CCPA Data Access Requests: The 5 Key Do's and Dont's
The California Consumer Privacy Act (CCPA) is scheduled for enforcement as from January 1, 2020.
The California Consumer Privacy Act (CCPA) is scheduled for enforcement as from January 1, 2020. Since its enactment on June 28, 2018, CCPA has opened up discussions about the future of consumer data protection in the US.
Essentially, CCPA allows consumers to be in charge of their privacy by obliging businesses to reveal the categories of personal information they have collected about their clients. Additionally, consumers have a right to opt-out, assess, rectify, delete, or port their information.
This obligation applies to both consumers and non-consumers. Consequently, managing subject rights requests under CCPA is challenging, especially if your business happens to receive thousands of monthly requests. This article puts together five crucial Do's and Dont’s of managing Subject Rights Requests
- Adopt a Customer-Focused Authentication Framework
Don’t; you should not compel a consumer to set up an account, surrender unwarranted personal information to validate their identity, or undergo a tedious verification procedure.
Additionally, you should not hold extra information about the consumer that is obtained during the validation procedure. Similarly, do not fail to offer vivid direction and communication during the authentication process
Do: Create a system that allows customers to send requests without needing to create an account with your company. Primarily, put in place practical authentication standards to help you determine whether a consumer is requesting good faith, and is the owner of the information in question.
Furthermore, explore ways through which you will authenticate the different categories of information you collect and introducing a signed affidavit to formalize the entire process. In this way, you can easily deny the request if you are unable to determine a suitable degree of confidence during the authentication procedure.
- Obtain and Share Personal Information in a Compliant Way
Don’t; avoid sharing unencrypted personal information via electronic mail. According to CCPA, when your business is processing Subject Rights Requests, the personal data involved is potentially critical. Consequently, transmitting such data via unencrypted e-mail exposes to several safety risks.
Do; create a safe way of relaying information back to the requestor. In this case, you can establish a temporary account that a consumer can access or coming up with limited-use cryptographic keys.
- Reduce the Volume of Personal Data your Business Collects
Don’t; avoid requesting unnecessary data, especially if you don't already have it in your database. For example, if you do not require a surname in your data collection procedures, do not compel a requestor to provide their full name to address a request.
Do; Request the data that can help you uniquely pinpoint the persons who are subjects of a rights request. This information could comprise multiple categories because a name alone is not sufficient to identify a person. This aspect calls for the use of other identifiers to differentiate two parties that have the same name.
It is also vital to ensure that the data you gather comprises an avenue for correspondence with the requestor such as an email address
- Delete Important Information
Don’t; Refrain from going over the top to delete every backup where personal data is held. Instead, center your efforts on ensuring that you have mechanisms that can flag data from backups or cold storage when it reappears to avoid reusing it.
Do; remain vigilant of where your data is held, and when a deletion request arrives, respect it by making an effort to remove it from all the databases in which it is stored and processed.
Ensure that you have instituted mechanisms to stop re-emergence of information about a person who opts out of your service.
- Automate Crucial Practices
Don’t; Avoid automating information pulls from all your systems at once unless you are confident that the effort is crucial and cost-effective. Although businesses are concerned about requests, automating everything is not always the solution.
Go step by step and establish extra automation as a component of a long-term plan to improve your program
Do; Embrace a risk-focused plan by carrying out data inventories to identify the kind of information that will be subject to a rights request.
Focus on automating data pulls from systems that have security, performance, or cost implications while also examining approaches through which you can deal with parts that cannot be automated.
- Don’t Hurry to Reject Improperly Submitted Requests
Don’t; deny consumers’ data requests if submitted by a method that is not designated for such purpose. If you have an online form and an email address designated for submitting requests, but the consumer has submitted the request over the phone, you must not deny such request.
Do; treat every single request as if it has been submitted by the designated method or guide users how to submit the request properly.
Just don’t deny the request right away because it is a violation of the CCPA.
- After Denying a Request to Delete, Ask Consumers If They Want to Opt-Out
Don’t; In some cases, you may deny consumers’ request for deletion of data. You have responded to the request, but your duties do not end there.
Do; After denying the request to delete, ask the consumers if they want to opt-out from the sale of their personal information, if you sell such data.
Build trust with your customers and avoid incurring costly penalties by using Secure Privacy’s solutions to comply with CCPA. These solutions are easy to use and integrate with any website seamlessly.
Want to try
Get your free cookie banner up and running today!
That also interest you
Data Subject Access Requests: Do's and Don’ts in Handling GDPR DSARs
Data Subject Access Requests (DSARs) are one of the less-talked-about GDPR requirements, but failure to handle them correctly could land your company in trouble.
ePrivacy Regulation vs GDPR: 4 Key Differences
The ePrivacy Regulation was set to come into force alongside the GDPR on May 25, 2018, but delays in the approval phase meant its implementation was delayed.
EDPB Guidelines on Targeting Social Media Users: 4 Quick Compliance Tips
EDPB guidelines on targeting social media users published in September 2020 bring new GDPR compliance obligations that social media service providers and targeters need to adopt.