§ 7024. Requests to Know.

(a) For requests that seek the disclosure of specific pieces of information about the consumer, if a business cannot verify the identity of the person making the request pursuant to the regulations set forth in Article 5, the business shall not disclose any specific pieces of personal information to the requestor and shall inform the requestor that it cannot verify their If the request is denied in whole or in part, the business shall also evaluate the consumer’s request as if it is seeking the disclosure of categories of personal information about the consumer pursuant to subsection (b).(b) For requests that seek the disclosure of categories of personal information about the consumer, if a business cannot verify the identity of the person making the request pursuant to the regulations set forth in Article 5, the business may deny the request to disclose the categories and other information requested and shall inform the requestor that it cannot verify their If the request is denied in whole or in part, the business shall provide or direct the consumer to its information practices set forth in its privacy policy.

(c) In responding to a request to know, a business is not required to search for personal information if all of the following conditions are met:

(1) The business does not maintain the personal information in a searchable or reasonably accessible format.

(2) The business maintains the personal information solely for legal or compliance purposes.

(3) The business does not sell the personal information and does not use it for any commercial purpose.

(4) The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.

(d) A business shall not disclose in response to a request to know a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics. The business shall, however, inform the consumer with sufficient particularity that it has collected the type of information. For example, a business shall respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.

(e) If a business denies a consumer’s verified request to know specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or an exception to the CCPA, the business shall inform the requestor and explain the basis for the denial, unless prohibited from doing so by law. If the request is denied only in part, the business shall disclose the other information sought by the consumer.

(f) A business shall use reasonable security measures when transmitting personal information to the consumer.

(g) If a business maintains a password-protected account with the consumer, it may comply with a request to know by using a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information if the portal fully discloses the personal information that the consumer is entitled to under the CCPA and these regulations, uses reasonable data security controls, and complies with the verification requirements set forth in Article 5.

(h) In response to a request to know, a business shall provide all the personal information it has collected and maintains about the consumer during the 12-month period preceding the business’s receipt of the consumer’s request. A consumer may request that the business provide personal information that the business collected beyond the 12-month period, as long as it was collected on or after January 1, 2022, and the business shall be required to provide that information unless doing so proves impossible or would involve disproportionate effort. That information shall include any personal information that the business’s service providers or contractors collected pursuant to their written contract with the business. If a business claims that providing personal information beyond the 12-month period preceding the business’s receipt of the consumer’s request would be impossible or would involve disproportionate effort, the business shall not be required to provide it as long as the business provides the consumer a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why the business cannot provide personal information beyond the 12-month period. The business shall not simply state that it is impossible or would require disproportionate effort.

(i) A service provider or contractor shall provide assistance to the business in responding to a verifiable consumer request to know, including by providing the business the consumer’s personal information it has in its possession that it collected pursuant to their written contract with the business, or by enabling the business to access that personal information.

(j) In responding to a consumer’s verified request to know categories of personal information, categories of sources, and/or categories of third parties, a business shall provide an individualized response to the consumer as required by the It shall not refer the consumer to the businesses’ information practices outlined in its privacy policy unless its response would be the same for all consumers and the privacy policy discloses all the information that is otherwise required to be in a response to a request to know such categories.

(k) In responding to a verified request to know categories of personal information, the business shall provide all of the following:

(1) The categories of personal information the business has collected about the consumer.

(2) The categories of sources from which the personal information was collected.

(3) The business or commercial purpose for which it collected or sold the personal information.

(4) The categories of third parties with whom the business shares personal information.

(5) The categories of personal information that the business sold, and for each category identified, the categories of third parties to whom it sold that particular category of personal information.

(6) The categories of personal information that the business disclosed for a business purpose, and for each category identified, the categories of third parties to whom it disclosed that particular category of personal information.

(l) A business shall identify the categories of personal information, categories of sources of personal information, and categories of third parties to whom a business sold or disclosed personal information, in a manner that provides consumers a meaningful understanding of the categories listed.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.110, 1798.115, 1798.1301798.140 and 1798.185, Civil Code.