CCPA RESOURCES CENTER › CCPA COMPLIANCE CHECKLIST

CCPA Compliance: Request Processing Checklist

Request Processing

Beyond making the necessary disclosures via the privacy policy, businesses must respond to consumers’ privacy requests as they come in. Not only must they be handled in a timely manner, each type of privacy request has its own set of rules and exceptions. Preparing for these ahead of time will help you create quick, uniform responses that comply with all CCPA requirements.

Right to Know Requests

  • Establish verification procedures

    Consumer requests to know must be verified before the business can respond, but the verification requirements vary depending on the specific type of request.

    • Requests to know categories of personal information

      These requests should be verified to a “reasonable degree of certainty.” Regulations suggest matching two consumer data points provided by the requestor to data maintained by the business.

    • Requests to know specific pieces of personal information

      These should be verified to a “reasonably high degree of certainty.” Regulations suggest matching three consumer data points and requiring a signed declaration under penalty of perjury.

    • Minors under the age of 13

      If it has knowledge that a consumer is under 13 years old, the business must verify that the requestor is the consumer’s parent or guardian.

    • Authorized Agents

      Consumers may submit a request through an authorized agent, though businesses may require proof of such authorization, such as signed permission from the consumer.

  • Two or more methods

    Businesses must offer two more methods for submitting a request to know, including a toll-free number. At least one of these methods should relate to the business’s normal way of interacting with consumers.

    • Exclusively online businesses

      Businesses that operate exclusively online and have a direct relationship with the consumer only need to provide an email address for submitting requests.

  • Identify which categories of personal information are associated with each consumer group

    Refer to your business’s data map to determine what information must be provided and where it is maintained.

  • Identify sensitive personal information that cannot be provided

    For security reasons, some specific pieces of information should not be disclosed. In these cases, only disclose that your business has collected that specific type of information.

  • Draft form letter

    A form letter will help ensure that each response has the required information, as well as reduce the time needed to create each response.

  • Response deadline: 45 days
    • Confirm receipt of request: 10 days

      This confirmation may be made in the same manner the request was received. If the request was made by phone, confirmation can be made orally at that time.

    • Extension: 45 days

      The response deadline can be extended for an additional deadline if necessary and if the consumer is notified before the original 45 days has expired.

  • Practice responses

    Responding to a few hypothetical consumer requests will help make sure there are no gaps in the process and staff knows where to find all the necessary information.

Right to Delete Requests

  • Establish verification procedures

    Consumer requests to delete must be verified before the business can respond, but the verification requirements vary depending on the type of information to be deleted.

    • Common personal information

      If unauthorized deletion of the personal information would pose little harm to the consumer (deleting browsing history, for example), the request should be verified to a “reasonable degree of certainty.” Regulations suggest matching two consumer data points, such as an email address and name.

    • Sensitive or unique personal information

      If unauthorized deletion of the personal information would potentially cause more harm to the consumer (deleting family photos, for example), the request should be verified to a “reasonably high degree of certainty.” Regulations suggest matching three consumer data points and requiring a signed declaration under penalty of perjury.

    • Minors under the age of 13
    • Authorized agents
  • Two or more methods

    Businesses must offer two more methods for submitting a request to delete. At least one of these methods should relate to the business’s normal way of interacting with consumers.

  • Identify which categories of personal information are associated with each consumer group

    Refer to your business’s data map to determine what information must be deleted and where it is maintained.

  • Identify personal information that is exempted from deletion requests

    To prevent unnecessary deletions, determine in advance which personal information falls under an exemption.

  • Deidentifying or aggregating options

    Personal information that is deidentified or in the aggregate need not be deleted. Explore whether any information can be retained in this way.

  • Draft form letter
    • Inform the consumer of any personal information that was not deleted and why

      If any personal information is not deleted because of an exemption, this must be explained to the consumer.

  • Send deletion request to service providers

    Service providers must also respond to deletion requests. Establish a process for sending notifications to all appropriate service providers.

  • Response deadline: 45 days
    • Confirm receipt of request: 10 days
    • Extension: 45 days
  • Practice responses

Right to Opt Out Requests

  • Requests from authorized agents

    Requests to opt out need not be verified. Consumers can send requests through an authorized agent, however, so businesses should still have a procedure for verifying this authorization.

  • Two or more methods

    Businesses must offer two or more methods for submitting a request to opt out. At least one of these methods should relate to the way the business normally interacts with consumers.

    • Interactive form

      If your business operates a website, at least one of the methods should be an online, interactive form accessible via the “Do Not Sell” link.

    • Easy to execute, minimal steps

      The process cannot be designed in a way meant to prevent or deter consumers from submitting opt-out requests. It may have no more steps than the process for opting back in to the sale of personal information.

  • Identify any sale of personal information associated with each consumer group

    Refer to your business’s data map to determine what information is being sold.

  • Establish procedures for stopping the sale of personal information

    Some companies such as Facebook and Google have options for the reduced processing of consumers’ personal information so it is no longer considered a sale. These options can be applied to particular consumers.

  • Draft form letter
  • Send notification to third parties

    Businesses must notify all third parties to whom they sell consumers’ personal information.

  • Response deadline: 15 days

    There is no extension for responding to an opt-out request.

  • Practice responses

CCPA Privacy Request Templates

Responding quickly and properly to a privacy request requires an accurate data map and a thorough understanding of the CCPA. TrueVault Polaris makes it easier to handle these requests. Our templates automatically reflect the information in your data map in order to help you determine the right process for responding to CCPA requests.

Contact our team today to learn more about TrueVault Polaris.

Schedule Call