DSARs requirements in CCPA vs. GDPR

Under the stipulations laid down by the CCPA and GDPR, businesses must fulfill DSARs (data subject access requests) from 2020 onwards. Unfortunately, a survey revealed that 56 percent of companies would fail to meet CCPA requirements by 2020. Companies operating under both privacy laws should be aware of the differences between the EU's General Data Protection Regulation and the more recent California Consumer Privacy Act when it comes to key DSAR obligations.

It is essential for businesses to understand the preliminary issues that are common to the various DSAR types:

Need for Identity Verification

According to GDPR

As per Recital 64, the controller should use all reasonable measures to verify the identity of a data subject who submits a request for access. This is especially true for online identifiers and online services. At the same time, verification must not involve collecting more sensitive information than the request itself calls for, and the verification procedure must not be unnecessarily time-consuming or burdensome.

According to CCPA

The California Consumer Privacy Act has tasked the Attorney General with drafting procedures and rules governing whether a particular request is a valid consumer request. These regulations are to be issued in a first draft. Ideally, a request submitted through a password-protected account that the consumer maintains with the business will be treated as a bona fide request.

Right of a Third Party to Exercise Authorization

According to GDPR

The Information Commissioner's Office has published guidance stating that the General Data Protection Regulation does not prevent a person from making a subject access request through a third party. It is the third party's responsibility to establish that they have the authority to act on behalf of the data subject. The details may even be sent directly to the data subject if there is doubt that he or she understands what information the third party enlisted for the task will access.

According to CCPA

The new data protection rules allow a natural person, or a person registered with the Secretary of State, to be authorized by the consumer to act on their behalf.

Time frame for Compliance with DSAR Request

According to GDPR

The Information Commissioner's Office has set the time limit for compliance at one calendar month or sooner. If the request is complex, however, an extension of two months can be granted to the organization.

According to CCPA

The CCPA makes it clear that DSAR requests must be responded to within 45 days. In some cases, an extension of up to 90 days is permitted.

Requirements for Right to Access

According to GDPR

The GDPR requires the following information to be provided in response to a data subject access request:

  • Confirmation of whether any processing of the data took place
  • Categories of personal data that were processed
  • Recipients of the disclosed information
  • Data retention period
  • Right to erasure or rectification, and to restrict or object to processing
  • Right to lodge a complaint with a supervisory authority
  • Source of any information not obtained from the data subject
  • Copy of the processed data
  • Meaningful details regarding automated decision-making
  • Safeguards in place for data transfers between two or more countries

According to CCPA

The business must disclose all information relating to:

  • Categories of personal information gathered
  • Types of personal information sold
  • Categories of sources
  • Categories of third parties with whom the organization shares personal data
  • Categories of third parties to whom private data was sold
  • Categories of personal information for every third party
  • Particular pieces of information collected by the business
  • Commercial or business purposes for gathering or selling the data

Right to Data Portability

The following requirements need to be fulfilled:

According to GDPR

The right covers personal data the data subject provided to the controller where the processing is based on either a contract or consent and is carried out by automated means.

According to CCPA

Under the CCPA, every response to a right-to-access request must be provided electronically.

Format of DSAR

According to GDPR

Data must be provided in a structured, commonly used, machine-readable format.

According to CCPA

All data should be in a portable format.

Transfer to Third Parties

According to GDPR

Controllers must not hinder the transfer of data. Where technically feasible, the data subject has the right to have the personal data transmitted directly to another controller.

According to CCPA

The transfer is permitted to the extent technically feasible, provided the data is available in a readily usable format that the consumer can transmit to a different entity without difficulty.

Right to Deletion

The following information needs to be deleted:

According to GDPR

Personal data that falls under one of the six grounds for erasure and is not covered by one of the five exemptions must be removed.

According to CCPA

Personal information that is covered by the law and not subject to an exemption must be removed.

General Qualifications and Exemptions on Exclusion and Inclusion of DSARs

According to GDPR

All data subject access requests are restricted to personal data. Furthermore, the right to erasure applies only to personal data:

  • That is no longer required for the purpose for which it was collected or processed
  • For which consent has been withdrawn, so that processing is no longer covered by consent
  • That is the subject of an objection under Article 21(1)
  • That has been unlawfully processed
  • That was collected in relation to the offer of information society services under Article 8(1)

Exemptions apply if the processing is required for:

  • Exercising the right to freedom of expression and information
  • Public interest in the area of public health
  • Compliance with a legal obligation
  • Establishment, exercise, or defense of legal claims
  • Archiving purposes in the public interest, and scientific or historical research

According to CCPA

All requests made under the CCPA are limited to personal information. The law does not cover information already governed by sector-specific statutes, such as GLB Act information or HIPAA information.

Exemptions that permit a business to reject a deletion request include:

  • Debugging
  • Exercise of free speech
  • Security purposes
  • Completion of a transaction
  • Compliance with the CCPA
  • Solely internal uses
  • Specific internal, lawful uses
  • Compliance with a legal obligation
  • Certain statistical, scientific, or historical research in the public interest

Concluding Remarks

The fundamental difference between the GDPR and the CCPA is their coverage area. The first protects individuals inside the EU, while the latter protects consumers who are California residents, including households. Although the two share some common ground, each seeks to protect the interests of data subjects to the full extent of its law.
