CCPA Access Requests: Tips Learned from the GDPR Trenches

August 1, 2019Alerts

A complaint by public interest organization NOYB against media streaming services shines a spotlight on the General Data Protection Regulation's right of "data subject access." While some aspects are GDPR-specific, much of the complaint provides insight into how to properly structure your access request process under the California Consumer Privacy Act (CCPA).

  • Respond without undue delay, and in any case, within 45 days of receipt.
  • Upon receipt of request, acknowledge receipt.
  • If seeking extension (45 days where reasonably necessary, 90 for complexity/number of requests), inform consumer within 45 days from date of receipt of the extension and reason.
  • Provide the personal information in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
  • Intelligible form: understood by an average member of the intended audience.
  • Raw data in a unintelligible and machine readable format alone will not qualify.
  • Provide an explanation, software or other means to make the data readable and understandable for the average consumer.
  • Provide the business or commercial purpose for collecting or selling the information in the form of a conclusive list.
  • Indicate the specific information or information categories used for each purpose.
  • A generic statement that does not allow the data subject to verify the lawfulness of the processing for each data category and purpose will not suffice.
  • Disclose the categories and specific pieces of personal information collected and sold (separately).
  • Make sure to include: cookies, online identifiers, tracking technologies, beacons, IP addresses, pixel tags or device identifiers.
  • It is not enough to say "see my online privacy notice."
  • When disclosing categories of recipients with whom information was shared or sold, it is not enough to state that the information is shared with "third parties," "service providers," "other companies" or another general category.

Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR and CCPA compliance issues, including data subject access requests, contact Odia at [email protected] or 215.444.7313.