CCPA provides consumers with several fundamental rights pertaining to their personal information. Businesses that already handle data subject rights under the GDPR will find the CCPA rights familiar. Slight variations exist in scope, timing, and verification, but the process flows will be similar.
Prior to honoring a request, organizations must make reasonable efforts to verify the identity of the requester to ensure the request is valid. This could occur through matching a customer ID number the business already holds or confirming control of the email address on file, among other methods. The verification step is itself a security control: a deletion or disclosure request honored for an impostor becomes an unauthorized disclosure or destruction of someone else's data, so the strength of the check should scale with the sensitivity of the data and the action requested, and the business should avoid collecting new personal information solely to perform the check.
Businesses have 45 days from receipt of a request to respond to consumer rights requests. When reasonably necessary, businesses can extend this timeframe once by an additional 45 days, but must notify the consumer of the extension within the initial 45-day period. Clarification has not yet been provided regarding when an extension would be "reasonably necessary," so businesses should treat the extension as an exception and document the reason each time it is used. Due to the strict timeframe to review and respond to these requests, organizations should route every request, regardless of the channel on which it arrives (web form, email, phone, in person), to a single centralized intake point for review. Records should be retained indicating the date the request was received, the date and method of identity verification, and the due date for the response.
Tip: It is recommended that organizations develop templated responses for each type of request to allow for easier and more consistent responses. As with most compliance-related issues, it will be up to the business to demonstrate that it responded to the request within the allotted timeframe. Therefore, records should be retained documenting the actions taken on each request (e.g., honored the request, denied the request due to an exemption, or requested an extension), along with the dates on which those actions occurred.
As previously mentioned, a completed data inventory and data mapping exercise will greatly reduce the burden on businesses when they receive a rights request. This exercise should document all personal information of California residents that the business collects, whether directly from the consumer or indirectly through third parties. Therefore, all business units should be included in the data mapping exercise, including Human Resources, Legal, Business Intelligence, Customer Support, Marketing, Website, Sales, Information Technology, and Information Security. A data mapping exercise allows businesses to document why personal data is processed, where it is stored, and with whom it is shared or sold. As such, the data map will also allow businesses to determine when each of the various rights applies and must be honored, and to locate the records needed to fulfill a request within the 45-day window.
This blog is part of an educational series that explains the fundamentals of California's upcoming data protection act, CCPA: who it impacts, how to comply, and more. Follow along as our expert team breaks down the complexities of CCPA.