Right of Access Under CCPA and GDPR

Global privacy regulations have given consumers a number of rights to ensure they have more control over their data. This control matters because an organization can store this data and use it for research, or even sell it to advertisers or data brokerages. The CCPA and GDPR classify consumers as “data subjects” and provide them with various data privacy rights, such as the right of access, the right to deletion, the right to opt out and several more.

Among these rights is a right called “right of access,” which allows data subjects to request access to all data an organization holds on them.

What Is Right of Access?

The right of access is the individual’s ability to request a copy of his/her personal information, as well as any supplementary information about how that information is being held and used by an organization. This gives consumers a clear picture of the type of information an organization holds on them and whether it is being used lawfully.

Personal information in this regard can include:

  • Real Name
  • Alias
  • Postal Address
  • A Unique Personal Identifier
  • Online Identifier
  • Internet Protocol Address
  • Email Address
  • Account Name
  • Social Security Number
  • Driver’s License Number
  • Passport Number

Supplementary data includes information on how the data is being stored, processed and safeguarded.

Right of Access Under the GDPR

Under Article 15 of the GDPR, a consumer can send an access request to an organization, and the organization is obligated to send back any and all information pertaining to the consumer, as well as other information related to the consumer’s personal information. Personal information under the GDPR can include a name, an identification number, location data and an online identifier. It can also include other factors that can be used to identify an individual.

Along with this data, consumers have the right to request supplementary data, which includes:

  • The purpose of processing.
  • Categories of personal data in concern.
  • Recipients that the personal data is disclosed to.
  • The retention period for personal data, or the criteria used to determine how long the data will be stored.
  • The consumer’s right to request rectification, erasure or restriction, or to object to such processing.
  • The right to lodge a complaint with the ICO or another supervisory authority.
  • Information about the source of the data, where it was not obtained directly from the individual.
  • The existence of automated decision-making.
  • Safeguards an organization provides if they transfer personal data to a third country or international organization.

Right of Access Under the CCPA

The CCPA requires businesses to accept a consumer’s request exercising the right of access to their personal information under article AB-375.

Businesses will have to implement a process by which they can verify that a request concerning the personal information they have collected was made by the consumer or by an authorized representative. The verification process must be in accordance with regulations adopted by the California Attorney General.

The CCPA defines personal information extensively, and organizations need to disclose to consumers which of this information they are collecting. Under the CCPA, personal information includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The following is a partial list of personal information specified by the law:

  • Identifiers such as real name, postal address, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  • Internet or electronic network activity information, which includes browsing history, search history, and information regarding a consumer’s interactions online.
  • Records of any personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Characteristics of protected classifications under California or federal law.
  • Professional or employment-related information.
  • Biometric information.
  • Geolocation data.
  • Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.
  • Audio, electronic, visual, thermal, olfactory or similar information.
  • Inferences drawn from any of the protected information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
  • Any categories of personal information described in subdivision (e) of Section 1798.80.

The CCPA provides an exception for information that is lawfully made available from federal, state or local government records, also known as publicly available information. However, such information is no longer considered publicly available if it is used for a purpose that is not compatible with the purpose for which the government record is maintained.

When consumers request access to their information from organizations falling under the CCPA, the organization is obligated to provide all the aforementioned information if it has stored it.

Key Takeaway

With privacy regulations giving so many rights to consumers, organizations will need to be on their toes to fulfill these data subject requests, making sure not to infringe any of these rights and to stay compliant with privacy regulations. Failure to do so can result in lawsuits and heavy fines, not to mention reputational damage to the business.

In the current state of the data privacy industry, most organizations use manual methods to fulfill these requests. This may suffice right now, but as more data is stored and data subject requests start flooding in, manual methods will not be able to cope with the volume, or at least will not be an efficient way to do so. Organizations are already facing a paradigm shift in personal data, and the volume only grows from here, with potentially zettabytes of data flowing into organizations. Organizations will need to recruit the assistance of automation to deal efficiently with data of this magnitude. After all, if the procedure of collecting, sorting and fulfilling data requests can be mostly automated, saving valuable business resources, why wouldn’t any business opt for it? This art of automation is called PrivacyOps, but that’s a topic for another day.

Anas Baig

With a passion for working on disruptive products, Anas Baig is currently a Product Lead at SECURITI.ai. He holds a Computer Science degree and did his Bachelor of Science at Iqra University. His interests include Information Security, Networking, Privacy, and Data Protection.