1. Insights /

Insights

If a consumer sends a request for deletion or a request for access via Twitter or other social media, does a business have to respond?

If a consumer sends a request for deletion or a request for access via Twitter or other social media, does a business have to respond?

Apr 06, 2020
Download PDFDownload PDF
Print
Share

Yes, if currently pending regulations are made final.

As an initial matter, the statutory text of the CCPA is somewhat unclear regarding a business’s obligations when it receives a request for access or a request for deletion in a non-standard format. The statute provides only that a business must “[m]ake available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.”1

Taken alone, the provision states that businesses may direct consumers to a finite number of “designated methods,” with the implication that requests submitted through non-designated methods are invalid and may be ignored.  The proposed regulations, however, state the opposite—specifically, the regulations require that when a consumer submits a request through a non-standard method, the business must either “[t]reat the request as if it had been submitted in accordance with the business’s designated manner, or . . .  [p]rovide the consumer with specific directions on how to submit the request or remedy any deficiencies with the request, if applicable.”2

Thus, in the case of a request submitted by Twitter, at a minimum the business would be required to provide the consumer who authored the tweet with information about how to submit a valid request.  It is also unclear as to the time period by which a business must respond to a non-standard request, since it is unclear whether a non-standard request, such as a Twitter request, meets the definition of a “request to know” or a “request to delete” under the regulations.3

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide.

1. CCPA, Section 1798.130(a)(1).

2. Proposed Regulation, 999.312(f).

3. Proposed Regulation 999.301(n)-(o).

Related Practice Areas

  • Data Privacy & Security

  • California Consumer Privacy Act

  • Retail & Consumer Products

Meet The Team

Christian M. Auty

Christian M. Auty

Chicago

+1 312 602 5144

Meet The Team

Meet The Team

Christian M. Auty

Christian M. Auty

Chicago

+1 312 602 5144

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.