How to Handle Consumer Requests Under CCPA
If you’re a frequent social media user, you’ve probably come across those Buzzfeed listicles or Twitter threads that detail unusual customer requests from food service workers. These bemused employees take to the internet to share quirky dietary preferences, unexpected oversharing of personal information, and experiences that, quite frankly, test the limits of what you expect to experience at work.
Fortunately, most restaurants have policies established to help their employees handle difficult requests. Whether it’s boilerplate language for politely declining a request or a procedure for escalating difficult conversations, these processes ensure employees are empowered to do their jobs and that the workplace doesn’t run afoul of the law.
Customer interactions regarding off-menu ordering and inappropriate behavior are one thing—but what about consumer requests regarding personal information?
No matter what industry you work in, handling consumer requests about personal information is a more complex process than figuring out how to respond when your customer asks for a peanut butter and pickle milkshake.
What’s more, the impact of not handling requests correctly can have massive consequences for your business under privacy regulations like the California Consumer Privacy Act (CCPA). But while compliance with consumer requests may sound like a complex and difficult situation to navigate, it’s not impossible. In fact, with some well-mapped-out procedures and good communication practices, handling data privacy compliance is entirely manageable for businesses of all sizes and industries.
As a business or organization, your first step toward compliance is understanding some of the key components in the data request and response process. Let’s dig a little deeper into what goes into handling consumer requests under the CCPA.
What is the CCPA?
The California Consumer Privacy Act (CCPA) is the most comprehensive data privacy bill of its kind to pass in the United States—and the most comprehensive thus far. While the CCPA puts forth a broad range of requirements for businesses, it also provides consumers with detailed rights with regard to their personal data.
CCPA secures six specific privacy rights for consumers including:
- The right to know (request disclosure of) personal information collected by the business about the consumer, from whom it was collected, why it was collected, and, if sold, to whom
- The right to delete personal information collected from the consumer
- The right to opt-out of the sale of personal information (if applicable)
- The right to opt-in to the sale of personal information of consumers under the age of 16 (if applicable)
- The right to non-discriminatory treatment for exercising any rights
- The right to initiate a private cause of action for data breaches
The CPRA creates two additional rights:
- The right to correct inaccurate personal information
- The right to limit use and disclosure of sensitive personal information.
Under the CCPA and the “right to know” provision, consumers can file a personal information access request up to twice a year, and a business must respond without any charge to the consumer.
What does CPRA mean for CCPA?
In 2022, California passed the California Privacy Rights Act (CPRA), which amended key parts of CCPA. The regulatory changes, which will become enforceable on January 1, 2023, include changes to individual rights, such as:
- New categories of sensitive information, such as
- Social security or ID number
- Geolocation data, racial or ethnic origin, religious beliefs, union membership
- Genetic data
- Account access information
- Content of mail and messages
- Right to direct a business to limit use of consumer sensitive information
- Expanded obligation to notify consumers “at or before point of collection” of:
- Sensitive information collected
- Purposes of collection and use
- Whether information is sold or shared
What data can a consumer request?
A consumer can request to know what categories of personal information an organization is storing. They can also ask which specific pieces of data are being stored.
A critical component of understanding what a consumer can request is being aware of the categories of personal information that the CCPA covers. These include:
- Customer records information
- Characteristics of protected classifications under California or federal law
- Commercial information
- Biometric information
- Geolocation information
- Internet activity information
- Audio, electronic, visual, thermal, olfactory, or similar information
A lot of the data from these categories are pretty intuitive, such as name or social security number, but there are some more technical or vague items in this category to be aware of, such as an Internet Protocol (IP) address or internet browsing activities.
In other words, your organization is going to have to know exactly what is collected from consumers, and where and how it is stored, transferred, shared, accessed, retained, or deleted.
What data is exempt from consumer requests?
You might be wondering right now, “what isn’t considered personal information?”
The CCPA’s definition of personal information does not include publicly available information. This means that anything contained in publicly available federal, state, or local government records would fall outside the scope of personal information protected under the CCPA.
Furthermore, there are also a few types of information that are exempt from CCPA regulation including certain financial information regulated by the Gramm-Leach-Bliley Act and medical information regulated by the Health Information Portability and Accountability Act (HIPAA).
How are consumer requests made?
The CCPA requires organizations to offer at least two ways for consumers to submit requests and one of those must be with a toll free number (except for online only businesses that have direct relationships and except for deletion requests where the toll free number is not required). Consumers must use one of the methods provided, so you should keep in mind the feasibility, scalability, and accessibility of these methods.
Some examples of common request methods include:
- An online form publicly available on a website (this is required if you have a website)
- An online form accessible only through a consumer’s existing, password-protected account
- Providing a dedicated privacy email
- A toll-free phone number for consumers to call A designated email address for contacting the organization’s CCPA compliance officer or some other appropriate staff member
- A hard-copy form that consumers can print, fill out, and mail or deliver in person to a specified address
- A fax number for sending a hard-copy form. (Just kidding—unless your organization is really into the ‘90s.)
While the CCPA has requirements surrounding requests for information, it does not mandate which of these methods should be used to facilitate requests to delete. That said, requests to delete should be made possible through at least one method offered for information requests, and must reflect a primary method of communication between the consumer and the organization.
Finally, keep in mind that organizations can provide a request method through the consumer’s existing account, but cannot demand that a consumer opens an account just to file a request.
How do you verify the consumers’ identity?
Verifying a consumer’s identity is a highly important part of the consumer request process. Imagine if someone could request personal data and there was no safeguard against an impersonator trying to steal your consumer’s private data. You can see how that would just lead to data loss and breaches, litigation, and, in general, regulatory nightmares.
There are numerous processes for verifying your customer’s identity when processing consumer requests:
- Email verification
- One-time passcodes
- Phone verification
- Face or ID verification
- Identity questionnaires
Which options you choose will depend in part on types of consumer accounts you have.
Considerations for verifying consumer identity
There are really just two situations to consider when looking for verification methods: when the consumer has and uses a password-protected account for the request, and when they do not.
Note: no matter how you choose to verify consumer identity, don’t ask for more information than you already have. If you only collect email addresses, don’t ask for social security numbers to assist with verification.
Requests submitted through password-protected accounts
In general, these requests are simpler. The consumer’s identity can be verified through existing authentication methods, as long as they are already compliant with the CCPA.
Requests through accounts not protected by password
Now consider that an organization may not maintain password-protected accounts for all their consumers, but may collect consumer information. This means consumer requests need to be verified some other way, to a “reasonable degree of certainty.” The standard for this is to match two pieces of information provided by the consumer to the same two pieces of information that the organization maintains.
Requests to delete information
Verifying requests to delete data are slightly different than requests to know. In this case, the consumer’s identity must be verified at the time of the request, and then again before any data is deleted. However, when it comes to how many pieces of information an organization uses for verification, it is the organization’s discretion whether they use two or three pieces of information.
Once a consumer’s identity is verified, an organization can satisfy the request in three different ways to meet CCPA compliance requirements:
- Permanently and completely erasing data from existing systems (to include back-up and archives)
- De-identifying personal information
- Aggregating personal information
When responding to a request for delete, an organization must specify how it has deleted the personal information and keep a record of the request.
Requests to access or delete household information
Personal information under the CCPA also includes information that could be linked with a household. This means that requests to know, delete, or opt out may involve personal information that includes other consumers living in the same household.
The CCPA regulations attempt to address the issue of household information by balancing individual and group privacy rights. This means allowing responses related to aggregate household information. However, if individualized information is requested, an organization must be able to verify the identity of all the members of the household individually.
A consumer has made a request. Now what?
Now that the methods for requests have been covered, what about the response to a request? First of all, you must confirm receipt within ten days of receiving a request. A great way to take care of this quick turnaround is to automate confirmations—but remember to include in the confirmation the verification process and when the consumer can expect a response.
An organization must respond to the consumer’s request within 45 calendar days, but the CCPA does include an option for a 45-day extension for especially complex requests. The total time to respond, even in the case of an extension, can take no more than 90 days total.
The CCPA addresses several key security concerns related to not disclosing specific pieces or even categories of personal information These include a responsibility to refrain from completing a request except in cases when any of the following apply:
- The consumer’s identity cannot be verified
- Disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, a consumer’s account, or the organization’s systems
Organizations must never disclose a consumer’s Social Security number, driver’s license number, other government-issued ID, financial account number, health insurance or medical ID number, account password, or security questions and answers.
In any event, you must make sure reasonable security measures are being applied when transmitting personal information to the consumer or disclosing personal information through a consumer portal.
Red Clover can help you navigate consumer requests
The experts at Red Clover Advisors can help you navigate some of the murky waters of consumer requests. Like an iceberg, there is plenty below the surface that we explored here. But remember, icebergs can be deep, and it's important to have experts helping you to identify the best ways to achieve compliance with CCPA in a scalable and effective way.
Schedule a call and let Red Clover be your guide.