How to Respond to Consumer Requests - CCPA (CPRA)
The California Consumer Privacy Act (CCPA) is California’s data protection law, granting data subjects, which it calls ‘consumers,’ a number of rights regarding their personal information. CCPA became effective on January 1st, 2020, and it was expanded by the California Privacy Rights Act (CPRA), effective as of January 1st, 2023.
Under the CCPA a consumer is defined as “a natural person who is a California resident.” Identifying a consumer, however you choose to do so, is your responsibility as a business owner, as is protecting their personal information. One way to identify a consumer is through a unique identifier, for example a home address, which can uniquely identify the consumer who lives there if adequate means are employed for the data processing, whether or not your records link that home address to the consumer’s first or last name.
To know how to address consumer requests, you must be able to distinguish who is and who is not a consumer, and for that you need all the information required to determine whether a person is a resident of California. A resident of the state is understood to mean an individual who is located in the state for purposes other than transitory or temporary ones, who is actually an inhabitant of the state, even if at the moment they submit a consumer request they are temporarily located outside California. That is why it is a misconception that an IP address can be used to establish residency. Instead, you can verify residency in advance through a Yes/No checkbox, shipping information, geolocation data, or the area code of your consumers’ phone numbers.
Under the CCPA, and with the additions of the CPRA, consumers have the following rights for which they can submit a request:
- The right to know about personal information a business collects about a consumer and how it’s used and shared;
- The right to delete personal information collected from a consumer (subject to certain exceptions);
- The right to receive a copy of the personal information a business has about them, or to port that information from one business to another;
- The right to opt out of the sale or sharing of their personal information;
- The right to non-discrimination for exercising their CCPA rights;
- The right to correct inaccurate personal information a business has about a consumer;
- The right to limit the use and disclosure of sensitive personal information.
You have an obligation to process a consumer request only if it is what the CCPA calls a ‘verifiable consumer request’ defined as
“a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, or by a person who has power of attorney or is acting as a conservator for the consumer, and that the business can verify, using commercially reasonable methods, [...] to be the consumer about whom the business has collected personal information.”
What this means for your business is that you need to verify the identity of the requestor, or, in the case of a minor child or other person authorized by the consumer, you need to verify the relationship between the consumer and the requestor. This is to make sure that the request is not done by a malicious agent and that no unauthorized disclosure of information and no data breaches occur. The way to do this is to use information your business already has to match it to the information provided by the requestor, so as not to seek to obtain more information than what you already have.
Here are a few DOs and DON’Ts for that.

| DO | DON’T |
| --- | --- |
| Ask a requestor to verify the request by sending a link to an email address | Ask a consumer to provide their phone number in a request form if you do not already have their phone number in your possession |
| Ask for the information you have already collected from a consumer before | Ask a consumer to disclose their passport details, social security information or financial data unless (a) it is strictly necessary due to the sensitivity of the information and (b) you already have this information in your possession |
| Ask a consumer to use the same method of authentication as they used when they first provided you with information | Prevent consumers from exercising their rights by creating unreasonable requirements to submit a request |
But how can a consumer submit a request? According to the privacy law in California, businesses must have at least two methods in place for consumers to be able to submit requests. In addition to this, a link called “Do Not Sell or Share My Personal Data” has to be displayed on your website, to provide website visitors with an easy and accessible way to submit a request, for your business to be compliant. Given this, one possible approach for your business would be the following.
- Method 1: display the “Do Not Sell or Share My Personal Data” link on your website and connect it to a form where consumers can provide details for their request to be verified.
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.