Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I ignore consumer requests for information or deletion in California? What are the requirements?

Requirements for Responding to Consumer Requests for Information or Deletion in California

Under the California Consumer Privacy Act (CCPA), businesses are required to respond to consumer requests for information or deletion of their personal information. The requirements for responding to these requests are outlined in various sections of the California Code of Regulations.

Requests to Delete

If a consumer requests that a business delete their personal information, the business must comply with the request, subject to certain exceptions [1.3]. The business must:

  • Permanently and completely erase the personal information from its existing systems except archived or backup systems, deidentify the personal information, or aggregate the consumer information.
  • Notify the business’s service providers or contractors of the need to delete from their records the consumer’s personal information that they collected pursuant to their written contract with the business, or if enabled to do so by the service provider or contractor, the business shall delete the personal information that the service provider or contractor collected pursuant to their written contract with the business.
  • Notify all third parties to whom the business has sold or shared the personal information of the need to delete the consumer’s personal information unless this proves impossible or involves disproportionate effort.
  • If a business claims that notifying some or all third parties would be impossible or would involve disproportionate effort, the business shall provide the consumer a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why the business cannot notify all third parties.
  • Inform the consumer whether it has complied with the consumer’s request and maintain a record of the request as required by section 7101, subsection (a) [1.3].

Requests to Know

If a consumer requests that a business disclose the personal information it has collected about them, the business must comply with the request, subject to certain exceptions [1.5]. The business must:

  • Confirm receipt of the request within 10 days and provide information about how the business will process the request.
  • Verify the identity of the consumer making the request.
  • Provide the requested information to the consumer in a readily useable format within 45 days of receipt of the request, subject to extension under certain circumstances [1.5].

Requests to Limit Use and Disclosure of Sensitive Personal Information

Under the CCPA, consumers have the right to request that a business limit its use and disclosure of their sensitive personal information [1.2]. A business that uses or discloses sensitive personal information for purposes other than those set forth in subsection (m) shall provide two or more designated methods for submitting requests to limit. A business shall consider the methods by which it interacts with consumers, the manner in which the business collects the sensitive personal information that it uses for purposes other than those set forth in subsection (m), available technology, and ease of use by the consumer when determining which methods consumers may use to submit requests to limit. At least one method offered shall reflect the manner in which the business primarily interacts with the consumer [1.2].

Businesses cannot ignore consumer requests for information or deletion in California. If a business fails to respond to a consumer request within the required timeframe, the consumer may file a complaint with the California Attorney General’s office [1.3].

Conclusion

Under the CCPA, businesses must respond to consumer requests for information or deletion of their personal information. Businesses cannot ignore these requests and must comply with the requirements outlined in the California Code of Regulations. Additionally, consumers have the right to request that a business limit its use and disclosure of their sensitive personal information.

Source(s):
Jurisdiction

California