- 1798.100 – Consumers' right to receive information on privacy practices and access information
- 1798.105 – Consumers' right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers' right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
In response to an access request, does a company have to produce all of the information that it has about an individual?
The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.
Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:
- The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
- Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3
A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to CCTV footage if there is a third party in the video, as this would infringe upon the third party’s privacy rights. Similarly, a business may not be able to provide access to internal documents regarding a consumer as it could be construed as an unauthorized disclosure of the document creator’s personal information.
A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:
[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4
Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:
- Inferences about a consumer
- Background programming
- Background responses (e.g., internal responses to consumer requests and/or consumer activity)
- Internal information unrelated to the consumer (e.g., background data describing a web page that the consumer navigated to)
- Internal notes about a consumer
For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase – such as the consumer’s name, phone number, mailing address, and the request made – is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made – such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior – is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.