If a data subject submits an access or deletion request directly to a service provider, is the service provider required to respond to the data subject?

The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted, plaintiff-friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. If a data subject submits an access or deletion request directly to a service provider, is the service provider required to respond to the data subject? 

The CCPA was put together quickly (in approximately one week) as a political compromise to address a proposed privacy ballot initiative that contained a number of problematic provisions.  (You can find a timeline that illustrates the CCPA’s history and development on page 2 of BCLP’s Practical Guide to the CCPA.)  Given its hasty drafting, there are a number of areas in which the act, intentionally or unintentionally, is at best ambiguous and at worst leads to unintended results.  One of those areas involves how a service provider should respond to a request by a consumer to access or delete their information.

The CCPA states that a consumer has the right to request that a “business that collects a consumer’s personal information” disclose the “specific pieces of personal information . . . collected.”[1]  The term “business” is defined as any “legal entity” that is “operated for . . . profit” and that:

collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the state of California . . .

The most logical interpretation of the above definition is that the phrase “determines the purposes and means of the processing” applies both to (1) entities that collect personal information and (2) entities on behalf of which such information is collected.  Under such an interpretation most service providers would not be considered a “business” to the extent that they do not determine the purpose and means of processing.  That said, the definition of business appears to be missing a comma after the phrase “or on the behalf of which such information is collected.”  Absent the comma it is unclear whether the clause “determines the purposes and means of the processing” applies only to entities “on the behalf of which such information is collected.”  If the purpose and means qualification only applies to entities on whose behalf information is collected, it might mean that service providers that directly collect consumer personal information fall under the definition of “business.”[2]

The CCPA also does not explain, or define, what it means to determine the “purpose and means of processing.”  While there is a great deal of interpretation of that phrase under European privacy law (which utilizes a similar phrase) it’s unclear to what degree California courts will defer to European regulators when interpreting a California statute.

The net result is that while the best interpretation of the CCPA is one that holds that consumers have no right to request access or deletion of their personal information directly from service providers, the obtuse language of the CCPA leaves some uncertainty concerning whether California courts will adopt that interpretation.

Under the European GDPR, if a service provider is considered a “processor,” the service provider is not required (or permitted) to substantively respond to a data subject’s request to access, modify, or delete their personal data unless their client (the “controller”) has specifically delegated the authority to act on their behalf in response to data subject requests.  The service provider is required, however, to “assist[] the controller” when requested by the controller with the “controller’s obligation to respond to requests” from the data subject.[3]  As a practical matter, most European-drafted data processing addenda require that a service provider forward a request that it receives from a data subject to the service provider’s client for the client to determine how the request should be answered.  If the client determines that the data subject is entitled to access their information, modify their information, or have their information deleted, the data processing addendum also typically requires the service provider to work with the client-controller to carry out that decision.