Receiving Requests

Morgan Lewis Practical Advice on Privacy: Guide to the CCPA

November 06, 2019

The California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA) on October 10, providing detailed guidance on CCPA compliance for affected businesses. This article, the first in our Practical Advice on Privacy: Guide to the CCPA series, focuses on best practices for receiving consumer requests made under the CCPA.

Background on Requests

The CCPA gives consumers the right to request that a business

  • respond to a requesting consumer with a list of the categories and specific pieces of personal information the business has collected about that consumer (a request to know);
  • delete any personal information that the business has collected from the consumer (a request to delete); and
  • not sell the consumer’s personal information (a request to opt out of sale).

The CCPA and the proposed regulations require different actions for each type of request.

Receiving Requests to Know and Requests to Delete

For both requests to know and requests to delete, the proposed regulations require businesses to provide consumers with two or more methods to submit such requests. At a minimum, a business must provide a toll-free telephone number. If the business operates a website, it must also provide an “interactive webform accessible through the business’s website or mobile application.”[1] Additional acceptable methods of submission include a designated email address, a form submitted in person, or a form submitted through the mail.

The proposed regulations require that a business “consider the methods by which it interacts with consumer[s]” when selecting submission methods.[2] Some businesses may need to offer three or more methods: For example, a retailer that largely interacts with consumers at brick-and-mortar stores but that also has a website should offer a hardcopy form to be submitted in person at the store, in addition to a toll-free telephone number and a web form.[3]

The proposed regulations further require that requests to delete be made through a “two-step process” wherein a consumer first “clearly” submits a request to delete, and separately confirms the request for deletion of the consumer’s personal information.[4]

The proposed regulations require businesses to provide in their privacy policies instructions for submission of a verifiable request to know or request to delete, and to describe the process the business will use for verification.[5]

Finally, if a business receives a request through a method that has not been designated by the business, or that is otherwise deficient, the proposed regulations require the business to either (1) treat the request as if it had been properly submitted, or (2) give the consumer specific directions for how to properly resubmit the request.[6]

Receiving Requests to Opt Out of Sale

A business that sells consumer information must provide two or more methods for consumers to opt out of the sale of their personal information, including, at a minimum, “an interactive webform accessible via a clear and conspicuous link titled ‘Do Not Sell My Personal Information,’ or ‘Do Not Sell My Info,’ on the business’s website or mobile application.”[7] Additional acceptable methods include a toll-free phone number, a designated email address, a form submitted in person or through the mail, or “user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.”[8] Businesses that do not sell personal information must affirmatively state that they do not and will not sell personal information in their privacy policies.[9]

As with requests to know and requests to delete, the proposed regulations require that at least one request method be consistent with the manner in which the business primarily interacts with consumers. With regard to requests to opt out, the proposed regulations require that businesses consider “the manner in which the business sells personal information to third parties, available technology, and ease of use by the average consumer.”[10] The proposed regulations further require that businesses that collect personal information from consumers online “treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request.”[11]

The proposed regulations require businesses to explain the opt-out right in their privacy policies and include the contents of the opt-out right notice in the policy.[12]

Recommendations and Next Steps

At a minimum, businesses should allow consumers to submit requests to know, requests to delete, and/or requests to opt out through a toll-free phone number and web form. Businesses with brick-and-mortar stores should also offer an in-person request option. For requests to opt out, businesses must include a “Do Not Sell My Information” link on the homepage of their websites and/or mobile applications.

Businesses also must be aware that they may not simply ignore requests to know, requests to delete, or requests to opt out that are submitted by means not specifically designated by the business (e.g., requests submitted by mail or in person to a nondesignated address). Instead, the business must treat the request as properly submitted or instruct the consumer on how to properly resubmit the request. With regard to requests to opt out, businesses should be prepared to treat user-enabled privacy controls, such as a browser plugin or privacy settings, that indicate that consumers have chosen to opt out of the sale of their personal information as valid requests to opt out.

The proposed regulations also have detailed requirements regarding verification of these requests and how to respond to requests, as well as notification to consumers of their rights, which will be discussed in upcoming articles in this series.

The California attorney general issued proposed regulations for the CCPA on October 10, 2019. The proposed regulations are pending public comment through December 6, 2019. As part of the rulemaking process, the California attorney general will then decide whether any modifications should be made to the proposed regulations before they become final. In the meantime, the proposed regulations provide useful guidance as businesses prepare for and comply with the CCPA, which takes effect on January 1, 2020. 

How We Can Help

The Morgan Lewis privacy team is providing practical privacy advice to more than 100 businesses on compliance with the CCPA, the newly proposed regulations, and how to accept requests. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:

San Francisco
Reece Hirsch
Carla Oakley
Michelle Park Chiu
Kevin Benedicto
Gene Park

Silicon Valley
Mark Krotoski

Los Angeles
Joseph Duffy

Philadelphia
Gregory Parks
Ezra Church
Kristin Hadgis
Akbar Hossain
Julian Williams

New York
Martin Hirschprung

Washington, DC
Ronald Del Sesto
Dr. Axel Spies

London
Pulina Whitaker

Chicago
Lauren Groebe



[1] CCPA Proposed Regulations, 11 C.C.R. §§ 999.300, 999.312.

[2] Id. § 999.312(c).

[3] Id. § 999.312(c)(2).

[4] Id. § 999.312(d).

[5] Id. §§ 999.308(b)(1) and (2).

[6] Id. § 999.312(f).

[7] Id. § 999.315(a).

[8] Id.

[9] Id. § 999.306(d).

[10] Id. § 999.315(b).

[11] Id. § 999.315(c).

[12] Id. § 999.308(b)(3).