CCPA Privacy FAQs: If a business receives a data subject access request, does it have to provide the specific pieces of personal information that it collected about the consumer?

August 23, 2019

Pursuant to Cal. Civ. Code Sections 1798,100(a), and 1798.110(a) and (b), a consumer has a right to request, and a business that “collects personal information about a consumer” has an obligation to disclose and deliver upon a verifiable request, “the specific pieces of personal information the business has collected.”   To the extent it is not readily apparent from the specific pieces of personal information disclosed, a business must additionally disclose (1) the categories of personal information the business has collected about the consumer; (2) the categories of sources from which the personal information was collected; (3) the business or commercial purpose for the collection; and (4) the categories of third parties with whom the business shares the personal information.

A business responding to a verified data subject access request must disclose the personal information collected about the consumer in the 12-month period preceding the business’s receipt of the access request.

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.