CYBER RISK & LAW


CCPA Landmine No 3


Keep Track of Requests Received and Responses

The law requires you to keep detailed records of the requests that come in and your efforts to address them. That seems easy enough: just set up a system and follow it. But the proposed regulations accompanying the law require you to collect and maintain additional materials, in categories that are buried throughout the guidelines. For instance, it is imperative to keep records relating to:

- Data obtained from a third party. You must reach out to consumers for consent or obtain and keep attestations from the source of the data stating that it complied with the law in collecting the data.

- Your responses to non-conforming requests. You can’t just say “no” to the request and leave it at that. If you receive a non-conforming request, you need to direct the requestor on the requesting process.

- Financial incentives or differing levels of goods or services. You will need to explain and document how the practices are not discriminatory.

- Denials to requests. They must be accompanied by explanations for the denial.

- An inability to verify a request to delete. A failure to verify must be followed by notice to the requestor of the finding, and you must treat the request as a request to opt out of sale.

- User-enabled privacy controls, such as browser plug-ins or privacy settings, treated as valid requests to opt out of sale.

- Third parties to whom data has been sold.

- Parental affirmance on behalf of minors.
