Understanding Consumer Rights/DSAR Compliance Recommendations and Solutions
The EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other privacy regulations seek to protect the personal data and privacy of consumers. These regulations significantly increase the requirements on businesses regarding how they address consumer rights/data subject access requests (DSAR) – for example, to access or delete personal information. Specifically these regulations define the types of consumer rights/DSARs that need to be addressed and the timeline and process that needs to be followed to fulfill the requests. For example, GDPR requires that DSARs be addressed within one month, CCPA within 45 days (with some exceptions and extensions permitted).
Sanctions for non-compliance can be significant. For example, under the CCPA, businesses can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation. The CCPA also provides a private right of action to California residents where their personal information is subject to unauthorized access, theft, or disclosure. Businesses would face paying between $100 to $750 per resident or incident, regardless of whether actual damages are shown.
Consumer Rights / DSAR Compliance
The privacy experts at TrustArce suggest you follow the below steps to support compliance with regulatory requirements around consumer rights requests/DSAR.
- Ensure understanding of what data you collect and process and where it resides.
- Establish a process to intake individual rights requests that is easy on the individual and ensure this process is well- communicated throughout the organization. A request may come in from many routes and the person receiving that request needs to understand that a request is being made. Individuals typically won’t understand or use the exact verbiage in the law.
- Validate the individual’s identity.
- Once the request is validated, have a process to review it, evaluate the data referenced, the reasons for processing the data and evaluate any exceptions.
- Have a response process.
- Put in place an appeals process for denied requests. Retain documentation throughout the process.
What are CCPA timelines for requests to know and delete?
The CCPA Regulations added a new requirement to confirm receipt within 10 days of receiving requests to know or to delete. Such confirmations may be automated, but must describe the business’s verification process and when the consumer should expect a response. The rules also clarify that responses to requests to know or to delete must be responded to within 45 days — beginning on the day that business receives the request, “regardless of time required to verify the request.” Moreover, where necessary, an additional 45 days may be taken to respond to a request — “for a maximum total of 90 days from the day the request is received” — if proper notice and explanation for the delay is provided.
What does the CCPA say about "Do Not Sell"?
The CCPA provides consumers with the right to direct a business that sells a consumer’s PI to other businesses or to third parties to stop selling that information. This “right to opt-out” must be further reinforced by a “Do Not Sell My Personal Information” link on a company’s webpage, and a 12-month requirement to honor a consumer’s opt-out decision (by no longer selling their PI and by not requesting them to opt back in for the year timeframe).
Individual Rights Manager, a module of the TrustArc Privacy Platform, can help your company comply with privacy regulations that have consumer rights / DSAR requirements. The solution enables consumers to easily submit DSARs and companies to efficiently manage, evaluate and resolve requests within required timelines. Integration with TrustArc Data Inventory Hub allows a company to easily locate an individual’s data within systems, which speeds up response times. In addition, companies can use the solution to maintain an audit trail that demonstrates accountability and regulatory compliance. TrustArc privacy consultants can also help you to develop your consumer rights/DSAR program and processes.