July 24, 2024
CCPA Checklist: Request Processing

Beyond making the necessary disclosures via the privacy policy, businesses must respond to consumers’ privacy requests as they come in. Not only must they be handled in a timely manner, but each type of privacy request has its own set of rules and exceptions. Preparing for these ahead of time will help you create quick, uniform responses that comply with all CCPA requirements.

Requests to Know

  • Establish verification procedures
    Consumer requests to know must be verified before the business can respond, but the verification requirements vary depending on the specific type of request.
    • Level of Verification
      These requests should be verified to a “reasonable degree of certainty.” Regulations suggest matching two consumer data points provided by the requestor to data maintained by the business.
    • Minors under the age of 13
      If it has knowledge that a consumer is under 13 years old, the business must verify that the requestor is the consumer’s parent or guardian.
    • Authorized Agents
      Consumers may submit a request through an authorized agent, though businesses may require proof of such authorization, such as signed permission from the consumer.
  • Two or more methods
    Businesses must offer two or more methods for submitting a request to know, including a toll-free number. At least one of these methods should relate to the business’s normal way of interacting with consumers.
    • Exclusively online businesses
      Businesses that operate exclusively online and have a direct relationship with the consumer only need to provide an email address for submitting requests.
  • Identify which categories of personal information are associated with each consumer group
    Refer to your business’s data map to determine what information must be provided and where it is maintained.
  • Identify sensitive personal information that cannot be provided
    For security reasons, some specific pieces of information should not be disclosed. In these cases, only disclose that your business has collected that specific type of information.
  • Draft form letter
    A form letter will help ensure that each response has the required information, as well as reduce the time needed to create each response.
  • Response deadline: 45 days
    • Confirm receipt of request: 10 days
      This confirmation may be made in the same manner the request was received. If the request was made by phone, confirmation can be made orally at that time.
    • Extension: 45 days
      The response deadline can be extended by an additional 45 days if necessary and if the consumer is notified before the original 45 days have expired.
  • Practice responses
    Responding to a few hypothetical consumer requests will help make sure there are no gaps in the process and staff knows where to find all the necessary information.

Requests to Delete

  • Establish verification procedures
    Consumer requests to delete must be verified before the business can respond, but the verification requirements vary depending on the specific type of request.
    • Common personal information
      If unauthorized deletion of the personal information would pose little harm to the consumer (deleting browsing history, for example), the request should be verified to a “reasonable degree of certainty.” Regulations suggest matching two consumer data points, such as an email address and name.
    • Sensitive or unique personal information
      If unauthorized deletion of the personal information would potentially cause more harm to the consumer (deleting family photos, for example), the request should be verified to a “reasonably high degree of certainty.” Regulations suggest matching three consumer data points and requiring a signed declaration under penalty of perjury.
    • Minors under the age of 13
    • Authorized agents
  • Two or more methods
    Businesses must offer two or more methods for submitting a request to delete. At least one of these methods should relate to the business’s normal way of interacting with consumers.
  • Identify which categories of personal information are associated with each consumer group
    Refer to your business’s data map to determine what information must be deleted and where it is maintained.
  • Identify personal information that is exempted from deletion requests
    To prevent unnecessary deletions, determine in advance which personal information falls under an exemption.
  • Deidentifying or aggregating options
    Personal information that is deidentified or in the aggregate need not be deleted. Explore whether any information can be retained in this way.
  • Draft form letter
    • Inform the consumer of any personal information that was not deleted and why
      If any personal information is not deleted because of an exemption, this must be explained to the consumer.
  • Send deletion request to service providers
    Service providers must also respond to deletion requests. Establish a process for sending notifications to all appropriate service providers.
  • Response deadline: 45 days
    • Confirm receipt of request: 10 days
    • Extension: 45 days
  • Practice responses

Requests to Opt Out

  • Requests from authorized agents
    Requests to opt out need not be verified. Consumers can send requests through an authorized agent, however, so businesses should still have a procedure for verifying this authorization.
  • Two or more methods
    Businesses must offer two or more methods for submitting a request to opt out. At least one of these methods should relate to the way the business normally interacts with consumers.
    • Interactive form
      If your business operates a website, at least one of the methods should be an online, interactive form accessible via the “Do Not Sell or Share” link.
    • Easy to execute, minimal steps
      The process cannot be designed in a way meant to prevent or deter consumers from submitting opt-out requests. It may have no more steps than the process for opting back in to the sale or sharing of personal information.
  • Identify any sale or sharing of personal information associated with each consumer group
    Refer to your business’s data map to determine what information is being sold or shared.
  • Establish procedures for stopping the sale or sharing of personal information
    Some companies such as Facebook and Google have options for the reduced processing of consumers’ personal information so it is no longer considered a sale. These options can be applied to particular consumers.
  • Draft form letter
  • Send notification to third parties
    Businesses must notify all third parties to whom they sell or share consumers’ personal information.
  • Response deadline: 15 days
    There is no extension for responding to an opt-out request.
  • Practice responses

Requests to Correct

  • Establish verification procedures
    Consumer requests to correct should be verified before the business responds, though verification is not required.
  • Two or more methods
    Businesses must offer two or more methods for submitting a request to correct. At least one of these methods should relate to the business’s normal way of interacting with consumers.
  • Draft form letter
    • Inform the consumer of any personal information that was not altered and why
      If, considering the totality of the circumstances, the personal information at issue is not inaccurate, the business can deny the request. If it does so, the business must explain its decision to the consumer.
  • Send correction request to service providers
    Service providers must also respond to correction requests. Establish a process for sending notifications to all appropriate service providers.
  • Response deadline: 45 days
    • Confirm receipt of request: 10 days
    • Extension: 45 days
  • Practice responses

Requests to Limit

  • No Verification Required
    Verification cannot be required for a request to limit, though a business may deny a request if it has a good-faith, reasonable, and documented belief that the request is fraudulent. If it denies the request on this basis, the business must provide an explanation to the consumer.
  • Two or more methods
    Businesses must offer two or more methods for submitting a request to limit. At least one of these methods should relate to the business’s normal way of interacting with consumers.
  • Draft form letter
  • Send request to service providers
    Service providers must also respond to these requests. Establish a process for sending notifications to all appropriate service providers.
  • Response deadline: 15 days
    There is no extension for responding to a request to limit.
  • Practice responses

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
