Choose Site

Insight

Responding to Requests to Know

Morgan Lewis Practical Advice on Privacy: Guide to the CCPA

November 15, 2019

The California Consumer Privacy Act (CCPA) gives consumers the right to request that a business (1) respond to a consumer with a list of the categories or specific pieces of personal information that the business has collected about that consumer (a request to know); (2) delete any personal information that the business has collected from the consumer (a request to delete); and (3) not sell the consumer’s personal information (a request to opt out). The California attorney general’s proposed regulations implementing the CCPA set forth the requirements for a business to not only receive such requests, but also to respond to such requests. This article in our Guide to the CCPA series explains the requirements and outlines best practices for businesses providing responses to consumer requests to know under the CCPA. 

Timing of the Response

The proposed regulations require that a business[1] confirm receipt of a consumer’s request to know within 10 days of receiving the request.[2] The confirmation must include information about how the business will process the request, including the business’s verification process and the timing as to when the consumer should expect a response from the business (unless the business has already granted or denied the request).[3] 

Both the statute and the proposed regulations require that the business respond to the request within 45 days—beginning on the day the business receives the request, regardless of the time required to verify the request.[4] The business may take an additional 45 days to respond to the  request (for a maximum of 90 days from the day the business receives the request) if the business provides the consumer with a notice that includes the reason the business needs the additional 45 days to respond.[5] 

While this article highlights the requirements in the proposed regulations applicable to responding to requests to know, these response timelines also apply to responding to requests to delete. 

Requirements for Responding to Requests to Know

Scope of Response 

The response must cover the 12-month period preceding the date of the business’s receipt of the request, regardless of the time required to verify the request.[6] 

Excluded Personal Information 

The proposed regulations clarify that a business must not disclose specific pieces of personal information to a consumer if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.[7] The proposed regulations further clarify that a business must never at any time disclose a consumer’s Social Security number, driver’s license  or other government-issued ID numbers, financial account numbers, health insurance or medical ID numbers, account passwords, or security questions and answers.[8]

Security Measures 

A business must use reasonable security measures when transmitting personal information to a consumer in response to a request.[9] If the business maintains a password-protected account with the consumer, the proposed regulations clarify that a response to a request to know that includes personal information may be provided to the consumer through a self-service portal that uses reasonable data security controls and complies with the applicable verification requirements.[10] A secure email transmission system to an email address verified by the consumer should be sufficient as a reasonable security measure, or a password-protected email or link would also likely suffice. The business must only respond to a request to know that is verified to an appropriate level.

Categories of Personal Information 

In responding to a consumer’s verified request to know categories of personal information, categories of sources, and/or categories of third parties, the proposed regulations require that a business provide an individualized and meaningful response to the consumer.[11] The business cannot just refer to the general practices in its privacy policy, unless the privacy policy discloses all the information that would be required to be included in such a response.[12] The proposed regulations clarify that when a business responds to a verified request to know for categories of personal information, the business must provide the following for each identified category: 

  • Categories of sources from which the personal information was collected
  • The business or commercial purpose of the collection
  • Categories of third parties to whom the business sold or disclosed the personal information
  • The business or commercial purpose of the sale or disclosure of personal information[13] 

Addressing Denials: Verified Requests 

The proposed regulations require that when a business denies, in whole or in part, a consumer’s verified request to know specific pieces of personal information because of a conflict with federal or state law or an exception to the CCPA, the business must provide an explanation with that denial.[14] If the request is denied only in part, the business must disclose the other information requested by the consumer.[15] 

Addressing Denials: Unverified Requests 

If a business cannot verify the identity of a person seeking disclosure of specific information about a consumer, the proposed regulations require that the business must not disclose the specific pieces of personal information and must inform the consumer that it cannot verify the person’s identity.[16] 

The proposed regulations clarify that if a request is denied, in whole or in part, the business must also evaluate the request as if the consumer were seeking disclosure of categories of personal information about the consumer. If the business cannot verify the identity of the person seeking disclosure of categories of personal information about the consumer, the proposed regulations require that the business must not disclose the categories of personal information and must inform the consumer that it cannot verify the consumer’s identity.[17] The proposed regulations clarify that if this request is denied, in whole or in part, the business must direct the person to its general business practices set forth in its privacy policy.[18] 

Households 

The proposed regulations clarify that when a business responds to a request to know with respect to a request for aggregate household information, the business may only provide those specific pieces of household information if the business verifies the request comes from all members of the household.[19] 

Recordkeeping 

A business must maintain records of its consumer requests to know and of how it responded to such requests. These records must be maintained for at least 24 months.[20] 

Service Providers 

The proposed regulations require that if a service provider receives a request to know from a consumer regarding personal information that the service provider collects, maintains, or sells on behalf of the business it services, and does not provide that information, it shall explain the basis for the denial.[21] If the information is only available from the business on whose behalf the service provider processes the information, the service provider should advise the consumer and provide the consumer with contact information for that business, if feasible.[22] 

Recommendations and Next Steps 

Businesses should be building or modifying processes to respond to consumer requests to know, particularly given that responses must be individualized in most cases. It may be beneficial to run an internal test to determine whether the business will be able to verify requests and provide individualized responses within the required timeframe, and if not, develop systems and procedures for full compliance. Businesses should also analyze the security controls in place to transmit personal information to consumers in response to requests. Persons responsible for responding to requests to know must be informed of all the requirements in the CCPA and the proposed regulations related to such requests, and be able to respond to consumers’ questions about them. Socializing these requirements and training personnel on how to address these types of requests will help ensure a controlled implementation of these requirements. 

The proposed regulations also have detailed requirements regarding responses to requests to delete and requests to opt out, which will be discussed in upcoming articles in this series. 

The California attorney general issued proposed regulations for the CCPA on October 10, 2019. The proposed regulations are pending public comment through December 6, 2019. As part of the rulemaking process, the California attorney general will then decide whether any modifications should be made to the proposed regulations before they become final. In the meantime, the proposed regulations provide useful guidance as businesses prepare for and comply with the CCPA, which takes effect on January 1, 2020. 

Please visit our CCPA Resource Center for more information and the latest updates. 

How We Can Help 

The Morgan Lewis privacy team is providing practical privacy advice to more than 100 businesses on compliance with the CCPA, the newly proposed regulations, and how to accept requests. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:

San Francisco
Reece Hirsch
Carla Oakley
Michele Park Chiu
Kevin Benedicto
Gene Park

Silicon Valley
Mark Krotoski

Los Angeles
Joseph Duffy

Philadelphia
Gregory Parks
Ezra Church
Kristin Hadgis
Akbar Hossain
Julian Williams

New York
Martin Hirschprung

Washington, DC
Ronald Del Sesto
Dr. Axel Spies

London
Pulina Whitaker

Chicago
Lauren Groebe



[1] In general, the CCPA applies to for-profit organizations or legal entities that do business in California, collect California consumers’ personal information (directly or indirectly), and determine the purposes and means of processing of consumers’ personal information (alone or jointly with others), and that also satisfy one of three annual thresholds: (1) $25 million gross revenue, (2) 50,000-person data volume, or (3) 50% of revenues from sale of personal information. Covered entities include those that control or are controlled by a business with which it shares common branding. See the Morgan Lewis CCPA Checklist for more details on whether the CCPA applies to a given business.

[2] CCPA Proposed Regulations, 11 C.C.R. §§ 999.300, 999.313(a).

[3] Id.

[4] Id. § 999.313(b).

[5] Id.

[6] Id. § 999.313(c)(8).

[7] Id. § 999.313(c)(3).

[8] Id. § 999.313(c)(4).

[9] Id. § 999.313(c)(6).

[10] Id. § 999.313(c)(7).

[11] Id. § 999.313(c)(9).

[12] Id.

[13] Id. § 999.313(c)(10).

[14] Id. § 999.313(c)(5)

[15] Id.

[16] Id. § 999.313(c)(1).

[17] Id. § 999.313(c)(2)

[18] Id.

[19] Id. § 999.318.

[20] Id. § 999.317

[21] Id. § 999.314(d).

[22] Id.