How to Respond to Data Subject Access Requests Under the CCPA and GDPR

If you’re looking to build out your GDPR compliance and response process, you’re not alone. Since the landmark European privacy law went into effect last year, it’s occupied a special place in many legal professionals' minds. Well, special might not be the right word. Vexing, perhaps. Maybe even terrifying. That’s because the GDPR creates a right for data subjects to access their data, free of charge, and to request its correction or deletion. And it imposes potentially massive penalties for noncompliance, just in case you weren’t thinking of taking it seriously.

The GDPR isn’t the only new regime around data privacy, however, nor is it the only one that allows individuals to request the personal data businesses have collected.

Over here in the Greatest Nation on Earth (cue eagles soaring), California has taken the lead in creating new, broad consumer privacy rights that impose significant data disclosure obligations as well. (Cue surfboards, palm trees, and a looming risk of litigation.)

The ability for individuals to access the personal data that organizations collect about them is a central feature of each law. In requiring organizations to hand over consumer data to the consumer, both the GDPR and the new California Consumer Privacy Act (CCPA) create significant obligations with regard to collecting, reviewing, and producing data.

That’s a process readers of this blog might find quite familiar, as it mirrors many discovery processes. As such, data subject access requests can benefit from the tools and approaches perfected in the discovery sphere.

So, what do such requests require and how are they done?

The Expanding Consumer Data Privacy Regime: GDPR and the CCPA

The California Consumer Privacy Act has been called the GDPR for the U.S. of A. That’s true in some respects. Both laws establish broad privacy protections and both allow “data subjects” (for the GDPR) or “consumers” (for the CCPA, defined as any California resident) to access the data collected about them.

Both contain significant penalties for noncompliance, with GDPR fines reaching up to €20 million or 4 percent of an organization’s worldwide annual revenue from the preceding fiscal year, whichever is greater. CCPA violations, in turn, can cost up to $7,500 per violation. The CCPA also contains a private right of action that is a class action attorney’s dream.

Though while the GDPR is currently in effect, Californians and organizations doing business in California have a bit more time to prepare for their new law. The CCPA goes into effect at the stroke of midnight on January 1, 2020, with enforcement actions following six months later.

The California Consumer Privacy Act: The Basics

The CCPA applies to any business that operates in California and meets any of the following thresholds:

• Has annual gross revenues in excess of $25 million;
• Buys, sells, or shares the personal information of 50,000 or more consumers, households, or devices
• Derives half or more of its annual revenues from selling consumer information

In addition, the CCPA also covers entities that control or are controlled by a covered business or share common branding (think trademarks, names, etc.,) with a covered business.

The CCPA grants consumers significant rights when it comes to understanding, requesting, collecting, and protecting their personal information. These rights, enumerated in Section 2 of the Act, include:

1. The right of Californians to know what personal information is being collected about them.
2. The right of Californians to know whether their personal information is sold or disclosed and to whom.
3. The right of Californians to say no to the sale of personal information.
4. The right of Californians to access their personal information.
5. The right of Californians to equal service and price, even if they exercise their privacy rights.

It’s that fourth provision that we’re concerned with today, as it grants consumers the right to request information from businesses. That information must be made available, free of charge, within 45 days (with extensions possible), and in a form that is “in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.”

It’s worth noting, too, that the CCPA defines “personal information” broadly, as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

These include the usual suspects like names, Social Security numbers, and email addresses, but also data that might not be so obvious, such as biometric information, browsing history, and geolocation data.

If that information is not linked to a specific individual, that does not mean the CCPA is not implicated; the law is broad enough to encompass data collected at the household and device level as well.

Examples of personal information protected by the CPPA:

• Real name
• Alias
• Postal address
• Unique personal identifier
• Online identifier Internet Protocol address
• Email address
• Account name
• Social Security number
• Driver’s license number
• Passport number
• Personal property, products or services purchased
• Purchasing history
• Consuming histories or tendencies
• Biometric information
• Internet or other electronic network activity information
• Browsing history
• Search history
• Geolocation data
• Professional or employment-related information

GDPR: What You Need to Know

If the CCPA is new, legal professionals might be more familiar with the GDPR. GDPR, which stands for General Data Protection Regulation, regulates the collection, storage, and usage of personal data of EU citizens.

Under the GDPR, organizations handling personal data are broken into two groups: data controllers, who control personal data and make decisions regarding how it is used, and data processors, companies that process the data as directed by another company.

Though the GDPR is a regulation of the European Union, its reach extends beyond the limits of the EU. Under the GDPR, businesses that process the personal data of EU citizens must comply with the law, regardless of the company’s location or the location of the data processing. If you are an EU-based business storing and processing data outside of the EU, for example, or a Canadian-based organization doing business with EU residents, the GDPR may apply.

Under the GDPR, data subjects— those whose personal information is collected, held, or processed—have a right to access the personal data collected about them, free of charge.

The mechanism for obtaining that information is through “data subject access requests,” or DSARs.

Data Subject Access Requests: Best Practices

Start With Understanding the Data in Your Possession

When collecting and using information relating to data subjects or consumers (anyone really), you’ll need a clear understanding of that data—where it is, what it contains, etc. Answering the “Five W’s and How” and mapping your results can help you establish that understanding as well as help ensure that you are properly informing data subjects and obtaining proper consent.

• Who: With whom do you share the data?
• What: What data do you collect?
• When: When is the data deleted? Are there applicable retention periods?
• Where: Where will the data be transferred and stored?
• Why: Why do you need this data?
• How: How will you use the data?

Plan Your Request Process: Accepting and Verifying Requests

When a data subject or consumer wants to exercise their right to access, how will they do so? Under the CCPA, covered businesses are required to create two designated methods for submitting disclosure requests, including, at minimum, a toll-free number and web site address.

Under the GDPR, data subjects may make a request by nearly any means—whether by letter, email, or even verbally. Organizations with a preferred submission method should make that apparent in their documentation, providing individuals clear directions on how to submit access requests.

Only verified requests have to be completed, however, under both the GDPR and CCPA. Thus, organizations will want to establish a process for verification. The CCPA allows the Attorney General to create rules “to govern a business’s determination that a request for information received by a consumer is a verifiable request”—a rulemaking process that is just beginning. But the GDPR offers some important lessons, whether you’re acting under the European regime or the Golden State’s:

• Don’t make it too hard to obtain data. Unreasonable and disproportionate requirements are forbidden and may result in fines.
• Minimize additional data collection. If further information is needed to verify a request, that information should be limited to the least amount of information necessary and relevant given the context.
• Rely on existing authentication credentials. If you employed identification requirements when collecting data, such as a dedicated user name, those would likely be sufficient to verify the identity of a DSAR requester.

Make Sure You Are Disclosing Required Information

Both the GDPR and CCPA require disclosure of certain information in response to an access request.

Under the CCPA, that can include:

• The categories and specific pieces of personal information collected
• Sources from which personal information is collected
• Purposes for collection
• Third parties with which the data is shared
• The business’s personal information collection practices

Information, in addition to personal data, that needs to be disclosed under the GDPR includes:

• Purposes of the data processing
• Categories of personal data
• Recipients to whom that data has been disclosed
• Period for which data will be stored
• Source of the data, if not the data subject
• Additional information about a data subject's rights, such as the right to have data corrected or erased, to place restrictions on its processing, or to lodge a complaint

Institute an Effective Process for Reviewing Data

Organizations subject to the GDPR and CCPA will need clear internal policies and procedures for responding to access requests. Those policies should include who is responsible for collecting the data, reviewing it, removing information that is not subject to disclosure, fulfilling the request and delivering the information, and, finally, documenting the organization’s process.

As with the discovery process in litigation, reviewing data in response to DSARs can be an incredible burden without an efficient approach and the proper tools. But as with discovery, the right technology can help transform a slow, costly process into something much more efficient.

Without simple, efficient tools and processes, teams may default to manual review of documents when responding to DSAR requests, especially when processes are new or not completely fleshed out. Or they may outsource the work to third-party vendors.

Both are bad choices—incredibly slow in the first case, incredibly expensive in the second. In one recent subject access request case, brought under the United Kingdom’s Data Protection Act, the process of reviewing 500,000 emails was estimated to cost £116,116, or just under $150,000—a large bill to foot for a single SAR and a striking illustration of the costs that can arise under inefficient processes.

Instead of relying on slow, expensive approaches, teams can turn to the same software that is used to accelerate the discovery process.

With cloud-based discovery software, for example, the time from project initiation to document review can be reduced to a matter of minutes, rather than hours or days. Data can be collected and uploaded via simple drag and drop, launching automated processing the covers more than 3,000 steps in minutes. That includes everything from OCRing to make files searchable, to metadata extraction to expose valuable information, to deduplication, in which copies of files are automatically removed from the review set in order to eliminate redundant efforts.

Once loaded, that data can be quickly filtered by metadata, keywords, date ranges, etc. DSAR teams can narrow documents by file type, sender, recipient, date range, and more. Extraneous information can be “culled,” or excluded, from the data set, and documents quickly redacted of any information that should not be disclosed.

In many cases, effective search and culling can eliminate the need to review more than 95 percent of a data corpus, drastically reducing the burden associated with fulfilling DSARs.

Once that data has been reviewed, culled, and is ready to distribute, it can be produced via a secure, access-controlled link for the subject to review. Having quick, secure access is a benefit for the requester, but also carries the additional advantage of creating a built-in audit trail showing the request’s fulfillment and completion.

Consider Expanding Access Beyond the Requirements of the CCPA and GDPR

It goes without saying that the rights created by the GDPR and CCPA are not global. But for some organizations, it might make sense to open their data access process to all consumers and data subjects, regardless of whether they have a legal right to the data. Many international companies, for example, have opened the data access process to all comers.

Organizations building out their DSAR process would want to consider who will have access to those services, balancing the goodwill that could be engendered by a transparent approach with the potential extra workload that could require.

Whatever approach you take, you’ll want to make sure you have the proper policies, processes, and tools in place so that providing access to data is secure, defensible, consistent, and, perhaps most importantly, as unburdensome as possible.

‍