- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
CCPA Privacy FAQs: Is a company required to respond to a data subject access request electronically?
Sometimes.
The CCPA states that a business should disclose any information that it is required to disclose in response to an access request “in writing” and “delivered through the consumer’s account with the business.”1 The requirement, of course, assumes that a business maintains an “account” or portal through which it typically communicates with a consumer. For businesses that do not maintain consumer portals, the CCPA requires the business to provide the requested information “by mail or electronically at the consumer’s option.”2 As a result, businesses should first attempt to leverage any customer portal that they maintain; absent such an option, they should defer to any request from the consumer to receive the data electronically or by mail. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.3
In comparison, the European GDPR gives individuals two separate rights – a right to access the personal data that a company holds about them,4 and a right to receive personal data in a “portabl[e]” format.5 While those rights are interrelated, they are not co-extensive.
An individual’s right of “access to the personal data” that a company holds about them (or at least to receive a description of the type of personal data that a company holds about them) applies regardless of why a company that is considered a “controller” maintains personal information about the individual. When a request relating to this right is received, the GDPR does not mandate that a company provide the information to the data subject in any particular format. Some supervisory authorities have recognized that while a data subject may prefer a response electronically, a company can satisfy its obligation by producing the information in any “intelligible form” including by providing a “photocopy or print-out of the relevant information.”6
In contrast, an individual’s right to receive their personal data in a portable format only applies when a company’s processing is based either on the fact that the data subject provided their consent for the processing, or the data subject entered into a contract with the company.7 When a request relating to the portabiltiy right is received, the company is obligated to provide the data in an electronic format.