Introduction
The CCPA and GDPR enable consumers to exercise three different rights regarding their personal information:
- A right to know what personal information the business collected, sold, or disclosed about them, including the specific pieces of personal information held.
- A right to make the business delete their personal information unless a statutory exception allowing its retention applies.
- A right to restrict sales of their personal information.
Process and Documentation Requirements
Process Flow
Consumer Requests
Consumer requests may originate from an email or from a CCPA Information Request. Accurately responding to a consumer’s CCPA or GDPR rights request first requires a full understanding of exactly what personal information the business collects, obtains, uses, stores, shares, and sells about that individual and how to identify and access it. Customers may review the Advantus Privacy Policy at shopadvantus.com. To request a copy of data, to request deletion, or for any questions or complaints concerning privacy practices, customers may email dataprivacy@advantus.com or fill out a request form via this link.
Record and Document
When a customer completes a Data Privacy Request, the form is received and processed by Compliance. A Compliance specialist receives the request in the compliance@advantus shared mailbox. It is then reviewed and sent to Web@advantus.com and ITsupport@advantus.com to complete the request within the following time-frames:
- A business must confirm receipt of a consumer’s request to know or delete within ten business days. Refer to Template 1 and Template 2 for sample replies.
- The receipt must inform the consumer about the business’s process for responding to requests, including:
  - Generally describing the business’s verification process.
  - Providing an expected response time-frame, unless the business already granted or denied the request.
- Template 1:
- Advantus, Corp. is the owner of both the Bluelounge® brand and Bluelounge.com as of February 16, 2018. I am writing on behalf of Advantus to acknowledge receipt of the below request and to advise you that Advantus does not have a record of insert customer name (include in parentheses customer full name, email, and/or phone number provided) prior to receipt of the below request. The CCPA (or GDPR) requires us to verify both your identity and that the personal information you asked us to delete relates to you. After reviewing the information you provided to date, we are unable to verify your identity and that it relates to you because Advantus has no records of (customer name) prior to receipt of the below request. If domestic request, include the following statement: Advantus will maintain a record of this request pursuant to California Civil Code Section 1798.105(d).
- Template 2:
- Thank you for your request. Advantus, Corp. is the owner of both the Bluelounge® brand and Bluelounge.com as of February 16, 2018. I am writing on behalf of Advantus to acknowledge receipt of the below request and to advise you that Advantus does not have/has XXX records of XXX@gmail.com prior to receipt of the below request. Based upon the information provided, Advantus did/did not verify your identity and determine whether we are in possession of any of your covered personal information. Advantus will maintain a record of this request pursuant to California Civil Code Section 1798.105(d). The CCPA requires us to verify both your identity and that the personal information you asked us to delete relates to you. After reviewing the information you provided to date, we are able/unable to verify your identity and that it relates to you because Advantus has no records of XX@gmail.com prior to receipt of the below request. Advantus will maintain a record of this request pursuant to California Civil Code Section 1798.105(d).
A business may provide the confirmation response in the same manner that it received the request. For example, a business receiving requests on its toll-free telephone number can provide the confirmation orally during the call as part of its intake process script. Guidance provided by the California AG further explains that businesses can automate this initial response to lessen the cost and burden, and that the requirement’s purpose is to improve transparency about the process and set appropriate expectations.
Record of Request
A record of the request must be maintained for at least 24 months.
Customer Report/Feedback Record
The Compliance specialist will generate a New Customer Report/Feedback Record.
Step 1 Enter the date of the report and attach the initial email notification in the manufacturer/customer notification field as objective evidence.
Step 2 Select Privacy Data Request for Report Type.
Step 3 Enter the customer contact information under Reporter Contact Information and provide general details of the request under Feedback/Issue.
Step 4 Use the comments/review field to track workflow comments and update the status accordingly.
Data Inventory
Step 5 Request completion of review from IT and WEB. Web@advantus.com and ITsupport@advantus.com assess data inventory.
The Advantus data inventory includes assessment from Marketing to IT to HR to Vendor Management. The Advantus data inventory includes:
- A review of areas where personal information is received.
- Any type of personal information received in any format, for example, through your website, email, employment applications and related documents, marketing, etc.
- Identification that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
- Advantus provides this information in the Privacy Policy.
- A review of the location where the information identified is stored, in what format it is stored, and the department responsible for maintaining the information.
Once the request is assessed by IT and WEB, generate a response to the customer based on the action completed. Attach the follow-up communication to the customer under the files tab.
Customer Notice of Closure
Step 6 Enter the date of the follow-up/notice of closure and update the status to complete.
A business has 45 calendar days from the date it receives a consumer’s request to know or delete to provide its substantive response. Time spent verifying the requestor’s identity does not stay or extend the substantive response deadline. The business may extend this response period for another 45 calendar days if necessary. However, the business must first notify the consumer about its reasons for extending the response period within the original 45-day deadline. The maximum total response period, including any extensions, is 90 calendar days.