If you’ve been following our CCPA California blog posts, you should know that this new data privacy law grants data subjects, i.e. Californian residents, some new types of consumer privacy rights. It includes the right of consumers to know the kind of personal information that businesses have about them, request for copies or modification of such data, as well as the right to request the deletion of such data. The latter is referred to as Data Subject Access Requests (DSARs). The CCPA California came on the heels of the GDPR – an expansive body of data privacy laws that applies in the EU.
Necessary things to know regarding DSARs under the CCPA California
Identity Verification
To protect private data falling into the wrong hands, the CCPA California obliges the State AG to establish modalities with which businesses would use in verifying consumer identities after DSARs.
DSARs Submission by Third Parties
In a bid to make DSARs easier, the CCPA empowers natural persons i.e. human beings as distinguished from artificial persons such as companies, or a person registered with the Secretary of state, to submit DSARs on behalf of another person, so long as he is authorized by the consumer in question.
DSARs Compliance Period
Businesses are required under the CCPA California to honor DSARs within 45 days of receipt. Where necessary, however, a request for an extension of 90days can be made to the consumer
Categories of Disclosures that DSARs Cover
Below are the categories of private data that DSARs can cover:
(1) categories of personal information collected or sold;
(2) categories of sources;
(3) business or commercial purposes for collecting or selling the information;
(4) categories of third parties with whom the business shares personal information; and
(5) specific pieces of information collected.