
The original source of the Nightmare Letter was created by Constantine Karbaliotis, Counsel at nNovation LLP, in 2018 and published on LinkedIn in relation to the GDPR.
With CPRA coming into effect on January 1, 2023, time is running out for organizations to comply with its requirements. The California Attorney General's office has made it clear that it intends to enforce the provisions of both CCPA and CPRA, with its recent settlement with Sephora being just one example. Organizations will no longer have the fallback of 30 days to remedy a violation; the CPRA eliminates the 30-day cure period originally permitted under the California Consumer Privacy Act. One of the requirements that will be difficult for many organizations to comply with is data subject access requests.
A key feature of privacy regulations like the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the EU’s General Data Protection Regulation (GDPR) is that they grant individuals rights over their personal information. Individuals can see what personal information of theirs is stored by a given organization. These requests, known as Data Subject Access Requests (DSARs), require an organization with data on an individual to produce that information and allow for remediation (correction, deletion, archiving, etc.).
Under California regulations, DSARs must be fulfilled within 45 days. (Companies may request an additional 45 days if necessary.) The individual the data concerns is known as the “data subject.” Unfortunately, companies don't organize their data based on who the subject is. That data is likely scattered across different systems, databases, and corporate divisions. Given this distribution and all of the moving parts required—technology, manpower, and workflow processes, to name a few—fulfilling these requests can be very challenging.
The short answer is "not really." Exterro recently conducted a survey of privacy compliance preparedness with a focus on DSARs. The results showed that, unfortunately, most organizations seem woefully underprepared to respond to DSARs of any sort:
Despite the lack of preparation, survey respondents are strangely confident in their ability to manage DSARs. Almost half feel that they can respond to both consumer and employee DSARs with “moderate” or “small” effort, perhaps unaware of the amount of commingled personally identifiable information (PII) stored in many employee data systems. With the California exception for employee DSARs set to expire as CPRA comes into effect, we won’t have to wait long to see if this confidence is misplaced.
Imagine working in privacy compliance and receiving a letter that starts like this on January 3, 2023:
Dear Sir/Madam:
I am writing to you in your capacity as <privacy officer> for your company. I am a customer of yours and in light of recent events, I am making this request for access to personal information pursuant to the following laws:
I am including a copy of the documentation necessary to verify my identity. If you require further information, please contact me at my address above. I would like you to be aware at the outset that I anticipate a reply to my request within 45 days as required under § 1798.130, failing which I will be forwarding my inquiry with a letter of complaint to the California Attorney General and the California Privacy Protection Agency.
Please confirm to me whether or not my personal information has been collected, sold, or disclosed over the past 12 months. If so, please disclose:
Please provide me with a detailed accounting of the business or commercial purposes for which you are collecting or selling my personal information, how long you store my personal information, and if retention is based upon the category of personal information, please identify how long each category is retained.
And on and on the letter goes. Maybe you're not feeling so confident anymore. But all is not lost. With the cost of manually fulfilling a single DSAR estimated at $1,500 by Gartner, organizations with a significant customer or employee footprint in California can easily justify investing in technology to automate the process—from initial request through fulfillment.