What is my Workflow for Responding to a Privacy Request?
We automate certain steps, and the remaining steps are handled outside of the CCPA Toll Free platform. Here is a step-by-step guide to responding to a privacy request:
- Review the Request—we’ll email you when you receive a request; click the View Request button in the email to see the Details screen for the request. On this page, for voicemail requests, you can listen to the request and categorize it as belonging to one of the four core CCPA rights by checking the corresponding boxes:
If the request pertains to a different type of valid CCPA request (e.g., opt-in to data sales), you can document that in the compliance notes section of the Details screen. Note: Compliance notes are internal only; we do not email them or any documents you attach to them to consumers. When you check off one of the boxes shown above, we both mark an entry in the Audit Trail and also execute a webhook event as recorded in the Webhooks / API tab. In advanced CCPA Toll Free implementations, you can use these events to automate responses to various request types (e.g., adding a consumer to your external opt-out list when you check off a request as a Do Not Sell request).
For web form requests, the details page will show you the boxes the consumer checked when they submitted the request. As with voicemail requests, you can trigger a webhook/API event upon receipt to take automated action in response to requests.
Once you have reviewed a request, you may wish to update its Completion Status shown in the Details screen for the request to “Pending” as shown in Step 6 below. This can be helpful if you have multiple persons responsible for checking and fulfilling requests in the CCPA Toll Free dashboard, as it will let them know that a request is in process. You may also wish to add a Compliance Note to the Details screen acknowledging which dashboard user is handling the request.
- Acknowledge the Request—CCPA regulations require you to do so within 10 days of receipt of the request. For webform requests, we automatically send the consumer an email as shown here acknowledging the request. For toll-free number requests, we send the same email when you listen to a voicemail and type the consumer’s email into the “Requestor Email to Verify” field on the details page for the request and click “Send Verification Email” as shown here:
If a consumer verifies their email by clicking the “Verify Email Address” button in the verification email within 7 days of receipt, we automatically check off Acknowledged in the dashboard, and make a corresponding entry in the Audit Trail under the username Automated Workflow:
We also update the Details page for the request to show that the consumer verified their email, along with the IP address of the device they used to verify it:
If automatic email verification does not occur for any reason, you may wish to take additional steps to acknowledge the request. If those steps succeed, you should manually check the “Acknowledged” box and you may wish to leave a compliance note at the bottom of the Details page to document how you provided the acknowledgement.
- Verify the Consumer’s Identity—required for all request types except Do Not Sell requests and Tell Me More requests where you are responding with general information only (i.e. no disclosure of personal information to the consumer).
If your method of verifying requests consists of verifying the consumer’s email address, you can check off a request as Verified as soon as you have obtained an email verification as per Step 1 above. If you have a different method of verifying the consumer’s identity, you can handle that as needed outside of the CCPA Toll Free platform. We recommend including in any communications with the consumer the CCPA Toll Free assigned unique Request ID so that you can tie those communications back to the corresponding request in the dashboard (cut and paste the ID provided in the Details screen for the request).
If an agent has made the request on behalf of the consumer, you should follow your internal procedures for verifying these requests (e.g., you can require the consumer to demonstrate that they’ve authorized the agent in a signed document by collecting a copy of it, and you can separately verify the consumer’s identity). You may wish to attach any agent authorization documents to a compliance note using the Add Document button.
If you need further assistance with verifying requests, including automating request verification that is not based on an email address, contact firstname.lastname@example.org.
- Extend the Deadline (optional)—if you need more than 45 days to complete a request, tell the consumer why you need more time, and per the CCPA you can extend the completion date by an additional 45 days to 90 days in total. You can inform the consumer via email from your normal customer support email or a call back. If you email, copy and paste the Request ID shown in the Details screen for the request into your email so that you can tie that communication back to the request in the dashboard. After you inform the consumer, check off the Extended box in the CCPA Toll Free dashboard and we will automatically update the due date for the request to 90 days from receipt.
- Complete the Request—fulfill any valid request you receive from a verified consumer (if verification is required), or let the consumer know why you cannot fulfill their request. For sample request denial emails, see our CCPA Email Response Templates.
To fulfill a request, you may need to take different actions outside of the CCPA Toll Free dashboard based on the request type and the information you collect about consumers.
To fulfill a Data Access request, be sure to send the data via a secure method. We recommend adding the data to an encrypted zip file and sharing it with the consumer using the following process: (1) go to onetimesecret.com and click the “generate a random password” button; (2) note the password shown and use it to encrypt the zip file; (3) copy the link provided by onetimesecret.com and email it to the consumer, asking them to confirm when they have written down the password shown at the link (hint: remind them to write the password down the first time they click the link because the link will only work once); (4) email the consumer the encrypted zip file along with instructions for decrypting it.
For Tell Me More, Data Deletion and Do Not Sell requests you will need to take other appropriate action based on the data you collect. For help automating responses to all request types, contact email@example.com.
Whenever you email a consumer about their request, copy and paste the Request ID shown in the Details screen for the request into your email so that you can tie that communication back to the request in the dashboard.
- Document the Request Disposition—after you fulfill or deny a request, use the Completion Status field in the Details screen for the request to select the final disposition of the request as shown here:
For example, mark a request as Fulfilled, or, if you are denying a request, mark it as Spam (i.e. not a privacy related request), Withdrawn by the consumer, Unverifiable or Other. We also recommend creating a brief compliance note upon completion detailing the action taken (e.g. “Fulfilled by firstname.lastname@example.org on 08.14.20 by emailing requested information to email@example.com”). For a more complete compliance record, you can also use the Add Document button to include with any compliance note a copy of the data distributed to fulfill the request.