Understanding The CCPA Data Subject Access Request

By Ketch / November 6, 2021

The California Consumer Privacy Act (CCPA) gives California consumers some rights to  control their personal information. Among these is the “right to know” (or the “right to access [data]”), which grants people the ability to request details about the data that a business collected from them, used, or sold. Businesses must respond to and process these data subject access requests (DSARs) in compliance with the CCPA.

For more help with CCPA compliance, contact the privacy experts at Ketch to learn more about consent management software and how it can help your business. 

What Is A Data Subject Access Request (DSAR)?

A consumer can exercise their right to know by submitting a DSAR. These requests empower people to access the personal information collected from them, the purpose for which it was collected, and details about third parties to whom a business is sharing or selling consumers’ personal information.

Any person protected under the scope of the CCPA—or any other data privacy law with similar statutes, such as Europe’s General Data Protection Regulation (GDPR)—can submit a DSAR, and businesses catering to these consumers must comply with the regulations to fulfill these requests.

What Personal Information Can A Consumer Request Access To?

The CCPA has a broad definition of “personal information” or “information that identifies, relates to, or could reasonably be linked with” a California consumer or household. Under the right to know, a consumer can request access to:

  • the categories of personal information collected
  • specific pieces of personal information collected
  • the categories of sources from which information is collected
  • the purposes for which personal information is used
  • the categories of third parties with whom personal information is shared
  • the categories of information that is sold, disclosed, or in any way made available to third parties

Do All Businesses Have To Respond To DSARs?

The CCPA requires all for-profit businesses that do business in California and either has a gross annual revenue of over $25 million; buys, sells, or receives the personal information of more than 50,000 California residents, households, or devices; or derives at least half of their annual revenue from the sale of California consumers’ personal information must respond to and process DSARs.

Exceptions To The CCPA

Given its nature, does the CCPA apply to government agencies? The answer is no—with the same being true for non-profit organizations. 

That said, if government entities and non-profits are third parties to whom a business shares information, the business must disclose that and list them in the category of third parties.

How To Manage DSARs

The CCPA provides regulations as to how a business must respond to, process, and keep a record of DSARs in a way that fully enables consumers to exercise their afforded rights. Here are some steps that a business must take to comply:

Provide DSAR Channels

A business is required to designate at least two methods for a consumer to submit a DSAR—one being a toll-free number, the other being an email contact address (except if the business operates exclusively online, in which an email address should suffice). These channels should be fit for the nature of the business, and they should be separate from other customer support channels.

Set A Method for Processing DSARs

A business must set a method for processing DSARs and explain it in detail in their CCPA privacy policy.

Upon receipt of a request, a business is required to deliver the information requested within 45 days of receiving a verifiable consumer request (i.e. a request that has been verified to be made by the requester about their own personal information). 

This deadline can be extended another forty-five days when “reasonably necessary”, depending on the complexity and the volume of the DSAR. In this case, the business must inform the consumer about the extension.

A business must provide the requested information through the medium chosen by the consumer, which may differ from the channel used to submit the DSAR.

Train Employees On How To Manage DSARs

Business owners must train employees about the proper management of DSARs to ensure that the handling and processing of consumers’ personal information are managed in a way that is compliant with the CCPA.

Keep Updated On The CCPA

To ensure that your business is always compliant with the CCPA, and thereby reducing the risk of penalties or losing business in California, you must keep informed about the CCPA and other relevant data privacy laws. Furthermore, you should regularly review and update your data practices to comply with the regulations set by these laws.

Share this: