The California Consumer Privacy Act (CCPA) gives California consumers some rights to control their personal information. Among these is the “right to know” (or the “right to access [data]”), which grants people the ability to request details about the data that a business collected from them, used, or sold. Businesses must respond to and process these data subject access requests (DSARs) in compliance with the CCPA.
For more help with CCPA compliance, contact the privacy experts at Ketch to learn more about consent management software and how it can help your business.
A consumer can exercise their right to know by submitting a DSAR. These requests empower people to access the personal information collected from them, the purpose for which it was collected, and details about third parties to whom a business is sharing or selling consumers’ personal information.
Any person protected under the scope of the CCPA—or any other data privacy law with similar statutes, such as Europe’s General Data Protection Regulation (GDPR)—can submit a DSAR, and businesses catering to these consumers must comply with the regulations to fulfill these requests.
The CCPA defines “personal information” broadly, as “information that identifies, relates to, or could reasonably be linked with” a California consumer or household. Under the right to know, a consumer can request access to:
The CCPA requires every for-profit business that does business in California and either has a gross annual revenue of over $25 million; buys, sells, or receives the personal information of more than 50,000 California residents, households, or devices; or derives at least half of its annual revenue from the sale of California consumers’ personal information to respond to and process DSARs.
Does the CCPA apply to government agencies? The answer is no, and the same is true for non-profit organizations.
That said, if government entities or non-profits are third parties with whom a business shares information, the business must disclose that and list them in its category of third parties.
The CCPA specifies how a business must respond to, process, and keep a record of DSARs in a way that fully enables consumers to exercise their afforded rights. Here are some steps that a business must take to comply:
A business is required to designate at least two methods for a consumer to submit a DSAR—one being a toll-free number, the other being an email contact address (except if the business operates exclusively online, in which case an email address should suffice). These channels should be fit for the nature of the business, and they should be separate from other customer support channels.
A business must set a method for processing DSARs and explain it in detail in their CCPA privacy policy.
A business must deliver the requested information within 45 days of receiving a verifiable consumer request (i.e., a request that has been verified as made by the requester about their own personal information).
This deadline can be extended by another 45 days when “reasonably necessary”, depending on the complexity and volume of the DSAR. In this case, the business must inform the consumer about the extension.
A business must provide the requested information through the medium chosen by the consumer, which may differ from the channel used to submit the DSAR.
Business owners must train employees about the proper management of DSARs to ensure that the handling and processing of consumers’ personal information are managed in a way that is compliant with the CCPA.
To ensure that your business remains compliant with the CCPA, thereby reducing the risk of penalties or of losing business in California, you must stay informed about the CCPA and other relevant data privacy laws. Furthermore, you should regularly review and update your data practices to comply with the regulations set by these laws.