The California Consumer Privacy Act (CCPA) places primary compliance responsibility on businesses that collect personal data from California residents. Any company that meets the law's thresholds for revenue and volume of California consumer data must comply with CCPA regulations governing how that information is collected, used, disclosed, and processed.
The CCPA grants California residents certain rights around access and control of their data held by businesses covered by the CCPA. One of these rights is the ability to make verifiable consumer requests to access or delete that information. CCPA compliance means businesses must confirm receipt and fulfill requests within strict legal timelines.
But how long does a CCPA-regulated business have to respond to California consumer requests under this law? What are the specific timelines and requirements? Let’s break it down.
CCPA Compliance, Simplified
The California Consumer Privacy Act (CCPA) allows consumers to submit “data access requests.” That is, an individual can ask a business subject to the CCPA to provide a copy of any personal information the business has collected, used, disclosed, and sold about the consumer — and the company must respond to the request.
The CCPA went into effect at the start of 2020. It establishes California residents’ rights over their personal information and regulates how California businesses can collect and use personal data for commercial purposes.
One consumer right is the right to file a data access request. The consumer can “request to know” which of their information the business has collected, shared, or sold and can then “request to delete” specific personal data.
A business must confirm receipt of a data access request within ten days. It then has 45 days to verify the consumer’s identity and complete the request, and it can extend that period by another 45 days if it needs additional time to comply (although the business must alert the consumer and explain why it needs more time).
A business may not take more than 90 days to provide the requested information or delete the consumer’s data.
The CCPA also requires businesses to provide a “Do Not Sell My Personal Information” button on their websites and stipulates that certain minors may need to opt in before a business collects, stores, or sells their information.
11 Categories of Personal Information
The CCPA aims to prevent the sale or sharing of California residents’ personal information without their permission. The law defines personal information broadly, well beyond the conventional types of consumer personal information such as name, phone number, and Social Security number.
The CCPA’s 11 categories of personal information include:
- web browsing and search history;
- geolocation data;
- biometrics;
- IP addresses;
- account numbers;
- driver’s license number;
- and other types of information that could reasonably be linked with a particular consumer or household.
The CCPA also gives the California attorney general the power to add new categories of personal information to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
Special Rules for Third Parties
The CCPA imposes special obligations on “third parties” to handle consumer requests. Third parties are organizations to which a business collecting California consumers’ personal information sells that information.
The CCPA restricts how third parties might resell consumer information obtained from your business. They must notify consumers if they intend to sell their consumer data and provide those consumers with the ability to opt out of the sale of such information.
What Information May a Consumer Request?
The California Consumer Privacy Act (CCPA) grants California residents specific data privacy and consumer privacy rights regarding their personal information held by businesses. Residents can make verifiable consumer requests asking firms to provide details or delete data. Some key provisions:
- Access requests to view all categories of personal information collected, sources, usage, accuracy, and third-party sharing. Consumers may need to provide additional information or go through identity verification processes.
- Deletion requests to erase any stored personal information, with some exemptions under California law. For example, data needed for legal obligations or health insurance functions may be retained.
Consumers can also submit requests to correct any inaccurate personal information.
The CCPA has data protection provisions similar to those of Europe’s General Data Protection Regulation (GDPR). However, CCPA requests can be made at any time and allow for more disclosure than privacy laws in most other US states. Strict response timelines also apply under CCPA.
When Do I Have to Respond to CCPA Verifiable Consumer Requests?
Once a CCPA-regulated business receives a verifiable CCPA request from a California resident, the response clock starts:
- Confirm receipt within ten business days: Within ten business days of receiving the request, the business must confirm receipt by email or letter (unless the request has already been fulfilled). Additional authentication may be required from the consumer at this stage.
- Respond fully within 45 calendar days: The business has 45 days to comply with access or deletion requests. This 45-day period counts from the day the initial consumer request was received.
Strict timelines like these make an efficient intake and response process critical for CCPA compliance. Failing to meet them risks data breaches and the severe financial penalties imposed by the California Attorney General.
Understanding Verified Information Access or Deletion Requests
Under the CCPA, California residents have the right to make verifiable consumer requests to businesses regarding their data, including:
Access Requests
When your business receives a verified information access request from a consumer, you must provide the following information, according to CCPA 1798.110(c):
- The categories and specific pieces of personal information the business has collected about the consumer;
- The categories of personal information the business has sold about the consumer;
- The categories of third parties to whom the consumer’s personal information was sold (identified by category of personal information for each third party); and
- The categories of personal information the business disclosed about the consumer for business purposes.
Deletion Requests
In responding to deletion requests, a business must inform the consumer whether or not it has complied.
If the business complies, it must tell the consumer that it has done so and that it will keep a record of the request so that the information stays deleted.
If the business denies the deletion request, however, it must:
- Inform the consumer that it will not comply, and describe the basis for the denial — for example, some conflict with federal or state law or exception to the CCPA;
- Delete whatever information isn’t subject to the exception;
- Not use the information it keeps for any reason beyond those permitted by that exception.
If a business that refuses a deletion request then sells the consumer’s personal information—and the consumer has not already requested to opt out—the business must ask the consumer whether they would like to opt out of the sale. The company must also include the contents of, or a link to, the notice of the right to opt out in its response to the request.
Suppose the business has shared the consumer’s data with service providers and complies with the consumer’s deletion request. In that case, the company must notify the service provider of the consumer’s request and instruct the provider to delete the requestor’s information.
Businesses that receive a verifiable request from a consumer to delete personal information must also direct any service providers to delete the data from their records. The exceptions that allow a business to deny a consumer’s deletion request also apply to service providers.
Maintain Your CCPA Compliance with Help from ZenGRC
Compliance with the CCPA is a challenging task. It’s a complex regulation that changes often, with new amendments proposed every year. However, not complying with the law could result in fines, penalties, or civil litigation.
ZenGRC makes CCPA compliance a breeze. Our user-friendly solution has color-coded dashboards that show where your business is or isn’t compliant and tell you how to close gaps.
Zen tracks where your consumer information is going and helps you verify and fulfill consumer requests. To demonstrate your compliance, Zen stores all your documentation in a “single source of truth” repository for easy access when needed.
Worry-free CCPA compliance is the Zen way. Contact us today for your free consultation.