The Tip of the Night for December 31, 2019, discussed the California Consumer Privacy Act (CCPA) which became effective in 2020. Under the CCPA consumers must be informed when their data is used for ends that are different then those specified in the original disclosure notice. See, Cal. Civ. Code § 1798.140,"If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. "
The CCPA also sets a specific deadline for businesses to respond to requests from individuals for their personal data that the business have collected. See, Cal. Civ. Code § 1798.130(a)(1)(2), "Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business’ duty to disclose and deliver the information within 45 days of receipt of the consumer’s request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. " A business has to set up a process for individuals to submit Data Subject Access Requests (DSARs),
The regulations for the CCPA set sets specific retention requirements for DSARs. Records of DSARs must be kept for two years, and a log should be prepared showing the date and subject of the request and response, and the basis for denying a request, if it is actually denied. See, 11 CCR § 999.317.