Starting January 1, 2020, California consumers are allowed to make requests for disclosure of certain information under the California Consumer Privacy Act of 2018 (“CCPA”). This article spotlights several practical issues concerning such requests by considering the text of the CCPA and the proposed regulations published by the California Attorney General on February 10, 2020 (“Proposed Regs”).1
Under Cal. Civ. Code § 1798.100(a), “[a] consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.”2 The Proposed Regs at § 999.301(q) refer to this as a “request to know”, defined as:
a consumer request that a business disclose personal information that it has collected about the consumer pursuant to Civil Code sections 1798.100, 1798.110, or 1798.115. It includes a request for any or all of the following:
- Specific pieces of personal information that a business has collected about the consumer;
- Categories of personal information it has collected about the consumer;
- Categories of sources from which the personal information is collected;
- Categories of personal information that the business sold or disclosed for a business purpose about the consumer;
- Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
- The business or commercial purpose for collecting or selling personal information.
A covered business receiving a request to know shall first, according to the Proposed Regs, “confirm receipt of the request within 10 business days and provide information about how the business will process the request. The information provided shall describe in general the business’s verification process and when the consumer should expect a response, except in instances where the business has already granted or denied the request.” The Proposed Regs further state that “[t]he confirmation may be given in the same manner in which the request was received. For example, if the request is made over the phone, the confirmation may be given on the phone during the phone call.” Proposed Regs, § 999.313(a).
The time to respond substantively also begins on the date of receipt of the request,3 “regardless of time required to verify the request.” Proposed Regs, § 999.313(a). The covered business has 45 days to respond, subject to a 45 day extension, and provide the requested information to the consumer. Cal. Civ. Code § 1798.130(a)(2). The Proposed Regs clarify that the deadlines for a response are calendar days. Proposed Regs, § 999.313(b).4 According to the Proposed Regs, the 45 day extension is available, “provided that the business provides the consumer with notice and an explanation of the reason that the business will take more than 45 days to respond to the request.”5
Assuming a request to know is from a consumer who has been verified and assuming the information to be provided in response has been properly identified,6 the next hurdle is how to deliver the data to the consumer.
The CCPA states that disclosure and delivery is to be “free of charge to the consumer.” Further, it describes: “The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance.” Cal. Civ. Code § 1798.100(d); see also § 1798.130(a)(2).
The Proposed Regs provide some additional guidance, saying that “[a] business shall use reasonable security measures when transmitting personal information to the consumer.” Proposed Regs, § 999.313(c)(6).
“Reasonable security measures” is not a defined term and would vary by method of transmittal. “Reasonable” could also depend on the nature of the information being sent.
Delivery may be via mail or other delivery service. This approach could provide paper copies of information that are “readily useable” by a consumer, but it is possible that a consumer could argue that the data is not presented in an understandable, and thus not “readily useable”, format. Copies of disks or drives containing the information could also be sent this way, although the electronic data may not be “readily useable”, an undefined phrase, by the consumer because of formatting or lack of access to necessary software. In addition, it may be inconvenient or difficult for the consumer to send on the information received to “another entity without hindrance,” which is also an undefined phrase. There is also some security risk around mail or other physical delivery but “reasonable security measures” could include, among other steps, confirming the mailing address, insuring the physical integrity of the package upon sending, and requiring a signature at delivery. As noted, evaluating the reasonableness of security measures may depend on the nature of the responding business, the type of information involved, and other factors.
Alternatively, electronic delivery of the data is an option, but consideration will need to be given to whether to send the information itself by email or to instead send by email instructions for how to access the information. For example, an email could attach documents. This approach could present security concerns, particularly if encryption is not used or if the consumer’s email address is for a free email account. In addition, the consumer may not be able to receive certain kinds of attachments or larger volumes of attachments. Also, as with physical delivery, the consumer may not find the information “readily useable” because of formatting or lack of access to required software.
An email could also provide directions to have the consumer log into an existing account (if one exists) to obtain documents. The Proposed Regs allow the following: “If a business maintains a password-protected account with the consumer, it may comply with a request to know by using a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information if the portal fully discloses the personal information that the consumer is entitled to under the CCPA and these regulations, uses reasonable data security controls, and complies with the verification requirements set forth in Article 4 [of the CCPA].” Proposed Regs, § 999.313(c)(7). If a consumer did not have an existing password-protected account with the responding business, the business could send a secured link to a portal, whether maintained by the business or by a third-party vendor.
Each electronic method could face security risks, but “reasonable security measures” could include confirming the accuracy of an email address, requiring a password or other access verification, and encrypting the information. Again, reasonableness of security measures will likely be considered in the context of the type of business that is providing the information, the nature of the information being sent to a consumer, and so on.
In addition, whatever electronic approach is employed, the format will also need to be assessed. Although formats such as .doc and .txt are relatively universal and easy to transmit to “another entity without hindrance”, those formats risk being altered. Alternatively, the use of a locked .pdf (portable data format) document may be a more secure possibility.
Regardless of the method of electronic delivery, two things must be certain: (1) the delivery method must utilize “reasonable security measures” to protect the information from, for example, unintended disclosure to unauthorized persons, and (2) the format must be “readily useable”, as required by the CCPA, such that “the consumer [can] transmit this information to another entity without hindrance.”
So, the CCPA invites consumer requests to “show me the data” – but only in a “readily useable” manner that permits sending the data on to another “without hindrance” and only through the use of “reasonable security measures”.
1 See Cal. Code Regs. tit. 11, §§ 999.300 et seq. (proposed Feb. 10, 2020), https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-mod-redline-020720.pdf (last visited Mar. 27, 2020).
2 Such requests are for information collected, disclosed or sold within the preceding 12 months. Cal. Civ. Code § 1798.130(a)(2); Proposed Regs, § 999.313(c).
3 This means that the deadline to confirm receipt of the request and the deadline to respond to a verified request run simultaneously.
4 This calendar day approach for a substantive response to the request (Proposed Regs, § 999.313(b)) is distinct from the business day approach for the confirmation of the receipt of the request (Proposed Regs, § 999.313(a)).
5 See Proposed Regs, § 999.313(b).
6 These are each important topics in their own right but are not discussed in this particular piece.