Keypoint: The CPRA is relatively prescriptive in how organizations must receive and respond to consumer requests, while the CPA and VCDPA introduce an appeal process and other nuances that will require adjusting existing CCPA consumer response processes.

This is the tenth and final post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, this series has explored important distinctions between them. Following this series, we will continue to provide updates and insights into these and other state privacy laws, including following the CPRA and CPA rulemaking processes. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article we examine how each of the three state laws approaches consumer requests, including the types of requests consumers may submit, the methods organizations must employ to receive requests, and the timeframes in which to verify and respond to requests. The analysis below provides a high-level summary of the response frameworks under each law. It does not dive into statutory exceptions or how to substantively respond to requests.

The California Consumer Privacy Act (CCPA) and its regulations, as amended by the CPRA, are relatively prescriptive about how consumer requests must be processed. The CPA and VCDPA, by contrast, set parameters but leave the mechanics of processing consumer requests largely to the discretion of the organization. Unique to the CPA and VCDPA, however, is a mandatory appeals process, which must also inform or assist the consumer in contacting the state Attorney General if the consumer is dissatisfied with the result of the appeal.

California Privacy Rights Act (CPRA)

What rights do consumers have?

Under the CPRA, California residents have the right to request a business:

  1. delete any personal information the business has collected from the consumer;
  2. correct inaccurate personal information the business maintains about the consumer;
  3. disclose certain information concerning the personal information the business has collected about the consumer;
  4. disclose the specific pieces of personal information the business has collected about the consumer;
  5. disclose what personal information is disclosed for a business purpose, or sold or shared, and to whom;
  6. limit its use and disclosure of the consumer's sensitive personal information; and
  7. opt out of the sale or sharing of their personal information with third parties.

The CPRA also frames as a consumer right the prohibition on a business discriminating against a consumer because the consumer exercised any of the rights identified above. In addition, the California Privacy Protection Agency (CPPA) is required to issue "regulations governing access and opt-out rights with respect to businesses' use of automated decisionmaking technology, including profiling and requiring businesses' response to access requests to include meaningful information about the logic involved in those decisionmaking processes, as well as a description of the likely outcome of the process with respect to the consumer."

We analyzed the right to limit the use and disclosure of sensitive personal information in our fourth post in this ten-part series. Processing this type of request is nuanced and subject to further rulemaking by the CPPA. As such, the process summarized below does not account for the right to limit the use and disclosure of sensitive personal information.

What methods must be set up to receive consumer requests?

A business must provide at least two methods for submitting each type of request. Designated methods may include, but are not limited to, a toll-free number, a website link to a form, a designated email address, a form submitted in person or by mail, or acceptance of a global privacy control. In determining which methods to implement, the CCPA regulations require a business to "consider the methods by which it primarily interacts with consumers." If a consumer already has an account with a business, the business may require the consumer to submit the request through that account. Businesses are otherwise prohibited from requiring consumers to set up an account in order to submit a request.

Under the CCPA, for requests to know, one of the two designated methods must be a toll-free number. However, a business that "operates exclusively online and has a direct relationship" with the consumer is permitted to provide only one method of receiving requests to know, in the form of an email address. Further, if a business maintains an internet website, it must permit consumers to submit requests to know via the website. The CPRA extends these requirements to the right to delete and the right to correct inaccurate information.

For deletion requests submitted online, the CCPA regulations permit a business to implement a two-step process in which the consumer first submits the request to delete and then separately confirms that they want their personal information deleted.

For requests to opt out of the sale of personal information, the CCPA regulations require that one of the designated methods be an interactive form accessible via a clear and conspicuous link titled "Do Not Sell My Personal Information" on the business's website or mobile application. The CPRA revises this link to read "Do Not Sell or Share My Personal Information." The link must appear on the business's homepage in addition to the other locations mentioned at the outset of this subsection.

Notably, per the CCPA regulations, "a business may present the consumer with the choice to opt-out of sale for certain uses of personal information as long as a global option to opt-out of the sale of all personal information is more prominently presented than the other choices."

The California Attorney General also requires businesses to honor global privacy signals as valid opt-out of sale requests. This will need to be reconciled with the CPRA, which gives businesses the option of recognizing an opt-out preference signal as a valid consumer request to opt out of the sale or sharing of personal information. See our prior post for more information on opt-out signals under the CPRA, VCDPA, and CPA.

The designated methods must be described in a business's online privacy policy and in any California-specific description of consumers' privacy rights, or if the business does not maintain those policies, on its internet website. If a consumer submits a request through a channel outside one of the designated methods, the business may either treat the request as if it had been submitted via one of the designated methods or provide the consumer with information on how to submit the request properly.

Is identity verification required?

Requests to know, delete, and correct must be verified. Requests to opt out of sales or sharing, and requests to limit the use and disclosure of sensitive personal information, do not require verification. However, per the CCPA regulations, a business may deny a request to opt out of sales if it "has a good-faith, reasonable, and documented belief that a request to opt-out is fraudulent," which suggests some level of review is permitted.

The CPRA defines a "verifiable consumer request" as one in which a business is able to verify, using "commercially reasonable methods" and pursuant to regulations adopted by the Attorney General, "that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer's behalf."

According to the CCPA regulations, a business must maintain and document a reasonable method of verification that allows it to verify the identity of the consumer to either a "reasonable degree of certainty," such as matching two data points provided by the consumer against personal information the business maintains, or a "reasonably high degree of certainty," which requires matching at least three data points and obtaining a signed declaration that the requestor is the consumer whose personal information is being requested. The higher standard should be used where the information is more sensitive, would cause greater harm if subjected to unauthorized access or deletion, or is the kind of information sought after by malicious actors. Any information a business collects for verification purposes may be used only for verification.

What is the deadline to substantively respond?

A business must substantively respond to a consumer request to know, delete, and/or correct inaccurate information within 45 days of receipt of the request. This period may be extended once by an additional 45 days (for a total of 90 days), provided the business notifies the consumer of the delay within the initial 45-day period. Notably, time spent determining whether the request is verifiable does not justify an extension.

Additionally, as set out in the CCPA regulations, within ten business days of receiving a request to know and/or delete, a business must provide confirmation of the request. The confirmation must describe in general the business's verification process and when the consumer should expect a response.

Per the CCPA regulations, requests to opt out of sales must be processed within 15 business days of receipt. The CPRA does not specify a period within which a business must comply with requests to opt out of sharing; however, the CPPA is tasked with promulgating regulations concerning this right.

How often may consumers submit requests?

For verified requests to know, a business need only comply with requests from the same consumer twice within a 12-month period. Each such request must cover the twelve months preceding the request. For data collected on or after January 1, 2022, businesses may be required to provide data beyond the 12-month lookback period unless doing so proves impossible or would involve a disproportionate effort, a standard expected to be clarified in the CPPA rulemaking process.

For the new right to correction, the CPRA instructs the Attorney General to develop additional regulations, including how often consumers may submit such requests.

Do consumers have a right to appeal?

There is no statutorily required appeal process. However, CPRA section 1798.145(h)(2) suggests that appeal processes are at the option of the business: "If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business." (emphasis added).

Virginia Consumer Data Protection Act (VCDPA)

What rights do consumers have?

Under the VCDPA, Virginia residents have the right to request a controller:

  1. confirm whether or not it is processing the consumer's personal data;
  2. provide a copy of the personal data the consumer previously provided to the controller;
  3. correct inaccuracies in the consumer's personal data;
  4. delete personal data provided by or obtained about the consumer; and
  5. opt out of the processing of their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Unlike the CPRA, under which the right to delete covers information collected from the consumer, Virginia residents' right to delete extends to all personal data maintained by the controller, though lawmakers passed HB 381 and SB 393, which provide an exemption to this right for personal data about a consumer collected from a third-party source. These bills are pending the governor's signature.

Virginia's right to opt out of sales is narrower than under the CPRA (and CPA) because the VCDPA defines "sale" as "the exchange of personal data for monetary consideration," excluding exchanges for other valuable consideration. Lastly, Virginia does not have a separate right concerning sensitive personal data like the CPRA's because the VCDPA requires consent before sensitive data may be processed at all.

As under the CPRA, though not framed as a consumer right, controllers are prohibited from discriminating against consumers for exercising any of these rights.

Notably, there is no acknowledgment (as found in the CPRA and CPA) of a consumer's right to have an authorized agent submit a request on their behalf.

What methods must be set up to receive consumer requests?

The VCDPA states that a "consumer may invoke the consumer rights authorized pursuant to this subsection at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke," and controllers are required to comply with any such authenticated consumer request. Controllers must identify in their privacy notice at least one method for consumers to exercise their rights. As with the CPRA, the designated method must take into account the ways in which consumers normally interact with the controller, and controllers are prohibited from requiring account creation to submit a request, though a controller may require a consumer to use an existing account.

Is identity verification required?

All consumer requests must be "authenticated," meaning the controller uses "reasonable means" to verify that the person making the request is the consumer whose personal data is at issue. Notably, and unlike the CPRA, this requirement extends to requests to opt out of sales and targeted advertising.

What is the deadline to substantively respond?

The VCDPA does not specify different compliance periods by request type. Rather, a controller has 45 days to respond to any type of consumer request. As under the CPRA, the controller may extend the period once by an additional 45 days where "reasonably necessary," provided it notifies the consumer within the original window and explains the reason for the extension. Unlike the CPRA, the VCDPA contains no explicit prohibition on using the 45-day extension to complete authentication.

How often may consumers submit requests?

The VCDPA states, "[i]nformation provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer." It is unclear whether this limitation applies only to requests to know/access or to all request types. The statute goes on to state, "[i]f requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request."

Do consumers have a right to appeal?

New under the VCDPA is an obligation for a controller to establish an appeal process for instances in which it refuses to take action on a consumer request. The appeal process must be conspicuously available and similar to the process for submitting a consumer request.

As to when an appeal must be initiated, the statute states only "within a reasonable period of time" after the consumer receives the controller's decision to refuse to act on the request. The controller must respond in writing within 60 days of receipt of an appeal, disclosing any action taken or not taken in response to the appeal and a written explanation of the reasons for the decision. Additionally, if the controller denies the appeal, it must provide the consumer with a method (online or otherwise) to submit a complaint to the Attorney General.

Colorado Privacy Act (CPA)

What rights do consumers have?

The rights provided to Colorado residents under the CPA are similar to those under the VCDPA.

What methods must be set up to receive consumer requests?

The CPA requires that consumers submit requests via the controller's designated method(s) as set out in the controller's privacy policy. The method for receiving requests to opt out of sales and/or targeted advertising must also be accessible in a location outside the privacy policy. Somewhat of a hallmark of the CPA, the Attorney General's Office is charged with developing the technical specifications of a universal opt-out mechanism, which will become a required method of receiving opt-out of sales and targeted advertising requests beginning July 1, 2024. We discuss this in more detail here.

The CPA does not otherwise specify the number of methods that controllers must provide. As with the other two laws, the designated method(s) must take into account the ways in which consumers normally interact with the controller, and controllers are prohibited from requiring account creation to submit a request, though a controller may require a consumer to use an existing account. The Colorado Attorney General's Office may issue regulations on this issue.

Is identity verification required?

As with the VCDPA, all requests must be authenticated, including requests to opt out of sales and targeted advertising.

What is the deadline to substantively respond?

The CPA tracks the VCDPA by requiring that all requests be processed within 45 days of receipt, with the option of one 45-day extension.

How often may consumers submit requests?

Under the CPA, a controller must provide the requested information free of charge in response to a consumer's first request in a twelve-month period. For each subsequent request in that twelve-month period, the controller may charge a fee, calculated under the rules for charges for documents produced under the Colorado Open Records Act. Other than the right to charge a fee, the CPA does not appear to permit a controller to deny multiple requests from the same consumer within a twelve-month period.

Do consumers have a right to appeal?

As with the VCDPA, the CPA requires controllers to set up an appeal process. Under the CPA, a controller must respond to an appeal within 45 days (compared to 60 days under the VCDPA), with the option to extend that period by an additional 60 days where "reasonably necessary," provided the controller notifies the consumer within the original period of the reason for the delay. Further, a controller must notify the consumer of the right to contact the Attorney General with any concerns about the result of the appeal (not only denials, as under the VCDPA). The CPA does not specify how that notice must be provided.

Consequences of the Variations

California has set the benchmark in the United States for processing consumer privacy requests. The CCPA and its regulations, as amended by the CPRA, are relatively prescriptive and remain subject to further clarification through the CPPA's rulemaking, which is currently underway. Given that the VCDPA and CPA provide only general parameters for processing consumer requests, organizations should look to California for best practices and pay close attention to the CPPA's rulemaking.

Organizations subject to all three laws may be able to implement a single consumer response process built on the most conservative requirement of each law: for example, providing two request methods, one of which is a toll-free telephone number; sending a confirmation response within 10 business days; deleting all information collected about a consumer in response to a deletion request; and providing an appeal process on a 45-day timeline. That said, organizations should be careful to account for the nuances between the laws. For example, verifying all request types as required under the VCDPA and CPA may run afoul of the CPRA, since requiring consumers to verify opt-out requests may be viewed as an unnecessary barrier to exercising that right.

While awaiting further rulemaking on this topic from the CPPA and the Colorado Attorney General's Office, organizations should complete their data inventory and records of processing to identify which rights they must provide, and begin to develop (or redefine) their consumer response process.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.