- 1798.100 – Consumer's right to receive information on privacy practices and access information
- 1798.105 – Consumer's right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumer's right to receive information about onward disclosures
- 1798.120 – Consumer's right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
If a business receives an access request, does it have to provide information that it collected more than a year ago about the consumer?
The CCPA contains four references to the obligation of a business to, in response to an access request, provide the “specific pieces of personal information” that it has collected about a California resident.1 Each of those sections is modified by California Civil Code Section 1798.130(a)(2), which states that “the disclosure” required by a business in response to an access request “shall cover the 12-month period preceding the business’s receipt of the verifiable consumer request . . . ”2 The statute reiterates that access is limited to a 12-month lookback in California Civil Code Section 1798.130(a)(3)(B) by stating that access requests which seek information about a business’s collection practices (as opposed to requests that seek the specific pieces of information held by the business) are similarly limited to “the preceding 12 months.”3 It is unclear, from this text, whether the legislature intended that a company provide access only to data that was collected during the 12-month lookback period, or provide access to data that was held by the company during some portion of the 12-month lookback.
Can a company be sued under the CCPA for failing to honor an access request?
Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where a consumer’s “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1 The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligations to disclose to consumers information about their data upon request, or to provide “the specific pieces of personal information” collected about a consumer.2
The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3 Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law, arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery. It is unlikely, however, that such a strategy would succeed in connection with the CCPA, as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4
An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action, and the ability for plaintiffs’ attorneys to seek statutory damages, to all alleged violations of the CCPA. While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review. As a practical matter, this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.
The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to honor access requests, and it is unlikely that courts will permit such suits through the auspices of the UCL. The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with access requests.
If a company receives a data access request from an employee, will it have to share with them performance reviews and other notes and comments in their HR file that implicate other employees?
The CCPA requires that a business provide a California resident with the “specific pieces of personal information it has collected about that” individual.1 There are two main exceptions to this right. Information does not need to be disclosed to an employee if it would “restrict” a business’s ability to “[c]omply with federal, state, or local laws” or if it would interfere with the “rights and freedoms of other consumers.”2 That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.3
With regard to the first exception, if the access request of one California employee would require an employer to disclose information about a second employee for which the employer has a legal obligation of confidentiality, the request could be refused. While that may protect some information that an employer maintains about its other employees, an employer is not mandated by law to keep much of the information that it collects about its other employees confidential.
With regard to the second exception, the language suggests that a company could object to an access request from one employee that would require the production of information relating to a second employee based upon the supposition that the disclosure would interfere with the “rights and freedoms” of the second employee to privacy. It is important to note, however, that the term “consumer” is defined within the CCPA as including only “a natural person who is a California resident.”4 As a result, on its face this exception would allow an employer to refuse to honor an access request that would interfere with the rights and freedoms of another California employee; it would not necessarily allow the company to refuse to honor an access request that would disclose information about an employee who was the resident of a different state or country.
In comparison, the European GDPR contains a broader exception to rights of access that allows a controller to refuse an access request if honoring it would “adversely affect the rights and freedoms of others” – regardless of their nationality or residency.5
The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
1. Cal. Civil Code 1798.110(a)(5), (b).
2. Cal. Civil Code 1798.145(a)(1), (j).
3. See Assembly Bill 25 passed on November 13, 2019.
4. Cal. Civil Code 1798.140(g) (emphasis added).
5. GDPR, Article 15(4).
Access Requests – the right to access data
The California Consumer Privacy Act of 2018 (“CCPA”) is arguably the most comprehensive – and complex – data privacy regulation in the United States. The CCPA was designed to emulate the European General Data Protection Regulation (“GDPR”) in many respects. As a result, United States companies that thought that they were not subject to the GDPR are now laser focused on the requirements of the CCPA and rushing to verify that their practices comply with the statute. While the CCPA was drafted with an eye toward the GDPR, it also differs from that regulation in many respects. As a result, companies that just finished their push to come into compliance with the GDPR now also must redirect their attention toward the CCPA.
To help address the confusion caused by the CCPA, Bryan Cave Leighton Paisner is publishing this multi-part Practical Guide to the California Consumer Privacy Act.
The right to access data refers to the ability of a person to request that a company confirm whether it has personal information about him or her, the type of personal information that the company keeps about the individual, and/or a copy of the specific information that the company keeps on file. Access requests are sometimes referred to as Data Subject Access Requests or SARs.
Comparison to Other Privacy Laws
The right of access is not a new concept. For example, in Europe, the European Union Charter of Fundamental Rights, which was adopted in 2000, states that “[e]veryone has the right of access to data which has been collected concerning him or her . . . .” That right was further codified in the European Privacy Directive of 1995 and, more recently, in the European GDPR. The majority of data privacy laws in the United States do not include a right to access personal data, but there are some notable exceptions. For example, the Health Insurance Portability and Accountability Act (“HIPAA”) and the Family Educational Rights and Privacy Act (“FERPA”) confer rights of access in the context of health-related data and student records.
To Do List
- Review existing methods for submitting access requests to your organization to verify that they comply with the CCPA.
- Review existing policies or procedures for authenticating individuals that make access requests.
- If no authentication policy exists, draft an appropriate policy for authentication of individuals that make data subject requests.
- Draft a “play book” that provides standard communications that can be sent to individuals that make access requests, and standard formats for reporting personal information.
- Train employees on the handling of access requests.
- Verify that the policy in place facilitates the fulfillment of access requests within the time period permitted by the statute.
How We Can Help
Companies across the globe have retained BCLP to draft their internal protocols for handling consumer requests for information about themselves, or to review existing protocols to spot any red flags that might be of concern to a court or a regulator. You can find out more about how we help companies handle requests from data subjects for access to their information here.
Cal. Civil Code 1798.100(a)
Cal. Civil Code 1798.110(a)(1)-(5), (b)
Cal. Civil Code 1798.130(a)(1)-(7)