- 1798.100 – Consumers’ right to receive information on privacy practices and to access information
- 1798.105 – Consumers’ right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers’ right to receive information about onward disclosures
- 1798.120 – Consumers’ right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
In response to an access request, does a company have to produce its internal notes relating to an individual?
Maybe.
The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.
Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and obligations. Under the CCPA:
- The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
- Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3
A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to internal documents regarding a consumer (e.g., internal notes about a customer service representative’s experience with the consumer), as doing so could be construed as an unauthorized disclosure of the document creator’s personal information.
A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:
[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4
Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:
- Inferences about a consumer
- Background responses (e.g., internal responses to consumer requests and/or consumer activity)
- Internal notes about a consumer
For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase (such as the consumer’s name, phone number, mailing address, and the request made) is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made (such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior) is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.
In response to an access request, does a company have to produce information about its transactions and experiences with an individual?
Maybe.
The analysis is the same as for internal notes above. Information the consumer supplied in the course of the transaction is “collected” and must be disclosed, while information the business generated afterward about the transaction or its experience with the consumer (the refund date, its response to the consumer, internal notes, inferences about purchasing behavior) is arguably not “collected,” subject to the same caveats about the rights of other consumers and unauthorized disclosure.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. 1798.100(b).
2. 1798.145(j).
3. 1798.150(a).
4. 1798.140(e).
In response to an access request, does a company have to produce its own work product?
Maybe.
The analysis is the same as for internal notes above: a business must disclose what it has “collected” about the consumer in the previous 12 months, the rights of other individuals and the risk of an unauthorized disclosure of the document creator’s personal information limit what it can release, and information the business itself created is arguably not “collected” at all. Work product extends the categories of internally developed or created information, which may include:
- Inferences about a consumer
- Background programming
- Background responses (e.g., internal responses to consumer requests and/or consumer activity)
- Internal information unrelated to the consumer (e.g., background data describing a web page that the consumer navigated to)
- Internal notes about a consumer
In response to an access request, does a company have to produce all of the information that it has about an individual?
Maybe.
The analysis is the same as for internal notes and work product above, and the same two limits apply. The rights of other individuals limit what can be released: a business may not be able to provide access to CCTV footage if a third party appears in the video, as this would infringe upon the third party’s privacy rights, and it may not be able to provide internal documents regarding a consumer, as doing so could be construed as an unauthorized disclosure of the document creator’s personal information. The term “collect” limits the scope as well: information the business itself created, such as inferences, background programming and responses, internal information unrelated to the consumer, and internal notes, is arguably not “collected” and may not need to be disclosed.
CCPA Privacy FAQs: If a company collects personal information through a cookie, is it required to provide a consumer with a privacy policy?
Maybe.
Section 1798.100(b) of the CCPA states that a “business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” Plaintiffs and consumer advocates are likely to argue that this requirement applies to information collected through “cookies” based upon the following:
- The CCPA defines the term “collects” as including situations in which a business “buy[s], rent[s], gather[s], obtain[s], receiv[es], or access[es]” personal information by “any means.”1
- The CCPA defines “personal information” to include “unique identifiers” which includes “persistent identifier[s] that can be used to recognize a . . . device that is linked to a consumer . . . over time and across different services, including, but not limited to . . . cookies.”2
It is worth noting, however, that notifying a consumer about the type of information collected and the purpose of the collection does not necessarily mean distributing a full privacy policy to the consumer. The statute does not require, for example, that the notification be in writing or that it include the other types of information typically present in a privacy notice (e.g., information on the company’s practices with regard to sharing). As a result, it is possible that a company that collects information across websites through the use of cookies is able to fulfill its obligation to inform consumers of the data it collects and its use of that data orally, contextually, or via a third party (e.g., via the privacy policy of company A, which intends to transmit the information to company B).
Some companies that collect information across websites through the use of cookies (e.g., third-party behavioral advertisers) may also take the position that their cookies do not fall within the definition of “unique identifier” (and, through that, the definition of “personal information”) because their cookies are not “persistent.” For example, they may argue that a cookie set to expire in 60 or 90 days should be considered transient in nature. California’s courts and the California Office of the Attorney General have not interpreted whether cookies with set expiration dates should be considered “persistent” for the purposes of the CCPA.