As promised, we return with Part 2 of our CCPA Blog Series.
Last time, we looked at the CCPA's scope of applicability, the key definitions/concepts, and the first of the 5 core consumer rights under the CCPA, the Notice requirements. In this second post, we'll be delving more deeply into the next consumer right – the right to access – which, as explained below, comes hand in hand with the right to data portability.
We'll consider how these rights differ to their equivalent counterparts under the GDPR, and what this means from a practical implementation standpoint.
The Access requirements
The consumer's right to access is scattered over several different sections of the CCPA. The main access-related provision states that:
"A consumer shall have the right to request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected." (Section 1798.100(a) - emphasis added)
So, just like the GDPR, the CCPA provides consumers with the right to obtain a copy of the personal information that a business has collected about them.
In subsequent sections, the CCPA stipulates that a business must also disclose to the consumer, upon request:
The categories of personal information collected,
The categories of sources from which the personal information was collected,
The business or commercial purposes for collecting or selling the personal information,
The categories of third parties with whom the business shares the personal information,
The categories of personal information sold and the categories of third parties to whom the personal information was sold (by category of personal information for each third party) and
The categories of personal information disclosed for a business purpose.
(at 1798.110(a) and 1798.115(a))
The CCPA states that the "categories of personal information" required to be disclosed above should follow the Act's definition of personal information – for example, "internet information", "geolocation data", "education information" etc. Aside from this, it isn't clear from the legislation how specific each of these disclosures needs to be, or whether a business could seek to refer the consumer to its online privacy notice which provides these disclosures (as they pertain to consumers generally). Just like the GDPR, businesses will no doubt take a variety of different approaches and levels of transparency on this.
So what additional work is required to meet the CCPA's access rights?
Many companies will already have processes in place under the GDPR – and the Privacy Shield - to respond to subject access requests from EU individuals. In order to expand these processes to accommodate Californian residents' access rights under the CCPA, a business should consider the following:
Designated methods for exercising rights: The CCPA mandates a toll-free number and web address for submitting CCPA access requests. Businesses should therefore register a US toll free number for this purpose, if they don't have one already.
Verifying identity: Unlike the GDPR, which encourages verification of the individual's identity but ultimately leaves it to the business's discretion, the CCPA states that a business is only obligated to disclose information in response to a "verifiable consumer request" and carrying out verification checks are mandatory - this should be incorporated into your access procedures.
Timescale: The copy of the personal information and the information set out above must be delivered to the consumer within 45 days. The deadline can be extended once by an additional 45 days (or 90 days, as it says elsewhere in the Act – no one knows which was the drafting error). The timescale of 45 days is the same as for complaints under the Privacy Shield – however, the GDPR has a tighter timescale of 1 month (with scope for an additional 2 month extension). It probably makes sense to simply align all internal processes to 1 month to be safe.
Scope of the information: The CCPA only requires disclosure of personal information collected, sold or disclosed in the 12 months preceding the request. The GDPR, however, requires disclosure of all of the personal information that a business processes about an individual. A business should consider whether it is going to trouble itself with this cut off date or whether it will simply take a more extensive GDPR approach.
Nature of the disclosures: The CCPA and the GDPR require businesses to make slightly different disclosures to the consumer. Under the CCPA, a business must disclose the categories of third party recipients to whom the information has been "sold" or "disclosed for a business purpose". The GDPR does not require this level of granularity, simply requiring disclosure of the categories of third party recipients more generally. On the other hand, the GDPR requires businesses to disclose certain information not required under the CCPR – such as data retention periods, recipients located outside the EU, details of automated decision-making, and the appropriate safeguards in place for international transfers. Given these subtle differences, it makes sense to prepare different template responses and search parameters for access requests.
The bundled up right to data portability
The right to data portability is worth a separate mention here because it is one of the more striking differences between the CCPA and the GDPR.
Under the CCPA, the right to access has been merged with the right to data portability. See Section 1798.100(d), which provides that where a business responds to an access request "electronically", it is required to provide the personal information to the consumer in "a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance".
This means that a business must automatically provide data to the consumer in a format that is "readily useable" by other competing services, regardless of whether the consumer has requested it. The only circumstances in which they will not need to do this is where this is not "technically feasible" (which sounds like a surprisingly high hurdle). Potentially, this could be quite burdensome, especially on smaller businesses.
By contrast, under the GDPR the right to data portability is a separate right to the right to access which only sophisticated consumers are likely to invoke. In addition, the right only applies in limited circumstances – in particular, to data that the individual has provided to the controller and which has been processed on the grounds of consent or contractual necessity. The CCPA's right to data portability contains no such limitations and seemingly applies to all data collected by a business – which, in principle, could include anything from analytics data, marketing data, profiling data, or inferential data. If this is the case, this is something that will certainly raise a few eyebrows and on which further guidance by the Attorney General would be most welcome.
Businesses which have not yet implemented technical measures for data portability under the GDPR (for example, because they do not process on the grounds of consent or contractual necessity) will need to address this right head on under the CCPA.
We'll follow up soon with more on the remaining consumer rights (deletion, opt out and non-discrimination). Stay tuned!