If a consumer sends a request for deletion or a request for access via Twitter or other social media, does a business have to respond?

Yes, if currently pending regulations are made final.

As an initial matter, the statutory text of the CCPA is somewhat unclear regarding a business’s obligations when it receives a request for access or a request for deletion in a non-standard format. The statute provides only that a business must “[m]ake available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.”¹

Taken alone, the provision states that businesses may direct consumers to a finite number of “designated methods,” with the implication that requests submitted through non-designated methods are invalid and may be ignored.  The proposed regulations, however, state the opposite—specifically, the regulations require that when a consumer submits a request through a non-standard method, the business must either “[t]reat the request as if it had been submitted in accordance with the business’s designated manner, or . . .  [p]rovide the consumer with specific directions on how to submit the request or remedy any deficiencies with the request, if applicable.”²

Thus, in the case of a request submitted by Twitter, at a minimum the business would be required to provide the consumer who authored the tweet with information about how to submit a valid request.  It is also unclear as to the time period by which a business must respond to a non-standard request, since it is unclear whether a non-standard request, such as a Twitter request, meets the definition of a “request to know” or a “request to delete” under the regulations.³

For more information and resources about the CCPA visit http://www.CCPA-info.com. 

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, Section 1798.130(a)(1).

2. Proposed Regulation, 999.312(f).

3. Proposed Regulation 999.301(n)-(o).