December 1, 2022

Volume XII, Number 335


What Is the Difference Between a Category-Level Access Request and a Specific-Information Access Request?

The CCPA and its implementing regulations identify six types of information requests that a consumer can submit to a business. As the first five requests ask that a business respond with broad information about the type of information collected (as opposed to the actual information itself), they are often referred to as category-level access requests. As the sixth request asks that a business respond with the actual information the business collected about a consumer, it is often referred to as a specific-information request.

So, for example, if a consumer submitted a category-level request that asked a business what categories of personal information the business collected about the consumer, it might be sufficient for the business to respond by stating that it collected “identifiers” about the consumer, or it could respond more specifically by stating that it collected the consumer’s name and email address. If the same consumer submitted a specific-information request to the same business, the business might respond by telling the consumer that it collected the name “John Smith” and the email address [email protected].[1]

In practice, many companies don’t separate category-level requests from specific-information requests when they discuss consumers’ rights to request access to their information. Indeed, 52% of companies simply allow consumers to “access” their personal information or submit a “request to know” without specifically differentiating between the different types of access that might be requested.[2]


FOOTNOTES

[1] See FSOR Appendix A at 121 (Response 392).

[2] Greenberg Traurig LLP reviewed the publicly available privacy notices and practices of 555 companies (the Survey Population). The Survey Population comprised companies that had been ranked within the Fortune 500 at some point in the past five years as well as additional companies selected from industries that are underrepresented in the Fortune 500. While the Survey Population does not fully match the current Fortune 500 as a result of industry consolidation and shifts in company capitalization, we believe that the aggregate statistics rendered from the Survey Population are representative of mature companies. Greenberg Traurig’s latest survey was conducted between September and October 2022.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 325

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425