Consumers will likely reach out to you with requests concerning their CCPA rights. Below is an explanation of what you should do with the tools that SimplePart has provided in order to promptly and accurately respond. Keep in mind that you will be required to respond to any request within 45 days, which can be extended with notice to the consumer for an additional 45 days if the request is sufficiently onerous.
You may receive requests in multiple ways. Consumers may walk into your business and make a request manually. They may also call you. Your site also features a Data Request Page with a form that consumers can access to fill out a request online. If you receive a request through the webform, you will receive an email to notify you of the request. If you receive a request through any other medium (walk-in or on the phone), we advise that you fill out the webform so that you have a record of the request. It’s important that you keep records of your requests to be compliant with the CCPA.
Consumers may contact you with requests to disclose the categories of personal information you collect about them, categories of sources that information comes from, categories of third parties that information is shared with and business purposes for collection. They may also request that you send them that data in a portable format.
How you can respond:
- Verify the identity of the requestor. The Attorney General advises that you confirm two pieces of information you already have on file match the information on the request. This can include:
- Name
- Phone number
- Shipping or billing address
- Access a PDF of the relevant information. You have access to a Control Panel Data Request report which allows you to manage consumer requests and respond to them. Once you have verified identity, you may download a PDF of the categories of information, as requested. Learn how to do this at “Accessing Consumer Information.”
- Send the requestor their information. Once you have the PDF, you can email (or mail, should they specify) the information to the requestor.
Consumers may also contact you with requests to know specific pieces of personal information that you collect about them and that this information be sent to them in a portable format.
How you can respond:
- Verify the identity of the requestor. Specific pieces of information carry more sensitivity than general categories, so the Attorney General recommends that you use three pieces of information that you already have on file matched with the information on the request. This can include:
- Name
- Phone number
- Shipping or billing address
- In addition, the Attorney General advises that you collect a signed statement from the requestor that they are who they say they are, under penalty of perjury. You will need to maintain records of these statements. It is recommended that you consult your legal counsel for the text of this statement as it is a binding legal document.
- Access a PDF of the relevant information. Access the Control Panel Data Request report in your Control Panel. Once you have verified identity, you can download a PDF of their personal information. Learn how to do this at “Accessing Consumer Information.”
- Send the requestor their information. Email or mail the requestor their information as instructed. Remember there is a 45-day timeline for responding to requests.
Consumers may make requests for you to delete information that you collect about them. It is SimplePart’s policy to reject these requests as CCPA does provide for exceptions if the information is necessary for business purposes, including:
- Completion of a transaction
- Fraud prevention/security
- Debugging
- Exercise of Constitutional rights
- Compliance with extant California or Federal law
- Engagement in public interest research, provided informed consent
- Internal use
SimplePart uses the information collected from consumers in order to help you fulfill orders and to prevent fraud. As a result, if on the Data Request Page a consumer requests to delete his information, SimplePart automatically sends him an email explaining our deletion policy.
Please note that you will need to check your other service providers’ deletion policies and follow any processes they have defined to complete the consumer’s deletion request.
The last sort of request that consumers may make under the CCPA is opting out of the sale of their personal information. SimplePart does not sell consumers’ information for any reason. As a result, if on the Data Request Page a consumer requests to opt out of the sale of his information, SimplePart automatically sends him an email explaining our opt-out policy.
If your business does not sell consumers’ personal information for money or other valuable consideration, then this part of the regulation does not apply to you. If you get a request to opt out and you do not sell personal information, then you may inform the requestor of that fact.
If you have determined that you do sell personal information to third parties, then you will need to consult your legal counsel on how to proceed. SimplePart can assist you with implementing a “Do not sell” link on your site should this be the case.
Right to know
The only instance in which you should deny a request to know is if you feel as though you cannot confidently verify the identity of a requestor. Otherwise, CCPA entitles them to the disclosure of their personal information without exception. If you do feel as though you cannot assure that a request is not fraudulent, consider responding to the request with something like this:
Hello, we have received your request to disclose our records of your personal information to you, per rights granted to California consumers under the California Consumer Privacy Act (CCPA). Unfortunately, we cannot verify your identity confidently with the information you supplied when you submitted the request. Please consider resubmitting with different verification information or contact us directly at (phone number) or (email address). If you have questions about our policies on the matter, please consult our Privacy Policy (link).
We apologize for any inconvenience and you can rest assured that your data is secure and that we will not use it for any reason other than those explained in our Privacy Policy.
TIP: Remember from “How to Respond to Data Requests” that requests to know specific information carry a higher bar for identity verification than requests to know categories of information, including 3 data points and a signed statement. It’s important to consider the nature of the request when determining if the information provided is sufficient.
Right to delete
As covered in “How to Respond to Deletion Requests,” there are significant exceptions to the requirement to delete personal information at a consumer request. A business may deny a deletion request if they need to maintain the information for the following business purposes:
- Completion of a transaction
- Fraud prevention/security
- Debugging
- Exercise of Constitutional rights
- Compliance with extant California or Federal law
- Engagement in public interest research, provided informed consent
- Internal use
As a rule, SimplePart will reject any request to delete information that we have on file, principally because of order fulfillment and fraud prevention.
If you believe that your business needs to maintain consumer information on file for these purposes, you can reject a consumer request to delete. However, it’s important that you respond to the request with an explanation of the denial along the lines of the following.
Hello, we received your request to delete personal information that we have about you, per rights granted to California consumers under the California Consumer Privacy Act (CCPA). Unfortunately, we cannot honor your request to delete this information as we and our service providers require it for legitimate business purposes provided for under CCPA, which you can learn more about here (link to privacy policy). If you have any questions or concerns about this, please contact us at (phone number) or (email).
We apologize for any inconvenience and you can rest assured that your data is secure and that we will not use it for any reason other than those explained in our Privacy Policy.
Right to Opt Out
If a consumer sends you an opt-out request, you only need to comply if you sell consumer data to third parties for valuable consideration. SimplePart does not do this, so it will be our policy not to honor opt-out requests. If you do not sell consumer information, you may send the consumer an email detailing this fact in a way similar to the following:
Hello, we received your request opt-out of the sale of personal information that we have about you, per rights granted to California consumers under the California Consumer Privacy Act (CCPA). Unfortunately, we cannot honor your request as we and our service providers do not sell your personal information to third parties for money or other valuable consideration. If you wish to learn more about this fact, please consult our privacy policy (link). If you have any questions or concerns, please contact us at (phone number) or (email).
We apologize for any inconvenience and you can rest assured that your data is secure and that we will not use it for any reason other than those explained in our Privacy Policy.
If you have any questions or need any support with this information, please contact our support team via email at support@simplepart.com or 1-888-843-0425.
Record Keeping
The CCPA has certain recordkeeping requirements regarding requests and responses. Specifically, your business will need to maintain a record for two years of:
- Date of request
- Name of consumer
- Request type (Categories/Personal information/Deletion/Opt-out)
- Action taken
- Date of response
We are providing you with a Control Panel report that you can use to view these records as regards requests involving data SimplePart maintains. You can view it here.
