BusinessPrivacy LawUncategorizedPrivacy Data Requests: Do you have a plan?

by Eric D. Morton

More new privacy laws are being enacted.  Virginia recently enacted the Consumer Data Protection Act which will take effect on January 1, 2023.  Colorado passed its Colorado Privacy Act which is take effect on July 1, 2023.  The California Consumer Privacy Act is already in effect.  The European Union’s General Data Protection Regulation (“GDPR”) governs data protection for citizens of EU countries.  The United Kingdom has its Data Protection Act of 2018 which parallels GDPR.

All of these laws have similarities, including the right of an individual to contact a company subject to these laws and request information or action regarding the individual’s personal information or data held by that company. The rights generally include the right to know, access and confirm, deletion, opt-out of sale (defined as the exchange of personal data for monetary consideration), opt-out of processing for targeted advertising, opt-out of profiling, nondiscrimination, data portability, and correction.

A company subject to these laws must respond to a consumer request within 30 to 45 days. We recommend that companies have a plan in place to deal with such requests. Below is a list of steps for responding to a consumer data request. This is not a plan but a guide of tasks to take. Each company must develop a plan specific to it.

Planning

1. Where is the data? The first order of business is to determine what data the company stores and where is it stored.  We discussed this in a previous article.  Where is your data?
2. Recognize the request.  A company must respond to a consumer request even if the request is not obviously a request on its face. Requests may cite the wrong law and/or be vague.  A company must respond anyway, if it falls under the jurisdiction of privacy laws that allow these requests.
3. Assign someone to the request.  An individual should be assigned to handle the request from start to finish. This person must be familiar with these requests and the company’s policies and protocols.
4. Clarify the request.  If the request is vague, clarify what the consumer desires.
5. Track all requests.  A company should have a log of all requests which includes dates, names, nature of the request, and resolution of the request.
6. Verify the identification of the consumer.  This is required by law and giving information to the wrong person is illegal and can subject a company to fines and legal action.  What is required to verify a request can vary depending on the consumer’s relationship with the company and the law. A log-in to an account might be sufficient, or photo identification might be needed.
7. Identify the data to be disclosed. Conduct reasonable and proportionate searches of paper documents and electronic filing systems in order to identify the personal data belonging to the individual. This may include client / employee files, email accounts and data held by data processors.  Personal data is broadly defined as information through which an individual can be identified.  This includes user names, email addresses, and initials. Information in documents must be disclosed although not necessarily the document itself.
8.  Identify exemptions.  Not all information must be disclosed. You are not required, and should not, disclose an individual’s personal data if this would adversely affect the rights of other individuals. This issue frequently arises with respect to mixed data such as email communications and meeting notes which are the personal data of the individual, as well as the others in the email chain or at the meeting. In determining whether to disclose this mixed data, consideration must be given to whether the third parties have consented to its disclosure or whether it is otherwise reasonable to disclose it.  There are other exceptions such as disclosure of trade secrets or confidential information, legally privileged information and others.
9. Securely disclose the data.  Produced data must be securely released to the consumer.  Sending data in an unencrypted email is illegal.  A company must have a way to transmit the data securely.
10. Complete documentation.  Ensure that the log is complete and there is a file with a record of the data released.

The above is an overview of steps to take.  Exactly how a company responds will depend on the laws to which it is subject, what data it stores, the relationship with the consumer, and other factors.  A professional can help formulate a plan and an attorney should be consulted if questions arise about the process or the data to be disclosed.

Eric D. Morton is the principal attorney at Clear Sky Law Group.  He can be reached at 760-722-6582, 510-556-0367, and emorton@clearskylaw.com.