If a consumer sends a request for deletion or a request for access via Twitter or other social media, does a business have to respond?

As an initial matter, the statutory text of the CCPA is somewhat unclear regarding a business’s obligations when it receives a request for access or a request for deletion in a non-standard format. The statute provides only that a business must “[m]ake available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.”¹

Taken alone, the provision states that businesses may direct consumers to a finite number of “designated methods,” with the implication that requests submitted through non-designated methods are invalid and may be ignored.  The proposed regulations, however, state the opposite—specifically, the regulations require that when a consumer submits a request through a non-standard method, the business must either “[t]reat the request as if it had been submitted in accordance with the business’s designated manner, or . . .  [p]rovide the consumer with specific directions on how to submit the request or remedy any deficiencies with the request, if applicable.”²

Thus, in the case of a request submitted by Twitter, at a minimum the business would be required to provide the consumer who authored the tweet with information about how to submit a valid request.  It is also unclear as to the time period by which a business must respond to a non-standard request, since it is unclear whether a non-standard request, such as a Twitter request, meets the definition of a “request to know” or a “request to delete” under the regulations.³