How to respond to a Consumer Access Request under the CCPA?

by | Mar 31, 2020 | Consumer Rights Request, Data Requests

Under the California Consumer Privacy Act, consumers have the “right to access” their personal information. What does this mean and what do businesses need to do to ensure they comply with this new law? LDM Global can help to make the process as efficient as possible.
Read on to learn the basics about Consumer Access Requests.

What is a Consumer Access Request?

A Consumer Access Request is a written request from an individual to a data controller (company holding personally identifiable information) asking for the information held about that individual. There is no prescribed form and the request should have a reasonable explanation as to why the request is being made.

How long do I have to respond to a request?

The data controller has 45 days to respond to a request and provide the data requested.

What should I do next?

When you receive a request, there are a few steps to take immediately. Forward the request to your organization’s Data Protection Officer. He or she should have a protocol in place for how to respond.
Additionally, you need to verify that the person making the request is indeed the person named in the request. You wouldn’t want to mistakenly hand over personal information to the wrong person. Some requests may come through third parties, such as lawyers or unions. In those cases, companies will need to be satisfied that the request has been duly authorized by the individual.
You should also check that you have all the information needed to locate the data and respond to a request.

How do I respond to the request?

Once you have verified the source of the request, set a goal for when you would like to respond so that you meet the 45-day deadline. Then set up your plan for finding and reviewing the relevant information.

Once you have identified all of the documents containing information about the individual, you need to review them to ensure:

  1. The documents do not contain privileged information
  2. The documents do not contain information about third parties

If the documents do contain information that should not be disclosed, that information will need to be redacted before the documents can be given to the individual or body who made the consumer access request.

Can I amend the data?

No, the data should be provided as it was at the date of the request.

How can I make the process easier?

Service providers such as LDM Global can streamline the process and increase efficiency. LDM Global can assist in locating and collecting your documents, before uploading them into a secure, easy-to-use platform. We use standard workflows built on common request types to help organize the data for you. LDM Global can then review the documents easily, redacting out privileged or personally identifiable information of third parties before responding. Alternatively, your company lawyers can perform the document review if you prefer.

For more information, please contact us.