Your users have the right to know what personal information is being collected about them, and they may contact you with a request to get information about how you handle personal information, ask you to delete it, transfer it to another company, or do something similar. Under the CPRA, you are obliged to respond to them. In this article, we explain how to comply with such consumer requests and the CPRA.
The California Privacy Rights Act (CPRA) is a new law that expands the rights of Californians to know what personal information is being collected about them, request deletion of that information, and opt-out of its sale. The CPRA goes into effect on January 1, 2023.
Your users have the right to know what personal information is being collected about them, and they may contact you with a request to get information about how you handle personal information, ask you to delete it, transfer it to another company, or do something similar. Under the CPRA, you are obliged to respond to them, or the California Privacy Protection Agency will fine you. So, you need to take the CPRA request seriously.
In this article, we explain how to comply with such requests and the CPRA so that you don't get fined by the government and keep your good name.
We’ll delve into the following:
- What are the consumer rights under the CPRA?
- What are consumer requests under the CPRA?
- Who must honor consumer requests under the CPRA?
- How to respond to consumer requests under the CPRA
What Are the Consumer Rights Under the CPRA?
CPRA grants consumers privacy rights. You process their personal information for your business purposes, but that information is theirs, not yours. That’s why they have the right to ask you anything about it and require you to take specific actions.
CPRA grants your users the following rights:
- Right to know. Consumers have the right to know if you process their data, what categories of personal information you process, with whom you share it, and other related information. When you process someone else’s personal information, you must not hide it from them.
- Right to access. Consumers also have the right to access and see a copy of their data being processed by your business.
- Right to erasure. Under certain circumstances, consumers who request their data be deleted shall have it deleted from your servers. You can decline the request under some circumstances, but you’ll have to honor it in most cases.
- Right to correct. If you process users’ inaccurate data, they can ask you to make adequate changes.
- Right to data portability. This right allows consumers to get their personal data transferred to another business. For example, when consumers want to move from one fitness app to another, they can request all their data be transferred to the new app.
- Right to opt-out of the sales and sharing of their personal information. CPRA does not forbid the sale or sharing of personal information unless the user opts out. In such a case, you must honor the request.
- Right to limit the use and disclosure of their personal information. Some consumers are comfortable sharing their sensitive personal information with you but not with your service providers. CPRA allows them to limit the disclosure of their sensitive data.
- Right of no retaliation following opt-out or exercise of other rights. You must not discriminate against users who exercise their privacy rights. The CPRA strictly forbids businesses from giving different levels of service and products to people who use their rights. However, some businesses do this anyway.
What Are the Consumer Requests Under the CPRA?
CPRA consumer requests are the tool that the law grants consumers to exercise their CPRA rights, either by themselves or by an authorized agent. They can submit a request to you at any time. You’ll be obliged to respond, at least.
You likely won’t respond positively to all requests, but you must not remain silent. The procedure is not complicated.
You have 45 days to respond to the request. For complex requests, the deadline is 90 days. You must let the user know that you received it within the first ten days of the deadline.
You must have a designated method for submitting a consumer request, which must be included in your privacy notice on collection. However, sometimes users go their own way and submit requests in non-designated ways. When that happens, you must either guide the consumer on how to submit it properly or act as if it has been submitted correctly.
Who Must Honor Consumer Requests Under the CPRA?
Companies that must comply with CPRA must honor CPRA requests. CPRA applies to for-profit businesses that operate in California and meet certain thresholds.
Regarding the place of operations, CPRA applies to businesses that:
- are from California, or
- offer products and services to California residents.
However, it does not apply to all the companies that operate from or in California in any way. The company shall also meet at least one of the following thresholds:
- have a gross annual revenue of at least $25 million,
- at least half of the company's annual gross revenue is generated by selling or sharing personal information about California residents, or,
- buys, sells, or shares with third parties the personal information of at least 100,000 California residents or households.
If you meet at least one of these thresholds, then CPRA applies to you. That means a duty to honor CPRA consumer requests.
How to Respond to Consumer Requests Under the CPRA
You were served with a CPRA consumer request. Now what?
What you have to do depends on the nature of the request. However, all of them go through the following five steps:
- Assure the customer that you received the request. You have ten days to acknowledge that you are aware of the request.
Sometimes users will submit requests in non-designated ways. When that happens, you must not remain silent or decline the request. You have two options:
- Examine the request. Determine what the consumer wants—is it a request to know, do they want to access their personal information, do they want it erased, or something else? You have to ensure that you understand what the consumer wants, and they are not always clear and concise about that.
- Verify the identity of the consumer. You don’t want to provide access to data to someone who shouldn’t get it. That would be a data breach. That’s why the law allows you to verify the requester’s identity, and if you cannot confirm that they are the right person to get the right of access, correction, or another right, you can decline the request.
You are free to choose the verification methods that suit your business circumstances. If users have user accounts, then you can verify their identity through the account.
For non-accountholders, you should strive to confirm identity through at least two pieces of information provided by the requester and match it with the personal data you have about them.
- Search your records. Now that you know what the consumer wants and you have confirmed their identity, you can proceed with searching through your records to identify the data related to the request.
- Fulfill the request. Finally, you have to do what you have been requested to do: provide the user with access to their own data, correct the data, transfer it to another business, delete it, or do something else.
Although the data coming into effect under the CPRA on January 1, 2023, has a lookback period of one year, This means that requests would pertain to the period starting on January 1, 2022.
Complying with CPRA requests is not hard at all if you know your data flows and are equipped with the right tools to identify data quickly and deliver on the request.
Given the potentially far-reaching implications of the CPRA, organizations doing business in California will need to review their current data governance practices and make sure they are compliant with the new law. For more information on how to do this, please see our previous blog post, What is CPRA and how does it differ from CCPA?
Automating CCPA Risk Assessments and Cybersecurity Audits: Complying with Draft Regulations
The issued draft regulations on CCPA risk assessments and cybersecurity audits by the California Privacy Protection Agency (CPPA) give you an idea of how to comply with imminent obligations
- Data Protection
India Digital Personal Data Protection Act 2023 - All You Need to Know
Discover the India Digital Personal Data Protection Act (DPDPA) 2023 – India's first comprehensive data protection law. Learn how it affects businesses, data principals, and more. Stay informed about the latest data privacy regulations.
- Data Protection
International Privacy Authorities Issue Joint Statement on Data Scraping
Learn about the joint statement issued by global privacy authorities on August 24, 2023, addressing the risks of data scraping to privacy. Discover its implications for businesses and mitigation strategies
- Data Protection