CCPA Compliance: Request Processing Checklist

• Establish verification procedures

  Consumer requests to know must be verified before the business can respond, but the verification requirements vary depending on the specific type of request.

• Level of Verification

  These requests should be verified to a “reasonable degree of certainty.” Regulations suggest matching two consumer data points provided by the requestor to data maintained by the business.

• Minors under the age of 13

  If it has knowledge that a consumer is under 13 years old, the business must verify that the requestor is the consumer’s parent or guardian.

• Authorized Agents

  Consumers may submit a request through an authorized agent, though businesses may require proof of such authorization, such as signed permission from the consumer.

• Two or more methods

  Businesses must offer two more methods for submitting a request to know, including a toll-free number. At least one of these methods should relate to the business’s normal way of interacting with consumers.

• Exclusively online businesses

  Businesses that operate exclusively online and have a direct relationship with the consumer only need to provide an email address for submitting requests.

• Identify which categories of personal information are associated with each consumer group

  Refer to your business’s data map to determine what information must be provided and where it is maintained.

• Identify sensitive personal information that cannot be provided

  For security reasons, some specific pieces of information should not be disclosed. In these cases, only disclose that your business has collected that specific type of information.

• Draft form letter

  A form letter will help ensure that each response has the required information, as well as reduce the time needed to create each response.

• Response deadline: 45 days
• Confirm receipt of request: 10 days

  This confirmation may be made in the same manner the request was received. If the request was made by phone, confirmation can be made orally at that time.

• Extension: 45 days

  The response deadline can be extended for an additional deadline if necessary and if the consumer is notified before the original 45 days has expired.

• Practice responses

  Responding to a few hypothetical consumer requests will help make sure there are no gaps in the process and staff knows where to find all the necessary information.

• Establish verification procedures

  Consumer requests to delete must be verified before the business can respond, but the verification requirements vary depending on the type of information to be deleted.

• Common personal information

  If unauthorized deletion of the personal information would pose little harm to the consumer (deleting browsing history, for example), the request should be verified to a “reasonable degree of certainty.” Regulations suggest matching two consumer data points, such as an email address and name.

• Sensitive or unique personal information

  If unauthorized deletion of the personal information would potentially cause more harm to the consumer (deleting family photos, for example), the request should be verified to a “reasonably high degree of certainty.” Regulations suggest matching three consumer data points and requiring a signed declaration under penalty of perjury.

• Minors under the age of 13
• Authorized agents
• Two or more methods

  Businesses must offer two more methods for submitting a request to delete. At least one of these methods should relate to the business’s normal way of interacting with consumers.

• Identify which categories of personal information are associated with each consumer group

  Refer to your business’s data map to determine what information must be deleted and where it is maintained.

• Identify personal information that is exempted from deletion requests

  To prevent unnecessary deletions, determine in advance which personal information falls under an exemption.

• Deidentifying or aggregating options

  Personal information that is deidentified or in the aggregate need not be deleted. Explore whether any information can be retained in this way.

• Draft form letter
• Inform the consumer of any personal information that was not deleted and why

  If any personal information is not deleted because of an exemption, this must be explained to the consumer.

• Send deletion request to service providers

  Service providers must also respond to deletion requests. Establish a process for sending notifications to all appropriate service providers.

• Response deadline: 45 days
• Confirm receipt of request: 10 days
• Extension: 45 days
• Practice responses

• Requests from authorized agents

  Requests to opt out need not be verified. Consumers can send requests through an authorized agent, however, so businesses should still have a procedure for verifying this authorization.

• Two or more methods

  Businesses must offer two or more methods for submitting a request to opt out. At least one of these methods should relate to the way the business normally interacts with consumers.

• Interactive form

  If your business operates a website, at least one of the methods should be an online, interactive form accessible via the “Do Not Sell or Share” link.

• Easy to execute, minimal steps

  The process cannot be designed in a way meant to prevent or deter consumers from submitting opt-out requests. It may have no more steps than the process for opting back in to the sale or sharing of personal information.

• Identify any sale or sharing of personal information associated with each consumer group

  Refer to your business’s data map to determine what information is being sold or shared.

• Establish procedures for stopping the sale or sharing of personal information

  Some companies such as Facebook and Google have options for the reduced processing of consumers’ personal information so it is no longer considered a sale. These options can be applied to particular consumers.

• Draft form letter
• Send notification to third parties

  Businesses must notify all third parties to whom they sell or share consumers’ personal information.

• Response deadline: 15 days

  There is no extension for responding to an opt-out request.

• Practice responses

Requests to Correct