Workflows for Responding to CCPA Requests
Your first CCPA deadline is to acknowledge right-to-know and delete requests within 10 calendar days. In your acknowledgment, let the consumer know about your identity verification procedures and by when they can expect you to fulfill their request. Your second CCPA deadline is to verify and fulfill right-to-know and delete requests within 45 calendar days; however, if you need additional time, you can notify the consumer that you are taking an extension of an additional 45 days (90 days total). When you notify the consumer about the extension, which can be part of your initial acknowledgment or in a later notice, you should explain why you need the additional time.
The deadline to fulfill a “Do Not Sell My Personal Information” request is 15 business (not calendar) days, and you do not need to provide the 10-calendar-day acknowledgment for these requests.
General principles for responding to requests
You should always comply with CCPA requests to the extent possible. If for some reason you cannot comply, explain why to the consumer and provide them with information about your appeal procedures if you provide a right to appeal (providing a right to appeal is not required).
Do not charge consumers for responding to CCPA requests. In fact, as noted above under principles for verifying requests, if the consumer will incur any fees as part of your verification procedures, you should reimburse them.
However, there is one area where you can impose fees for responding to CCPA requests: if requests from a given consumer are “manifestly unfounded or excessive,” including due to repeat requests, you can either (1) charge a reasonable fee to offset your administrative cost of responding or (2) deny the request and inform the consumer as to the reason for your denial. Note that it is up to you to demonstrate that a request is unfounded or excessive.
How to respond to right-to-know requests
As noted above, right-to-know requests can either ask for the categories of information you maintain about a consumer, or for a copy of the information you maintain about them. Either way, fulfill it based on the information you have collected during the 12 months prior to the date you received the request.
Requests for categories of information
For requests for categories of information, provide the following based on what you collected for the individual consumer (or answer generically if you collect the same information from all consumers):
- the categories of information you collected (e.g., contact information, email analytics)
- the categories of sources you collected it from (e.g., from the consumer directly, email service providers)
- the business purposes for which you collected each category (e.g., providing services to the consumer, marketing)
- the categories of third parties to which you disclosed or sold each category (e.g., operational service providers, ad platforms)
- the business purposes for which you disclosed or sold the information (e.g., providing services to the consumer, marketing)
Requests for copies of information
For requests for copies of the information you collected, include everything that meets the definition of personal information.
However, you should never include sensitive information such as financial account numbers, passwords, biometric data and copies of government identification documents. You may also exclude any information that you cannot readily access if you maintain it exclusively for legal or compliance purposes provided that you notify the consumer about what categories of information you are excluding.
Be sure to use reasonable security measures when sending personal information to consumers. If a consumer has established a password-protected account with you, you must use it to provide the information. If not, you must offer the consumer a choice between receiving their information via another reasonably secure electronic means (e.g., an email attachment containing an encrypted zip file, with the passphrase sent through a separate channel) or delivery via postal mail.
How to respond to delete requests
The CCPA gives businesses a lot of flexibility in responding to deletion requests. You can deny a request to the extent you need the information to provide services to the consumer, to comply with laws, to find or fix errors, to maintain security, and for other reasonably anticipated internal uses (e.g., improving your services, maintaining internal controls over financial reporting).
If you deny a request on one of these bases, disclose the applicable bases to the consumer and then make sure to use the information for those purposes only going forward. Since using the information will be restricted going forward, it makes sense to include every permissible purpose for which you are retaining the information in your disclosure to the consumer.
For information that does not fall into one of those exceptions, you must within the 45/90 day deadline:
- Actually delete it, except that for backup copies, you can delay deletion until the next time you access them even if beyond 90 days;
- Render it anonymous or “de-identified” by removing the information capable of being associated with the consumer; or
- Aggregate it with other information so that it cannot be associated with the consumer.
You do not need to inform consumers as to which method you used to delete their information and you should disclose to consumers that you will maintain a record of their deletion request as part of your CCPA compliance records.
How to respond to do not sell requests
When you receive a do not sell request, review your relationships with third parties to which the transfer of information constitutes a “sale” and stop transferring the consumer’s information to those parties. Relationships may have both a non-sale or “service provider” component, and also a sale component (e.g., loading Facebook elements on your page without “limited data usage” enabled is deemed a sale, and otherwise it is not a sale). For these relationships, you do not need to stop all transfers to the third party as long as you stop the “sales” to them.
Importantly for do not sell requests, you only need to take action on a go-forward basis: you do not need to tell third parties to which you previously sold the information to stop using it. But if you sell any of the consumer’s information to a third party between receiving the do not sell request and finishing processing it, you must inform that third party that it may not further sell that consumer’s information.
How to respond to household requests
The CCPA provides consumers the right to request information about their entire household instead of about themselves alone.
If the household has a password-protected account with your business, you can process the household requests via that account using your normal procedures. If there is no household account, then you should deny right-to-know or delete requests for household information unless (1) each household member is a party to the request and (2) you can verify the identity of each member and their status as a household member. Note if a household member is younger than age 13, make sure to obtain parental consent before disclosing any household information, being mindful that the parent may not be a member of the household. For more information about requests involving children, see this guide.
Soliciting and Responding to opt-in requests
Once you receive a do not sell request, you must wait at least 12 months before you ask a consumer to opt into sales again. However, if the consumer initiates a transaction or other request that requires a sale of information, you may request an opt in at that time as needed to fulfill the request.
When a consumer opts in to the sale of their information, you should use a double opt-in (two-step) process:
- The consumer should clearly manifest their desire to opt-in via any available method (e.g., webform, email); and
- The consumer should then separately confirm their request, e.g., by clicking a link in an email you send to them asking for confirmation.
Working with requests from authorized agents
The CCPA not only allows consumers to submit requests directly, but it also enables them to appoint a third party “authorized agent” to submit requests for them. For example, firms like Say Mine and Brand Yourself submit requests en masse to businesses on behalf of consumers.
When a right to know or delete request comes from an agent, you should be sure to verify the consumer’s identity in accordance with your usual procedures, and you can also require the agent to demonstrate that the consumer has authorized the agent, e.g., by providing you with a signed authorization document.
When a do not sell request comes from an agent, you can only require the agent to provide proof that they are authorized to act on the consumer’s behalf.
Do Not Track browser settings under the CCPA
Do Not Track (DNT) is a browser setting that consumers can use to indicate they do not wish to be tracked online (see here for details). Recall that the flow of information about consumers or their devices among publishers, ad tech companies and brand advertisers that occurs as part of the routine delivery of interest-based advertising (IBA) can be considered a sale under the CCPA.
According to the CCPA, if a consumer sets an opt-out status in her or his browser or device, you as a business must respect that choice and you should treat the choice as being made directly from the consumer rather than an agent.
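The following is an added example (not code from the original page or from any business it describes) showing how a site might combine the two opt-out signals discussed above, a stored do not sell request and the browser's Do Not Track setting, and then load only the third-party elements that have no "sale" component, as the do not sell section describes. The tag names, the `saleComponent` flags and the shape of the `doNotSellRecord` object are assumptions made for the example; the functions take a navigator-like object as an argument so they can be exercised outside a browser.

```javascript
// Added example, not from the original page. Decides which third-party tags a
// page may load given the consumer's CCPA opt-out status. Two signals are
// consulted: a server-side "do not sell" record (assumed to be looked up by the
// business's own systems and passed in) and the browser's Do Not Track setting.
// Tag names, the saleComponent flags and the record shape are hypothetical.

// Read the browser's DNT signal from a navigator-like object. Browsers expose it
// inconsistently: most use navigator.doNotTrack ("1" means opted out), Safari
// used window.doNotTrack, and older Internet Explorer used navigator.msDoNotTrack.
function browserOptOut(nav, win) {
  const raw =
    (nav && (nav.doNotTrack ?? nav.msDoNotTrack)) ?? (win && win.doNotTrack);
  return raw === '1' || raw === 'yes';
}

// Combine the stored do not sell record with the browser signal. Either one is
// sufficient to opt the consumer out. The browser signal is treated as a choice
// made directly by the consumer, not by an agent, so no agent verification applies.
function optOutDecision(nav, win, doNotSellRecord) {
  if (doNotSellRecord && doNotSellRecord.optedOut) {
    return { optedOut: true, source: 'do-not-sell-request' };
  }
  if (browserOptOut(nav, win)) {
    return { optedOut: true, source: 'browser-signal' };
  }
  return { optedOut: false, source: null };
}

// Constructed tag inventory. A relationship can have a service-provider part
// (always allowed) and a sale part (must stop once the consumer opts out).
const TAGS = [
  { name: 'payment-processor', saleComponent: false },
  { name: 'ad-platform-pixel', saleComponent: true },
  { name: 'email-service-provider', saleComponent: false },
  { name: 'data-broker-sync', saleComponent: true },
];

// Return the names of the tags that may be loaded: everything when the consumer
// has not opted out, otherwise only the tags with no sale component.
function tagsToLoad(decision, tags = TAGS) {
  return tags
    .filter((t) => !decision.optedOut || !t.saleComponent)
    .map((t) => t.name);
}

// Stand-alone demo when run directly under Node (no real browser globals here,
// so a constructed navigator object with DNT enabled is used).
if (typeof require !== 'undefined' && require.main === module) {
  const fakeNav = { doNotTrack: '1' };
  const decision = optOutDecision(fakeNav, undefined, null);
  console.log(decision, tagsToLoad(decision));
}
```

In a real page the decision would be computed before any third-party script tags are injected, and the "sale" tags would be skipped (or, for a vendor that supports a restricted mode, loaded in that mode) rather than loaded and then disabled, since the data transfer happens on load.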