Monday, October 11, 2021

Have You Been Stung by the Privacy Bee?

Privacy Bee, and other so-called privacy advocate organizations, have been sending thousands of data access and deletion requests invoking the California Consumer Privacy Act (“CCPA”). They assert such rights on behalf of individual consumers pursuant to a power of attorney authorized by the CCPA. In many cases these individual consumers have had no interaction with the business. 

Here is a sample of such a request from Privacy Bee:

I am hereby submitting a personal data request pursuant to Section 1798.105 of CCPA (SB-1121), Article 17 of GDPR, Nevada SB-220, New Hampshire HB 1680-FN, Washington Privacy SB-5376, Illinois DTPA SB2330, New York S5462, Hawaii SB 418, North Dakota HB 1485, Massachusetts S-120, Maryland SB 613, Texas Privacy Protection Act HB 4390, or other applicable right-to-be-forgotten legislation. If you feel my data is exempt from privacy legislation for any reason, I'm still asking you to respect my wishes regardless, as I believe privacy is a universal human right and I'm hopeful the integrity of your organization will honor my request with or without legal requisite.

Specifically I request:
- Data Deletion: I hereby request the immediate and complete purging of any and all information your company has on me including but not limited to: user accounts, marketing data, transaction data, behavioral data, social data, CRM records, or absolutely anything that contains my personal information.
- No Dissemination: if any information is being or has been disclosed, resold, licensed, rented, or otherwise disseminated by your company to third parties, I hereby request to opt-out of that data sharing, and request you communicate this request for opt-out and deletion to those entities as well.
As I’m legally permitted, please confirm your compliance with my request without undue delay and in any event within one month of receipt of this request.
I am including the following information necessary to identify me:
If you require additional information to resolve my identity, to view my signed Power of Attorney authorizing this request, or to respond to this request, please visit:
If you do not answer my request within the stated period, I and my legal privacy advocate, Privacy Bee, are reserving the right to take legal action against you Plus and to lodge a complaint with the responsible supervisory authority.
Thank you.

The request cites many inapplicable laws and proposed legislation. As of today only the CCPA and GDPR require a response to such legitimate and verifiable requests.

The number of these requests has exploded in the past few months. In many cases the requests are being sent to customer service emails or someone other than the person responsible for CCPA compliance. They are now becoming a nuisance and administrative burden for many businesses. 

Businesses should be careful when responding to these requests.

First and foremost, make sure that they are all sent to the person responsible for CCPA compliance and handled in accordance with your CCPA compliance process.

You need to determine which privacy regulations you are subject to and what regulatory mechanisms are available to protect both your company and the consumer. In particular, you must consider the mechanisms used to handle the submission of requests, any exemptions for personal data not subject to the right, verification of the consumer's identity, and verification that a consumer has authorized an agent to act on their behalf.

Privacy Bee does little investigation into what interaction, if any, the individual has had with the business, or into the proper method for submitting such requests to that business.

Here are some suggested steps when receiving one of these requests:
  • Only respond to those individuals who have rights under the CCPA or GDPR. Only California residents are covered under the CCPA and only EU residents have rights under the GDPR.
  • Provide specified methods to submit CCPA requests. The CCPA regulations make it clear that a business can specify methods of submitting requests and can direct anyone making a request to use those preferred methods. You can respond by telling the requestor to submit the request using the webform, portal, or other method you designate on your website.
  • Invoke other elements of the CCPA/GDPR to verify and authenticate. A business should be able to screen for California residency, particularly when these "privacy advocates" are making no effort to limit their requests to only those individuals who have legal rights under the CCPA. A business can also (1) require a signed declaration submitted under penalty of perjury for requests for specific pieces of information and requests for deletions; (2) require individuals to confirm they want their information deleted; and (3) require individuals to confirm that they provided the authorized agent permission to submit the request.
Unfortunately, we are likely to continue to see an increasing number of these requests because other states, such as Virginia and Colorado, have passed similar laws. The Virginia and Colorado laws, however, don’t take effect until 2023. By implementing some of the steps outlined above, a business can mitigate the sting and disruptive effect of these mass requests.
