What do the proposed draft CCPA regulations mean for your….Responses to Consumer Requests under CCPA?
- Provide initial response within 10 business days
- May provide response in same manner as the request
- Don’t need to respond to access request if you:
- don’t maintain the personal information in a searchable or reasonably accessible format
- maintain the personal information solely for legal or compliance purposes
- do not sell the personal information and do not use it for any commercial purpose
AND - describe to the consumer the categories of records that may contain personal information that were not searched because it meets the conditions stated above.
- Don’t need to list source/purpose by category; but still need to do that for categories of third parties with whom you share/sell information.
- If you sell personal information and you get a request to delete and the consumer has not already made a request to opt out then ask the consumer if they would like to opt out of the sale of their personal information and include either the contents of, or a link to, the notice of right to opt-out.
- When responding to a delete request, don’t need to specify the method of deletion