- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Do companies have to “flow down” access requests to service providers?
When a business receives a request from a consumer to access the personal information that the business has “collected,” it must decide whether to grant the request or to deny it based upon one of the exceptions to access contained in the CCPA.1 If the business decides to grant the request and provide the personal information in its possession, the CCPA does not specifically state that the business must also direct its service providers to produce the personal information that may be in their possession. This contrasts with deletion requests where the CCPA expressly states that a business which intends to honor such a request must “direct any service providers to delete the consumer’s personal information from their records.”2
Although the CCPA does not expressly state that a business must direct its service providers to search for and produce information collected from a consumer, privacy advocates are likely to take the position that flowing down an access request is implicitly required for the following reasons:
- Service providers are an extension of a business. The CCPA states that a service provider “processes information on behalf of a business.”3 To the extent that a service provider functions as an agent of a business, an argument could be made that a failure by the business to instruct the service provider to search for and produce information could constitute a violation by the business itself.
- The CCPA refers to access to the information “collected.” The CCPA states that a consumer should be able to request access to the “specific pieces of personal information the business has collected.”4 To the extent that a business collects personal information and then transmits it to a service provider for storage or further processing, the personal information was still “collected” by the business and, therefore, may need to be identified and produced regardless of whether it currently resides with the business or with its service provider.
- Access requests under the European GDPR are typically flowed down. Like the CCPA, the European GDPR does not expressly state that a controller must flow down an access request to a processor. In practice, however, it is well accepted in Europe that if a controller grants an access request it should flow down an instruction to its processors to provide the impacted personal information. In turn, the GDPR requires processors to “assist the controller . . . [in] the fulfilment of the controller’s obligation to respond to requests for exercising data subject’s rights . . . .”5
The act of instructing service providers to provide personal information in response to a consumer’s request is often referred to as “flowing down” an access request, or an “access request flow down.”
Do companies have to flow down access requests to service providers that maintain redundant copies of information?
When a business receives a request from a consumer to access the personal information that the business has “collected,” it must decide whether to grant the request or to deny it based upon one of the exceptions to access contained in the CCPA.1 If the business decides to grant the request, the CCPA states only that the “specific pieces of personal information [the business] has collected about that consumer” should be produced.2 It does not mandate that all copies of the information be produced. As a result, if a business collects information about a consumer, transmits a copy of that information to one or more service providers, but maintains the original information in its own files, it can satisfy the access requirements of the CCPA using its own copy and without flowing down the access request.
What does a Human Resources Director need to know about the CCPA?
- Privacy notices. Under the CCPA, employers are required to provide California employees with privacy notices that, among other things, itemize the categories of personal information collected, shared, and sold about the employee.1
- Access rights. Under the CCPA, California employees are permitted to request access to the personal information that the employer has collected about the employee.2
- Deletion rights. Under the CCPA, California employees are permitted to request the deletion of the personal information that the employer has collected from the employee.3 Note that the CCPA does not require that employers grant such requests in all situations.
- HR benefits providers. Under the CCPA, an employer must stake steps to verify that by providing personal information about California employees to benefits providers it is not “selling” personal information as that term is defined in the statute. If a sale does occur, the employer must disclose the sale to the employee and offer them the ability to opt-out of the sale through a “Do Not Sell” mechanism.
- Data security breach. Under the CCPA, if the sensitive information of a California employee (e.g., Social Security Number) is breached as a result of the employer’s inadequate data security, an employee may be able to initiate suit to recover statutory liquidated damages.4
CCPA Privacy FAQs: Can a company be sued under the CCPA for failing to honor an access request?
Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.” 1 The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligations to disclose to consumers information about their data upon request, or provide “the specific pieces of personal information” collected about a consumer.2
The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3 Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery. It is unlikely, however, that such a strategy would succeed in connection with the CCPA as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4
An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action, and the ability for plaintiffs’ attorneys to seek statutory damages, to all alleged violations of the CCPA. While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review. As a practical matter, this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.
The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to honor access requests, and it is unlikely that courts will permit such suits through the auspices of the UCL. The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with access requests.
CCPA Privacy FAQs: Is a business required to provide access to all information about the consumer maintained through a loyalty program?
Some of the rights conferred by the CCPA are limited to data collected “from the consumer,”1 whereas other rights apply to data “collected about” a consumer.2 Access rights are part of the latter category. As a result, if a business receives an access request from a member of a loyalty program, the CCPA requires that the business disclose “the specific pieces of personal information it has collected about that consumer.”3 This may be interpreted by courts as indicating that information must be disclosed regardless of whether the information was collected from the consumer directly, was received from a third party (e.g., a retailer, or a commercial partner), or was generated internally by a business.