Consumer requests to know must be verified before the business can respond, but the verification requirements vary depending on the specific type of request.
Requests to know the categories of personal information collected should be verified to a “reasonable degree of certainty.” Regulations suggest matching two consumer data points provided by the requestor to data maintained by the business.
Requests to know the specific pieces of personal information collected should be verified to a “reasonably high degree of certainty.” Regulations suggest matching three consumer data points and requiring a signed declaration under penalty of perjury.
If the business has knowledge that a consumer is under 13 years old, it must verify that the requestor is the consumer’s parent or guardian.
Consumers may submit a request through an authorized agent, though businesses may require proof of such authorization, such as signed permission from the consumer.
Businesses must offer two or more methods for submitting a request to know, including a toll-free number. At least one of these methods should relate to the business’s normal way of interacting with consumers.
Businesses that operate exclusively online and have a direct relationship with the consumer only need to provide an email address for submitting requests.
Refer to your business’s data map to determine what information must be provided and where it is maintained.
For security reasons, some specific pieces of information (for example, Social Security numbers, government ID numbers, financial account numbers, account passwords, and security questions and answers) should never be disclosed, even in response to a verified request. In these cases, disclose only that your business has collected that type of information.
A form letter will help ensure that each response has the required information, as well as reduce the time needed to create each response.
Confirmation of receipt may be made in the same manner the request was received. If the request was made by phone, confirmation can be made orally at that time.
The response deadline can be extended once if necessary, provided the consumer is notified before the original 45 days have expired.
Working through a few hypothetical consumer requests will help ensure there are no gaps in the process and that staff know where to find all the necessary information.
Consumer requests to delete must be verified before the business can respond, but the verification requirements vary depending on the type of information to be deleted.
If unauthorized deletion of the personal information would pose little harm to the consumer (deleting browsing history, for example), the request should be verified to a “reasonable degree of certainty.” Regulations suggest matching two consumer data points, such as an email address and name.
If unauthorized deletion of the personal information would potentially cause more harm to the consumer (deleting family photos, for example), the request should be verified to a “reasonably high degree of certainty.” Regulations suggest matching three consumer data points and requiring a signed declaration under penalty of perjury.
Businesses must offer two or more methods for submitting a request to delete. At least one of these methods should relate to the business’s normal way of interacting with consumers.
Refer to your business’s data map to determine what information must be deleted and where it is maintained.
To prevent unnecessary deletions, determine in advance which personal information falls under an exemption.
Personal information that is deidentified or aggregated need not be deleted. Explore whether any information can be retained in this form.
If any personal information is not deleted because of an exemption, this must be explained to the consumer.
Service providers must also act on deletion requests. Establish a process for forwarding deletion notifications to all appropriate service providers.
Requests to opt out need not be verified. Consumers can send requests through an authorized agent, however, so businesses should still have a procedure for verifying this authorization.
Businesses must offer two or more methods for submitting a request to opt out. At least one of these methods should relate to the way the business normally interacts with consumers.
If your business operates a website, at least one of the methods should be an online, interactive form accessible via the “Do Not Sell” link.
The process cannot be designed in a way meant to prevent or deter consumers from submitting opt-out requests. It may have no more steps than the process for opting back in to the sale of personal information.
Refer to your business’s data map to determine what information is being sold.
Some third parties, such as Facebook and Google, offer settings that restrict their processing of a consumer’s personal information so that the transfer is no longer considered a sale. These settings can be applied to particular consumers.
Businesses must notify all third parties to whom they have sold the consumer’s personal information of the opt-out request.
There is no extension for responding to an opt-out request.
Responding quickly and properly to a privacy request requires an accurate data map and a thorough understanding of the CCPA. TrueVault Polaris makes it easier to handle these requests. Our templates automatically reflect the information in your data map in order to help you determine the right process for responding to CCPA requests.
Contact our team today to learn more about TrueVault Polaris.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.