What do the proposed draft CCPA regulations mean for your….Responses to Consumer Requests under CCPA?
  • Provide initial response within 10 business days
  • May provide response in same manner as the request
  • Don’t need to respond to access request if you:
    • don’t maintain the personal information in a searchable or reasonably accessible format
    • maintain the personal information solely for legal or compliance purposes
    • do not sell the personal information and do not use it for any commercial purpose
      AND
    • describe to the consumer the categories of records that may contain personal information that were not searched because it meets the conditions stated above.
  • Don’t need to list source/purpose by category; but still need to do that for categories of third parties with whom you share/sell information.
  • If you sell personal information and you get a request to delete and the consumer has not already made a request to opt out then ask the consumer if they would like to opt out of the sale of their personal information and include either the contents of, or a link to, the notice of right to opt-out.
  • When responding to a delete request, don’t need to specify the method of deletion

For details, read my in-depth analysis.