
How to Respond to CCPA Privacy Notices

By MatrixPoint

 

How should you handle CCPA requests, notices, or complaints? What even is the CCPA, and why does your business need to pay attention to it at all? This article will explain everything you need to know about dealing with CCPA privacy notices.

California became the leader in data privacy rights with the passing of the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (CCPA). 

Referred to as the CCPA, this new law affords bolstered data privacy rights to all residents of California, including several new types of notices used to protect consumers’ data and their privacy.

New rights include the right to request what personal information any business has collected about the consumer, the right to have the business delete any personal information collected, and the right to opt-out of the sale of personal information. 

The CCPA went into effect on January 1, 2020, and will begin being enforced by the California Attorney General on July 1, 2020. That gap gives businesses time to update their policies to ensure they’re compliant with the new law, but it’s important to start adapting your business now, as some businesses will be forced to make major changes to avoid CCPA fines, fees, and penalties. 

To ensure your business is compliant with the new CCPA laws, it’s important to first understand what types of CCPA requests consumers can make, as each type of request comes with different requirements and conditions you’ll need to meet to remain in compliance. Fortunately, this guide explains exactly what types of requests you may be hit by, as well as how to respond to them to avoid facing fines, fees, or penalties.

CCPA compliance is a complicated process, so you should consider hiring a data privacy protection specialist to help you navigate the requirements of this complex legislation. If you’re looking for assistance in getting CCPA compliant quickly, contact MatrixPoint for a free consultation by calling 800-683-6983 or by filling out our contact form.

 

Types of Notices That Can Be Requested

In total, there are three types of CCPA privacy notices that CA consumers can request: 

  1. The right to know what information a business has collected about them
  2. The right to require that a business deletes personal information upon request and under certain conditions
  3. The right to opt-out of the sale of personal information

Businesses will need to respond differently to each of these three types of CCPA notices, and in some cases, they may even be able to simply deny the consumer request.

But we also want to make it clear that the CCPA requires businesses to provide options for consumers, and that under the new regulations, most of the burden for protecting consumer privacy information is now going to be placed on businesses, rather than consumers themselves.

 

1. The Request to Know CCPA Notice

California residents may request to know what personal information has been collected about them via this type of CCPA privacy notice, and all businesses regulated by the CCPA will need to be capable of providing that information in a timely fashion. 

The information Californians may request includes:

  • The categories of personal information that a business has collected about them
  • Whether the business has disclosed personal information for a business purpose
    • Under this request, the business will also be required to disclose the categories of service providers to whom the business disclosed personal information
  • The business’s purpose for collecting and/or selling their personal information
  • The specific pieces of information that a business has shared about them

The CCPA stipulates several rules around Request to Know notices, including:

  • Consumers should be provided with several ways to make this type of request
  • Consumers who already have an account with your business should be provided appropriate forms to make the request
  • Consumers without accounts cannot be required to create an account before requesting information about their privacy details

Any businesses that don’t provide a form for consumers to fill out are likely to receive Request to Know CCPA notices via mail. These letters will identify who the consumers are and the information they’re requesting, and businesses that receive them will be forced to respond to them appropriately.

Per the CCPA, once a business has received the CCPA Request to Know notice, they are required to respond to the notice within 45 days, but an extra 45 days may be granted as an extension. This will leave businesses with a total of 90 days to respond to the request. After 90 days, no more extensions will be granted.

Businesses will also be allowed to ask the consumer for additional information to verify the request. However, businesses can’t use this information for anything other than verification purposes.

To respond to the request, businesses will need to contact the consumer who submitted the request and provide them with the information they requested.

If businesses are unable to verify the request, they are allowed to respond with only the categories of information that have been collected (like First Name, Last Name, Address, etc., instead of personally identifiable details). This is to protect both the business and the individual from having sensitive information revealed to the wrong party. 

Where businesses feel that the request is coming from someone other than the person whose information is being requested, businesses will need to provide the requestor with a list of additional information needed to verify their identity before their request can be acted upon.

 

2. The Request to Delete CCPA Notice

Under specific circumstances, consumers may request that businesses delete their personal information. Once verified, businesses must delete the personal information.

However, there are 9 exceptions businesses can use to deny consumer data deletion requests, including: 

  1. In the case of security
    1. Businesses can maintain server logs and other information used in the detection and prevention of security incidents
    2. This information can range from facial recognition information to cybersecurity data
  2. In the case of errors
    1. A business can keep server logs and other data to fix errors within its software
    2. This information may only be kept to fix current problems and can’t be saved for future issues
  3. In the case of Free Speech
    1. This exemption is meant to protect discourse published online
  4. In the case of CalECPA Compliance
    1. The California Electronic Communications Privacy Act requires some information to be kept under certain circumstances, and it may be used as an exemption for a business
  5. In the case of Research in the Public Interest
    1. This mainly focuses on peer-reviewed scientific, historical, or statistical research that has public interest in mind
    2. If you collect data about users for this purpose, you may be allowed to deny the request for deletion.
  6. In the case of legal compliance
    1. If there is a legal obligation that must be met that pertains to keeping information, this may be used as an exception
  7. In the case of transactions
    1. If personal information is needed to complete a transaction, further the existing business relationship, or perform a contract, an exception to deletion may be made.
  8. In the case of expected internal uses
    1. This protects businesses in the case of personal information being used internally
    2. This use must be reasonably aligned with the expectations of the consumer based on their relationship with a given business
  9. In the case of other internal uses
    1. This acts as a catch-all exception and adds another layer of protection for businesses using personal information internally

If businesses receive a request that falls into one of these categories, they’ll be allowed to deny the request for deletion. However, if denied, the business must state why the request has been refused, and this explanation must be provided to the consumer.

To delete the consumer’s data, a business must permanently and completely erase the personal information on existing systems; archived or backup systems are the exception. The business must also de-identify or aggregate the personal information. 

Beyond the qualifications for deletion, there are some other stipulations businesses should know regarding this type of CCPA privacy notice.

First, the consumer does not need to have a direct relationship with a business to request the deletion of their data - so businesses must be prepared for notices from anyone, including people they’ve never heard from before.

Even if a business doesn’t sell any personal information, but simply collects it, CA consumers now have the right to request deletion, and the business must respond all the same.

You also can’t charge anyone for deleting their personal information.

Finally, businesses must provide two or more methods for a consumer to request that their personal information be deleted. 

 

3. The Request to Opt-Out

Consumers may also request to opt-out of the sale of personal information.

Businesses that sell information will be required to provide at least two ways for a consumer to request the opt-out. This can be an online form, a physical mailing system, or several other options.

Businesses should note that one of these methods must be through a link on the homepage or on a mobile app that specifically says, “do not sell my personal information,” or “do not sell my info.”

If your business receives one of these notices, be prepared to respond quickly, because the Attorney General’s guidelines state that a business must respond as soon as possible, but no later than 15 days after the Request to Opt-Out has been received. 

Below are additional stipulations businesses need to be aware of:

  • A business can’t discriminate against a consumer, but it may offer financial incentives for the sale of personal information, based on the value of that information
  • The definition of “sell” includes “sharing for valuable consideration” 
  • A business may still share personal information with service providers to perform business purposes, even after a consumer opts out
  • In this case, the service providers aren’t allowed to use personal information for anything further

Once your business has received an opt-out request, you must respond to the consumer request, verify the individual is requesting information about themselves, then remove them from all sales of personal information unless their situation meets one of the exceptions listed above.

 

Does a User Need to Prove That They Are Who They Say They Are?

Yes, absolutely. Consumers who send in CCPA notices are going to have to prove they are who they claim to be, as this is the only way to protect businesses and individuals from being scammed by identity thieves.

The process for verifying a consumer will vary from one business to another, but in general, businesses can choose to verify notices themselves or outsource that work to a third party company.

CCPA also stipulates that the more sensitive or valuable information that a business collects, the more stringent the verification process will need to be.

Stronger verification processes will also be required of businesses where there is an increased risk of harm to the consumer from unauthorized access to or deletion of their data, or where there is a higher likelihood that fraudulent or malicious actors would seek their personal information. 

If the consumer has an account with the business, the verification process may be performed within the existing consumer portal. If your business suspects malicious activity from the account that submitted the privacy notice, then you will not be permitted to comply with the consumer’s request until a full verification of their identity can be completed. 

If the consumer doesn’t hold an account with your business, then they must verify themselves to a reasonable degree of certainty. CCPA guidelines stipulate that consumers should be capable of providing at least two data points and three pieces of personal information to prove their identity, so you’ll need a process in place for verifying (or denying) requests.

If a business has no reasonable method by which it can verify consumers, then it must state this in its response to the consumer’s filed privacy request. Afterward, the business will be required to evaluate annually whether such a method can be established, and to document that evaluation. 

 

How Do I Validate That It’s the User?

To expand more on the previous paragraph, there is a two-step authentication process that consumers may go through to validate themselves.

This includes submitting an email or address that a business can respond to. This ensures an established line of communication with the actual consumer. 

 

How Do I Communicate With the User?

Businesses are afforded several pathways of communication with their users.

This includes email, phone, or direct mail. You’ll likely want to adjust your preferred communication methods depending on the type of request received, as some of these channels work better than others.

Requests that demand responses as soon as possible will best be conducted via phone or email.

 

What Information Do I Store about Their Request?

Businesses will be required to store relatively little information about the CCPA privacy requests that they receive, but in general, you should prepare to store at least the most basic information associated with the request, like when it arrived, who it came from, what it was for, and whether or not you were able to comply with the consumer’s request.

This can include the documentation of contact via email, phone, or direct mail. Saving these transcripts will prove businesses have done their due diligence in taking CCPA notices seriously and having these materials on hand may help prevent future CCPA fines, fees, or penalties. 
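The record-keeping described above, together with the response windows (45 days plus one 45-day extension for Request to Know and Request to Delete notices, 15 days for a Request to Opt-Out), the verification gating for Request to Know responses, and the rule that a denied deletion must cite a reason, can be captured in a small request tracker. The following Python is an added illustration, not MatrixPoint’s tooling or any official CCPA artifact; the ticket ids, field names, channel labels and exception keys are assumptions, and the day counts are taken from this article and should be confirmed against the current regulations.

```python
"""Minimal CCPA consumer-request tracker (added illustration, not MatrixPoint's tooling).

Encodes the response windows, verification gating, deletion exceptions and
audit records described in the article. Day counts come from the article text;
confirm them against the current regulations before relying on them.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class RequestType(Enum):
    KNOW = "request_to_know"
    DELETE = "request_to_delete"
    OPT_OUT = "request_to_opt_out"


# Response windows in days, as stated in the article (assumed constants).
INITIAL_WINDOW = {RequestType.KNOW: 45, RequestType.DELETE: 45, RequestType.OPT_OUT: 15}
EXTENSION_WINDOW = {RequestType.KNOW: 45, RequestType.DELETE: 45, RequestType.OPT_OUT: 0}

# The nine deletion exceptions listed in the article; a denial must cite one of them.
DELETION_EXCEPTIONS = (
    "security", "errors", "free_speech", "calecpa_compliance",
    "public_interest_research", "legal_compliance", "transactions",
    "expected_internal_uses", "other_internal_uses",
)


@dataclass
class CcpaRequest:
    request_id: str            # hypothetical internal ticket id
    request_type: RequestType
    received: date
    requester: str             # contact the consumer supplied (email or postal address)
    channel: str               # hypothetical labels: "web_form", "mail", "email", "phone"
    verified: bool = False     # set once identity verification has completed
    extended: bool = False
    outcome: str = "open"      # "open", "fulfilled", "denied", "categories_only"
    denial_reason: Optional[str] = None
    log: List[Tuple[date, str]] = field(default_factory=list)

    def record(self, on_iso: str, event: str) -> None:
        """Append a dated audit entry; these are the records the article says to keep."""
        self.log.append((date.fromisoformat(on_iso), event))

    def deadline(self) -> date:
        days = INITIAL_WINDOW[self.request_type]
        if self.extended:
            days += EXTENSION_WINDOW[self.request_type]
        return self.received + timedelta(days=days)

    def deadline_iso(self) -> str:
        return self.deadline().isoformat()

    def extend(self, on_iso: str) -> str:
        """Apply the single extension the article allows; opt-out requests have none."""
        if EXTENSION_WINDOW[self.request_type] == 0:
            raise ValueError(f"{self.request_type.value} has no extension")
        if self.extended:
            raise ValueError("only one extension is available")
        self.extended = True
        self.record(on_iso, "extension applied")
        return self.deadline_iso()

    def is_overdue(self, today_iso: str) -> bool:
        return self.outcome == "open" and date.fromisoformat(today_iso) > self.deadline()


def new_request(request_id: str, type_name: str, received_iso: str,
                requester: str, channel: str) -> CcpaRequest:
    """Intake helper: parse the type and received date from plain strings."""
    return CcpaRequest(request_id, RequestType(type_name),
                       date.fromisoformat(received_iso), requester, channel)


def respond_to_know(req: CcpaRequest, on_iso: str, categories: List[str],
                    specifics: Dict[str, str]) -> Dict[str, object]:
    """Verified requests receive specific pieces; unverified ones get categories only."""
    if req.request_type is not RequestType.KNOW:
        raise ValueError("not a Request to Know")
    if req.verified:
        req.outcome = "fulfilled"
        req.record(on_iso, "specific pieces of information disclosed")
        return {"categories": list(categories), "specific_pieces": dict(specifics)}
    req.outcome = "categories_only"
    req.record(on_iso, "identity not verified: categories only disclosed")
    return {"categories": list(categories)}


def deny_deletion(req: CcpaRequest, on_iso: str, exception: str, explanation: str) -> str:
    """A deletion denial must cite one of the listed exceptions and explain it to the consumer."""
    if req.request_type is not RequestType.DELETE:
        raise ValueError("not a Request to Delete")
    if exception not in DELETION_EXCEPTIONS:
        raise ValueError(f"'{exception}' is not a recognised deletion exception")
    req.outcome = "denied"
    req.denial_reason = f"{exception}: {explanation}"
    req.record(on_iso, "deletion denied: " + req.denial_reason)
    return req.denial_reason


if __name__ == "__main__":
    # Constructed sample: a mailed Request to Know that could not be verified.
    r = new_request("REQ-0001", "request_to_know", "2020-03-01", "J. Doe, Sacramento", "mail")
    print("initial deadline:", r.deadline_iso())
    print("after extension:", r.extend("2020-04-01"))
    print(respond_to_know(r, "2020-05-01", ["name", "postal address"], {"name": "J. Doe"}))
    for when, event in r.log:
        print(when, event)
```

The tracker never stores the verification data itself, only the fact and date of verification, which matches the article’s point that information collected for verification may not be used for anything else; the `log` list is the documentation of contact the article recommends keeping.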

 

Contact MatrixPoint for Assistance

Any business that is not prepared to handle CCPA requests will be leaving itself open to legal repercussions in the form of major fines, so it’s important to pay close attention to the CCPA regulations and ensure that your business has a plan in place for dealing with all of the new CCPA requirements.

One of the best ways to ensure compliance is to hire a data protection agency to analyze your current processes and determine where there may be shortfalls with the new CCPA regulations.

For assistance in ensuring that your company is able to quickly become CCPA compliant, schedule a free consultation with MatrixPoint. Call us at 800-683-6983, or simply fill out our contact form.
