MANAGING CONSUMER

PRIVACY REQUESTS
2020

Internal Audit, Risk, Business & Technology Consulting

TABLE OF CONTENTS

CCPA Consumer Request Requirements 3

CCPA Definition of Personal Information 7

Consumer Request Workflow 11

© 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
2 offer attestation services. All registered trademarks are the property of their respective owners.
 CCPA REQUIREMENTS

3
 CALIFORNIA CONSUMER RIGHTS

Access Erasure Disclosure Opt-Out

(CCPA 1798.100) (CCPA 1798.105) (CCPA 1798.110 & 1798.115) (CCPA 1798.120 & 1798.135)

A consumer shall have the A consumer shall have the A consumer shall have the A consumer shall have the
right to request that a right to request that a right to request that a right, at any time, to direct a
business that collects a business delete any business disclose to the business that sells personal
consumer’s personal personal information about consumer information information about the
information disclose to that the consumer which the related to collection, sale, consumer to third parties
consumer the categories business has collected and disclosure of personal not to sell the consumer’s
and specific pieces of from the consumer. information. These sections personal information.
personal information the provide requirements
business has collected. specific to the disclosure
content.

4 © 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
offer attestation services. All registered trademarks are the property of their respective owners.
REQUEST REQUIREMENTS

Request Intake Identity Verification Fulfillment

(CCPA 1798.130) (CCPA 1798.130) (CCPA 1798.130)

• Make available to consumers two or more
designated methods for submitting
requests for information, including, at a
minimum, a toll-free telephone number and
an online form.
• A business shall provide personal
information to a consumer free of charge
• A business may provide personal
information to a consumer at any time but
not more than twice in a 12-month period.
• The business must validate the identity of • Response Timeline: Disclose and deliver
the requestor prior to providing any the required information within 45 days of
personal information. receiving a verifiable request. The time
period may be extended once by an
• To identify the consumer, a business shall additional 45 days when reasonably
associate the information provided in the necessary, provided the consumer is
request to any personal information provided notice of the extension.
previously collected by the business about • Data Report Format: Information may be
the consumer.
delivered by mail or electronically, and if
provided electronically, the information shall
• Use any personal information collected from be in a portable and, to the extent technically
the consumer in connection with the feasible, in a readily useable format that
business’s verification of the consumer’s allows the consumer to transmit this
request solely for the purposes of information to another entity without
verification. hindrance.

© 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
5 offer attestation services. All registered trademarks are the property of their respective owners.
DISCLOSURE REQUIREMENTS

Data Collected Data Disclosed Data Sold

(CCPA 1798.110) (CCPA 1798.115) (CCPA 1798.115)

Upon request, a business that collects personal
information about consumers shall disclose:
• The categories of personal information it has
collected about that consumer.
• The categories of sources from which the
personal information is collected.
• The business or commercial purpose for
collecting or selling personal information.
• The categories of third parties with whom the
business shares personal information.
• The specific pieces of personal information it
has collected about that consumer.
Upon request, a business that discloses
personal information about consumer shall:
• Identify by category the personal information
of the consumer that the business disclosed
for a business purpose in the preceding 12
months.
• Provide the categories of third parties to
whom the consumer’s personal information
was disclosed for a business purpose in the
preceding 12 months.
• If the business has not disclosed the
consumers’ personal information to third-
parties, it shall disclose that fact.
Upon request, a business that sells personal
information about consumer shall:
• Identify by category the personal information
of the of the consumer that the business sold
in the preceding 12 months.
• Provide the categories of third parties to
whom the consumer’s personal information
was sold in the preceding 12 months.
• If the business has not sold the consumers’
personal information to third-parties, it shall
disclose that fact.

© 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
6 offer attestation services. All registered trademarks are the property of their respective owners.
 CCPA PERSONAL INFORMATION
DEFINITION

7
 PERSONAL INFORMATION CATEGORIES
Personal Identifiers &
Biometric Information

Individual Profile & Online Identifiers &

Protected Characteristics Online Activity

Personal
Information
Categories

Healthcare Insurance
Geolocation
& Medical Records
Information

Financial Records & Purchasing Education, Professional, &

Information Employment Related Information

© 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
offer attestation services. All registered trademarks are the property of their respective owners.
PERSONAL INFORMATION
Personal Information
Category
Biometric Information
Personal Identifiers
Online Identifiers &
Activity
Medical Records
Health Insurance
Information
© 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
offer attestation services. All registered trademarks are the property of their respective owners.
Description
Means an individual’s physiological, biological or behavioral characteristics, including an individual’s
deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with
other identifying data, to establish individual identity. Biometric information includes, but is not
limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice
recordings, from which an identifier template, such as a faceprint, a minutiae template, or a
voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and
sleep, health, or exercise data that contain identifying information.
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier
Internet Protocol address, email address, account name, social security number, driver’s license
number, passport number, or other similar identifiers.
Means identifiers provided by individual's devices, applications, tools and protocols, such as
internet protocol addresses, cookie identifiers as well as activity information, including, but not
limited to, browsing history, search history, and information regarding a consumer’s interaction with
an Internet Web site, application, or advertisement.
A record of a patient's medical information (as medical history, care or treatments received, test
results, diagnoses, and medications taken)
Consumer’s health insurance policy number or subscriber identification number, any unique
identifier used by a health insurer to identify the consumer, or any information in the consumer’s
application and claims history, including any appeals records, if the information is linked or
reasonably linkable to a consumer or household, including via a device, by a business or service
provider.
Example Data Elements
Imagery of the iris; retina; fingerprint; face print; handprint; palm; vein
patterns; voice recordings, keystroke patterns and/or rhythms, gait
patterns and/or rhythms, sleep patterns, exercise data; DNA; Other
Age / Date of Birth; Alien Registration Number; Birth Certificate Number;
Birth Certificate; Citizenship / Immigration Status; Death Certificate;
Dependents; Driving License Details; Email Address; Physical Address; I-
9 Forms; Phone Number; First & Last Name; National Identity Card
Details; Passport Number; Permanent Resident ID Number; Signature;
Social Security Number; Tax ID Number; Vehicle License Plate; Visa
Information; Other
Activity Log Files; Browsing History; Browser Fingerprints; International
Mobile Equipment ID (IMEI), International Mobile Subscriber ID (IMSI), IP
Addresses, MAC Address, Authentication Details; Social Media Accounts;
Unique Mobile Device ID (UDID); Username; Website Cookies; Other
Medical History; Care or Treatments Received; Test Results; Diagnoses;
Prescriptions; Pharmacy Activity; Hospital Activity; Blood Type; Allergies &
Symptoms; Genetic Data; Medical Condition Characteristics.
Insurance Policy Number; Policy Benefits Details; Plan Documents;
Account Number; Claims Activity; Claims History; Benefits Details;
PERSONAL INFORMATION
Personal Information
Category
Geolocation Information
Financial Information
Professional &
Employment Related
Information
Education Related
Information
Individual Profile
Information
Protected Characteristics
Commercial &
Purchasing Information
© 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
offer attestation services. All registered trademarks are the property of their respective owners.
Description
Information that can be used to identify an electronic device's physical location.
Financial information refers to the nonpublic information concerning an individual's
assets, liabilities, credit, account numbers and balances, transactional
information. This may include bank account numbers, credit card and debit card
numbers, financial transactions, payroll records, etc.
Any information related to professional status, qualifications, and employment
records. This may include Attendance Records; Background Information;
Disciplinary Action; Drug Test Results; End Date / Reason for Termination; Exit
Interviews and Comments; Investigation Records (Harassment or Discrimination);
Performance Records; Succession Planning Records.
Means personally identifiable information from education records.
Inferences drawn from any of the information identified in this subdivision to
create a profile about a consumer reflecting the consumer’s preferences,
characteristics, psychological trends, preferences, predispositions, behavior,
attitudes, intelligence, abilities, and aptitudes.
Under federal law, protected characteristics include race, color, national origin,
religion, gender (including pregnancy), disability, age (if the employee is at least
40 years old), and citizenship status.
Commercial information, including records of personal property, products or
services purchased, obtained, or considered, or other purchasing or consuming
histories or tendencies.
Example Data Elements
Geographic location; IP address; MAC address; RFID; hardware embedded
article/production number; UUID; Exif/IPTC/XMP; device fingerprint; canvas fingerprinting;
device GPS coordinates; country; region; city; postal/zip code; latitude; longitude; time zone;
domain name; connection speed; ISP; language; proxies; name;
Company Reimbursed Expense Records; Financial or Banking Reference Letters; Results of
Credit Checks; Bank Account Type; Bank Account Information (Account or Routing Number);
Bank Statements; Credit /Debit Card Information; Financial Account Information; Other
Business Cards; Business Phone Number; Business E-mail Address, professional status,
qualifications, Attendance Records; Background Information; Disciplinary Action; Drug Test
Results; End Date / Reason for Termination; Exit Interviews and Comments; Investigation
Records (Harassment or Discrimination); Performance Records; Succession Planning
Records; Job Applicant Information; Payroll Records, Incentives & Benefits.
Student Record; Admission Records; Grades & Performance; Activities; Report Cards;
Transcripts; School Name; Community Participation; Student ID; Student Pictures; Student
e-mail records; Address; Student Health Records;
Loyalty Member Profile; Consumer Preferences; Consumer Characteristics; Psychological
Trends; Customer Online Behavior; Customer In-Store Behavior; Customer Intelligence
rating; Financial Incentive history; Loyalty Program Status;
Racial or ethnic origin; Political opinions; Religious or philosophical beliefs; Trade Union
membership; Sexual orientation; Disability; Age; Citizenship Status.
Records of personal property; products or services purchase history; products and services
considered; Point-of-Sale data; customer complaints; Marketing Research; Marketing
Campaigns & Activities; Behavior Monitoring & Analytics; Web site clicks; automated tracking
of sales; customer service records; targeted customer studies.
 REQUEST WORKFLOW AND PROCESS

11
CONSUMER REQUEST WORKFLOW

TIMELINE: 45 DAYS

SECURE COMPLETION
REQUEST FORM
COMMUNICATION NOTICE
Consumers

REQUEST ASSIGNMENT & FULFILMENT & CLOSURE &

INTAKE VALIDATION TRACKING REPORTING

Response
Teams

TECHNICAL SOLUTION DESIGN – Various Options such as Informatica, OneTrust. Scripting

IT Team

© 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
12 offer attestation services. All registered trademarks are the property of their respective owners.
CONSUMER REQUEST PROCESS

Intake
01
Verify
02
Assign
03
Track
04
Update
05
Notify
06

© 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
13 offer attestation services. All registered trademarks are the property of their respective owners.
DSR PORTAL - INTAKE

Intake process is the first consumer contact

Collect information that is required for to process the request

• Type of request(s)

• Identity information

• Additional information that is relevant or required to service the request

• Limit information required to avoid fines for introducing barriers

© 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
14 offer attestation services. All registered trademarks are the property of their respective owners.
DSR PORTAL - VERIFY

Establish a process to verify identity of requestor

Validate the information provided

• Do use existing authentication methods such as those used when collecting the information

• Do not collect additional personal information for the sole purpose of identity verification

• Do establish record keeping to show how an identity was verified or why it was unable to be verified

• Do communicate with the consumer when clarification is needed on the information provided

© 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
15 offer attestation services. All registered trademarks are the property of their respective owners.
DSR PORTAL - ASSIGN

Create a queue, round robin or other means to assign cases

Prompt resource assignment reduces average case length

• Some requests are either out of scope or simple to answers questions that can be dealt with
through FAQ templates or other standard methods

• Teams can be created for specific request types to speed processing

• Assignment loads should be assessed and rebalanced as needed to ensure equal coverage

© 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
16 offer attestation services. All registered trademarks are the property of their respective owners.
DSR PORTAL - UPDATE

Requests should be updated frequently

Every team is responsible for updating requests

• When a request is sent to another team (IT, legal, etc.) they should update the ticket with what is
being done and who is doing the work

• Periodic updates should be performed even when no new work has been accomplished to follow up
and avoid exceeding regulated time limits

• Service Level Agreements should be established so that various steps can be monitored against the
updates to improve completion times and reduce risk

© 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
17 offer attestation services. All registered trademarks are the property of their respective owners.
DSR PORTAL - NOTIFY

Notifications communicate completion or extensions

Spend time crafting the notification templates since they are your primary touchpoint with the requestor

• Develop internal policies to determine how and when the requestor is notified of completion or other
status changes

• Request queues should be monitored to ensure that requests are getting updated and that the
requestor is notified of extensions or other exceptions

• Business, marketing and legal teams should review the notification templates

© 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
18 offer attestation services. All registered trademarks are the property of their respective owners.
DSR PORTAL – TRACK

Design to allow easy reporting and audit of steps

All events should be traceable

• Ideally all events will be recorded in a single system

• Events include:
– Assignment / Reassignment
– Status change (Complete, Cancel, Processing, Etc.)
– Escalation
• Include who took the action, the timestamp, links to the original and related requests

• Notes, reviews and audits should also be tracked and linked to the events they cover

• Design the tracking around the fact that reporting and alerts will be based off this data

© 2019 Protiviti – Confidential. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or
19 offer attestation services. All registered trademarks are the property of their respective owners.
© 2019 Protiviti – Confidential. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not
licensed or registered as a public accounting firm and does not issue opinions on financial statements or
offer attestation services. All registered trademarks are the property of their respective owners.