Data Portability for CCPA DSAR Access Responses
The California Consumer Privacy Act (CCPA) provides for data portability for consumers accessing their personal information in certain circumstances. This consumer privacy right is currently scheduled to go into effect on January 1, 2020, along with the other data subject access rights (DSARs) provided by the California legislature in the CCPA. Enforcement of this provision begins six months after the California Attorney General issues the final regulation, or on July 1, 2020, whichever is sooner.
The relevant text of the CCPA for data portability is contained in Section 1798.100(d):
“A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.”
If a consumer requests their information under the right to access and it is delivered electronically, the business must provide it in a portable format that, if technically feasible, is readily useable, so that the consumer can transmit the information to another entity.
The section is further clarified by Section 1798.130(a)(2) which says in relevant part:
“The disclosure shall cover the 12-month period preceding the business’s receipt of the verifiable consumer request and shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance.”
Technically Feasible and Readily Useable – There is currently no guidance in the California privacy law on what is to be considered “technically feasible” or “readily useable”. Organizations may wish to look to Article 20 of the GDPR, along with interpretations of it, for guidance on this section. Article 20 provides for the data to be in a “structured, commonly used and machine-readable format” and also provides for direct transmissions from one controller to another upon request “where technically feasible.” Organizations should also closely review the California Attorney General’s final regulations, when issued, for any mentions of this language and of data portability in general.
Data Portability and Mailing – There may be some conflict between sections 1798.100 and 1798.130 on when the information may be mailed and whether that information must be portable. Section 1798.100 suggests that the information only needs to be portable if it is electronic. However, Section 1798.130 suggests that individuals who do not hold an account may choose to have their information mailed and that information must meet the portable format requirement. For the moment, organizations need to be prepared to deliver portable information both electronically and, for at least some individuals, by mail.