Hello, everyone, and welcome to lessen 3.3.
As we review everything there is to know about the right to access personal information under the California consumer privacy AC,
our learning goals and objectives for this lesson will be to review the scope of an access request. Really review what that means.
will identify the obligations that your business will incur once it receives an access request.
And then number three.
The steps were employer could take when they respond to an access request.
Okay, let's dive into it right now.
What is an access request?
We discussed in the last lesson that individuals under the CCP A. If they live in California,
they have the right to access both the categories of information of business keeps on them as well as the underlying pieces of information.
When we say categories, the CCP A does call out the specific categories.
You should identify for the consumer that these pieces of information are being kept about them.
You can add categories if you wish.
I would like to call out if I Meg items 567 and eight.
If you're collecting information that falls into those categories you definitely need to inform the consumer that this is the case. If, of course, the consumer is submitting the access request
underlying pieces of information.
Now you need to provide this information back to the individual free of charge, and it is recommended that you provide this information
either by mail or electronic Lee.
In my experience, I've seen that doing so. Elektronik Lee is the easiest way to do so.
It needs to be done, however, in a machine readable format.
The definition of machine readable format is obviously going to evolve over time, but make it in a manner in which the consumer can easily open the file and review their information.
Something to help you out here
If the request the consumer is submitting to your business is what the law calls manifestly excessive.
A business can actually charge a reasonable fee if they want to complete that access request.
They're also entitled to, Additionally,
refused to act on the request altogether, but notify they need to notify the consumer the reason for why they are refusing the request.
Please be careful. The business bears the burden of establishing that the request is excessive. So you need to inform them that the request is excessive, and later in time it's going to be a regulator that's going to look at you first to decide whether or not the request was excessive.
The consumer doesn't need to establish that
the business you needs to establish that
now access requests applied to all types of information and information, especially in the modern workplace, tends to sit in different areas within your organization.
I strongly recommend doing data mapping or data inventory exercises to specifically identify where within your company information tends to sit.
There are three general areas. Number one is on prem on your local drives.
Please keep an eye on local office drives. There could be drives in Pittsburgh that the local office uses. And if you have a large company with offices in multiple areas thin, the local drive that's in Tampa may very well not be connected to what's happening up in Pittsburgh. So
please keep an eye on that because in many ways drives are disconnected, especially if they're local ones.
I'll call out your cloud and third party vendors together here,
information that sits with your third party vendors, including and especially office 3 65 in Salesforce.
Those are the big ones I've noticed in my experience are within the scope of a consumer rights request.
So if an individual says hi, please tell me what kind of categories of information you have on me. Hello? Please tell me the underlying pieces of information you have on me
simply going into your local drive is not enough.
If you're saving information in the cloud or if you are using a third party vendor of sorts to maintain information, you need to approach those third party vendors as well. To understand what pieces of information for that specific consumer are sitting in those environments that is normally addressed in what is called a data processing agreement,
We will get to that in further modules, but you do need to be working with your cloud providers in your third party vendors because they are absolutely within the scope of the Consumer Rights Request.
We will discuss more of that in future lessons.
There are a couple additional miscellaneous items that I do need to review for you before we close out the subject.
Access requests apply up to 12 months from the date of receipt.
It's typically known as the 12 month look back, period.
So if someone approaches you in California and they say,
could you please tell me the information you have on me?
You do need to go back 12 months in time.
I am aware that archival processes sometime extend well beyond that, but the minimum is to be able to go back 12 months and identify what information was collected and that you still have on them within that period.
Individuals can also ask for the categories of personal information that your business has disclosed to third parties and why
now? You don't need to identify the specific third parties.
Let's play this out.
I, in the last slide used the example of Salesforce in office 3 65.
You don't need to specifically call out Microsoft and Salesforce,
but you do need to identify that information is sent to a third party to perform and then identify it as you wish
it could be email distribution services, whatever, depending upon the third party vendor, Whatever goal that that third party vendor is achieving for you,
you do need to identify again
the categories of third parties.
The third bullet here. Please don't forget to verify the identity of the consumer.
Ah, huge hot topic. Regrettably, right now is the idea of fraudulent consumer requests. Ah, lot of bad actors in the world are now using privacy, consumer rights, toe access, people's personal information.
So there should be within those 45 days, some sort of internal mechanism you are using to verify the identity of the person that is contacting you.
You're actually permitted under the law to request additional information to verify the identity. But please, please, please do not simply respond back to an access request without verifying the identity of the consumer.
If you do that and it's not actually the individual who's talking to you,
you're actually breaching, and that exposes you to a host of other problems. And I need not tell you, of course, that some of those would be legal.
Please keep an eye on making sure that you verify the identity of the consumer
in summary. In this lesson, we reviewed what an access request is again. It's the category of data as well as the underlying data sets. The pieces of information that sit within your organization.
We also reviewed where data personal information tends to sit within a company.
But again, you're going to need to figure this out for yourself.
If you don't know yet, this is the time to talk to stakeholders within your company.
I'll point out quickly. I t finance Legal Department
They all tend to save information in different places. So please be aware of that.
how to handle an access request?
Make sure Make sure make sure you verify the identity of the consumer.
Don't forget that there is a 12 month look back period
again. I know that archival periods can extend longer,
but it is under the CCP a 12 months and then also keep in eye on the categories of third parties to whom you send information to. And we will look at this further again in module eight.
Thank you very, very much. And I will see you in the next lesson.