How businesses should respond to consumer requests under CCPA

Published on


Under the California Consumer Privacy Act (“CCPA”), businesses are required to respond to verifiable consumer requests. Consumers can request the following:

  • The categories of personal information you keep
  • The sources from which the personal information was collected
  • The categories of third parties with whom you share personal information
  • The specific piece of personal information you collected about the consumer
  • (If a business sells or shares consumer information with third parties) the categories of personal information sold or shared and the categories of third parties to whom it was sold.

The CCPA and relevant regulations also layout how businesses should respond to consumer requests. To begin, businesses must respond within 10 business days with confirmation of receipt of a request to delete, request to correct, or request to know and provide information on how it will be processed. Businesses must also keep in mind that CCPA regulations detail instances when a business does not need to respond to consumer requests.

What should businesses be ready to disclose

When responding to consumer requests, businesses may have to disclose more than what was collected from the consumer. The Office of the Attorney General (who regulated CCPA prior to the CPRA establishing the CCPA Board) broadly interpreted the scope of personal information. They found that it does not matter whether the business gathers the information from the consumer or from public sources, purchased sources, or inferred the information processed through the business’s proprietary processing systems. Essentially, all consumer data is subject to disclosure. Trade secrets do not need to be disclosed, but the burden is on the business to demonstrate that information is a trade secret under applicable law.

Employees requests under CCPA

The CCPA broadly interprets consumer as any California resident. The current exemption for employees is currently set to expire in January 2023. While there are bills pending to address this, employees are set to be included under CCPA. Thus, business should position themselves to comply with CCPA obligations.

For more information and advice to maintain compliance with CCPA, please contact a knowledgeable attorney. Scali Rasmussen privacy attorneys standby to assist you.