- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
If a business receives a data subject access request, does it have to provide the specific pieces of personal information that it collected about the consumer?
Pursuant to Cal. Civ. Code Sections 1798,100(a), and 1798.110(a) and (b), a consumer has a right to request, and a business that “collects personal information about a consumer” has an obligation to disclose and deliver upon a verifiable request, “the specific pieces of personal information the business has collected.” To the extent it is not readily apparent from the specific pieces of personal information disclosed, a business must additionally disclose (1) the categories of personal information the business has collected about the consumer; (2) the categories of sources from which the personal information was collected; (3) the business or commercial purpose for the collection; and (4) the categories of third parties with whom the business shares the personal information.
A business responding to a verified data subject access request must disclose the personal information collected about the consumer in the 12-month period preceding the business’s receipt of the access request. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.1