- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
How much time does a company have to respond to an access request?
The CCPA requires that a business “deliver” the information that is required to be produced under the Act within “45 days of receiving a verifiable consumer request.”1 The 45 day time period can be extended by an additional 45 days when “reasonably necessary.”2 If a business seeks to rely upon the extension it must inform the requestor of that fact within the first 45 day period.
The CCPA does not specify what type of situations might qualify as “reasonably necessary” to extend the response time period. It is possible that a court, or the California Attorney General, could look to the GDPR for guidance. The GDPR similarly allows an organization to extend the time within which information must be provided by an access request and specifies that two factors that might contribute to the need for an extension would be the “complexity and number” of requests that a person makes.