In response to an access request, does a company have to produce information about its transactions and experiences with an individual?

The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.

Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:

  1. The rights of one consumer “shall not adversely affect the rights…of other consumers,2 and
  2. Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3

A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to internal documents regarding a consumer (i.e. internal notes about a customer service representative’s experience with the consumer) as it could be construed as an unauthorized disclosure of the document creator’s personal information.

A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:

[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4

Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:

  • Inferences about a consumer
  • Background responses (e.g., internal responses to consumer requests and/or consumer activity)
  • Internal notes about a consumer

For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase  ̶  such as the consumer’s name, phone number, mailing address, and the request made  ̶  is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made  ̶  such as internal return protocols, the refund date, the retailer’s response to the consumer,  fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior ­ ̶  is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.

For more information and resources about the CCPA visit

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.


2. 1798.145(j).

3. 1798.150(a).

4. 1798.140(e).