Requests for Disclosure of Personal Information
The Statute
Per the CCPA statute §§1798.110 and 130, upon request, a business that holds personal information about a consumer must disclose within 45 days of a verifiable consumer request the following:
- The categories of personal information it has collected about that consumer;
- The categories of sources from which the personal information is collected;
- The business or commercial purpose for collecting or selling personal information;
- The categories of third parties with whom the business shares personal information; and
- The specific pieces of personal information it has collected about that consumer.
The statute defines a “[v]erifiable consumer request” as
a request that is made by a consumer…that the business can reasonably verify, pursuant to regulations adopted by the Attorney General…to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer…if the business cannot verify…that the consumer making the request is the consumer about whom the business has collected information…. 1
The Regulations
The CCPA Regulations call this Request for Disclosure a “Request to Know”:
“Request to know” means a consumer request that a business disclose personal information that it has collected about the consumer pursuant to Civil Code sections 1798.100, 1798.110, or 1798.115. It includes a request for any or all of the following:
- Specific pieces of personal information that a business has collected about the consumer;
- Categories of personal information it has collected about the consumer;
- Categories of sources from which the personal information is collected;
- Categories of personal information that the business sold or disclosed for a business purpose about the consumer;
- Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
- The business or commercial purpose for collecting or selling personal information.
The Regulations provide specifics with respect to effectuating Requests to Know. Per §999.312, a business must provide 2 or more designated methods for a consumer to submit a Request to Know unless it’s an online-only business and has a direct relationship with the consumer.
Per §999.313, businesses have
- 10 business days to confirm receipt of the Request to Know
- 45 calendar days to fulfil the Request to Know
- The option to extend by 45 additional days, but they have to provide a reason within the first 45 days
[all emphasis added]
The in-scope time period runs 12 months prior to the date of the request.
Per §999.313, for requests that seek the disclosure of specific pieces of information about the consumer, if a business can’t verify the identity of the person making the request, the business shall not disclose any specific pieces of personal information to the requestor and shall inform the consumer requestor that it cannot verify their identity. 2 [emphasis added]
Furthermore, “[a] business shall not disclose in response to a request to know a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics.” 3 [emphasis added]
However, the business shall, for example, respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data. 4
1. Cal. Civ. Code §1798.140(y).
2. The CCPA Regulations §999.313(c)(1).
3. The CCPA Regulations §999.313(c)(4).
4. Id.