Similar to the EU's General Data Protection Regulation (" GDPR"), the California Consumer Privacy Act ("CCPA") grants consumers the right to submit an information request to (and obtain certain information from) businesses with respect to how those businesses collect, store, process, use and share the subject consumers' personal information. Under the statute, in order to properly respond to CCPA-related consumer information requests, businesses must be prepared to provide a summation of all relevant consumer data collection/storage/use during the prior twelve (12) month period from the date of request.

Thus, while the CCPA is not due to go into effect until January 1, 2020, businesses should already be engaged in internal data mapping to ensure that they will be able to comply with consumer information requests, including where such requests apply to data collection/usage during the twelve (12) months prior to January 1, 2020.

Should I Begin Mapping My Business's Internal Data Collection and Usage Activities?

Compliance with CCPA Consumer Information Requests

When a California State resident submits an information request to an entity that is subject to the CCPA, that business must provide that consumer with certain information regarding its collection, storage, processing, use and sharing of that consumer's "personal information" during the prior twelve (12) month period. Under the CCPA, "personal information," is defined as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Below is a partial list of the information that a covered business must include in response to a properly submitted information request:

  • what personal information it has collected about the subject consumer (both in terms of what categories of personal information it has collected, as well as what specific pieces of information);
  • the sources of the personal information it has collected (including whether the information was collected directly or from third-party sources);
  • the method by which the personal information was collected (including whether the information was submitted by the consumer on a registration form, in connection with a purchase or collected via some other method);
  • where the entity stores consumer personal information and when it will be deleted;
  • the business or commercial purpose for collecting and/or using the personal information; and
  • what personal information, if any, was "sold" to third parties (including the categories of those third parties, the method of "sale" and what rights they were granted in/to the personal information). The CCPA has an expansive definition of the "sale" of personal information, which includes the "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means" the personal information of a consumer to a third-party "for monetary or other valuable consideration."

Liability for Failure to Properly Respond to Information Requests Under the CCPA

The CCPA requires that businesses respond to all information requests by providing the above-listed information (as well as additional information not listed above) within forty-five (45) days of receipt of the subject information requests. Failure to respond within that period could expose a business to significant liability. In order to have the information requested readily available within that forty-five (45) day period (which may include certain personal information collection/storage/usage activities that occurred prior to January 1, 2020), it is advisable that businesses immediately commence the creation of an internal "data map" that charts the ways in which consumer personal information has been, and continues to be, collected, used, processed, stored and/or shared/sold.

Given the importance of implementing a comprehensive data mapping framework sufficient to track all of the required information, for the time periods applicable to each information request, it is essential that businesses consult with experienced counsel now to commence the data mapping process.

Similar blog posts:

CCPA Compliance: Service Provider Agreements and the California Consumer Privacy Act (CCPA)

Privacy Policies and the California Consumer Privacy Act (CCPA)

Does the California Consumer Privacy Act Apply to Your Business?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.