify the consumer, verify the consumer’s identity by matching the data stored to the information provided, and identify their data.
- Once the request is verified, please respond with the appropriate sample email and follow the instructions included.
- If the request is not verified, please respond with the alternative denial sample email.
Interactive Request Form:
Under the CCPA, a covered business must include an interactive request form as an option for consumers to exercise their rights. Please engage with your IT team to create a webpage-based form, using the text provided below, that will accept requests and send an automated response.
Request to Delete:
Under the CCPA, once a verifiable request has been received, the company must delete all personal information from its records that is not subject to an exception, and notify any service providers to delete the consumer’s personal information from their records. If a consumer makes a request to delete, please respond with the sample “approval” or “denial” email.
Under the CCPA, a business does not need to delete information where it is necessary to (1) complete the transaction or perform a contract for which the information was collected; (2) detect security incidents, protect against malicious, fraudulent, or illegal activity; (3) debug to identify and repair errors that impair existing intended functionality; (4) exercise free speech; (5) comply with laws which allow law enforcement to access data as described in the California Electronic Communications Privacy Act; (6) engage in research; (7) enable solely internal use; (8) comply with a legal obligation; or (9) use the information internally in the context in which the consumer provided it. Further, a business does not need to delete the data if the individual is not a California resident or the request is more than twice per year.
Request to Know:
If a consumer makes a request to know the information that is collected about the consumer, please respond with the sample “approval” or “denial” email. If approved, the company should compile and send a plain-language list of information that is collected about the consumer. If denied, please respond with the denial email that corresponds with the reason for denial.