Skip Repeated Content

Are businesses required to offer the same methods for submitting DSR requests under the CCPA as they are under the GDPR?

July 22, 2020

No.

Much like the GDPR, the CCPA gives consumers certain rights over their data. In particular, California residents have the right to request access to their personal information, the right to request the deletion of their personal information, and the right to opt out of the sale of their personal information.1

Businesses that are already GDPR-compliant will have pre-existing methods for fielding data subject requests, such as web portals, email addresses, or dedicated phone numbers. While these methods may be adequate, businesses should double check that all of the CCPA’s requirements are met. Whereas the GDPR has very few requirements governing submission methods, the requirements under the CCPA and Proposed Regulations are numerous.2

The end result is that if a business is GDPR compliant with respect to how data subjects are able to submit rights requests, it may not be CCPA compliant. In contrast, if a business is CCPA compliant with respect to how consumers are able to submit rights requests, it will almost certainly be GDPR compliant.

Below is a comparison of the requirements for methods to submit requests under the GDPR and under the CCPA.

GDPR

CCPA

  • There are no specific requirements governing the methods by which a data subject can submit a request.
  • A business should provide methods for requests to be made electronically, especially where personal data is processed by electronic means.3

Access:

  • If a business only operates online, it is only required to provide an email address.4
  • If a business is not only online, it must provide, at a minimum, a toll-free number and a website address.5
  • If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.6

Opt-out:

  • A business must provide a link on the homepage titled “Do Not Sell My Personal Information.”7
  • A business must provide at least two methods for submitting requests (no exception for online-only).8
  • One of the methods must be an interactive form accessible through the “Do Not Sell” link.9
  • At least one method to opt-out must reflect the manner in which the business primarily interacts with the consumer.10
  • The business must treat user-enabled global privacy controls as a valid opt-out request.11
  • If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.12

Delete:

  • A business must provide at least two methods for submitting requests (no exception for online-only).13
  • If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.14

 

For more information and resources about the CCPA visit http://www.CCPA-info.com.


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

 

1. Cal. Civil Code 1798.100(a); 1798.105(a); 1798.120(a).

2. On October 11, 2019, the Office of the California Attorney General proposed regulations to implement the CCPA. The Proposed Regulations largely add to the CCPA’s access and deletion request requirements.

3. GDPR, Recital 59

4. Cal. Civil Code 1798.130(a)(1)

5. Cal. Civil Code 1798.130(a)(1)

6. CCPA, Proposed Regulation 999.312(e)

7. Cal. Civil Code 1798.135(a)(1)

8. CCPA, Proposed Regulation 999.315(a)

9. CCPA, Proposed Regulation 999.315(a)

10. CCPA, Proposed Regulation 999.315(b)

11. CCPA, Proposed Regulation 999.315(d)

12. CCPA, Proposed Regulation 999.312(e)

13. CCPA, Proposed Regulation 999.312(b)

14. CCPA, Proposed Regulation 999.312(e)

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.