Page 79 - GDPR and US States General Privacy Laws Deskbook
P. 79
11 C.C.R. § 7023. Requests to Correct
(a) For requests to correct, if a business cannot verify the identity of the requestor pursuant to the regulations set forth in
Article 5, the business may deny the request to correct. The business shall inform the requestor that their identity cannot
be verified.
(b) In determining the accuracy of the personal information that is the subject of a consumer’s request to correct, the business
shall consider the totality of the circumstances relating to the contested personal information. A business may deny a
consumer’s request to correct if it determines that the contested personal information is more likely than not accurate
based on the totality of the circumstances.
(1) Considering the totality of the circumstances includes, but is not limited to, considering:
(A) The nature of the personal information (e.g., whether it is objective, subjective, unstructured, sensitive, etc.).
(B) How the business obtained the contested information.
(C) Documentation relating to the accuracy of the information whether provided by the consumer, the business, or
another source. Requirements regarding documentation are set forth in subsection (d).
(2) If the business is not the source of the personal information and has no documentation in support of the accuracy of
the information, the consumer’s assertion of inaccuracy may be sufficient to establish that the personal information is
inaccurate.
(c) A business that complies with a consumer’s request to correct shall correct the personal information at issue on its existing.
The business shall also instruct all service providers and contractors that maintain the personal information at issue
pursuant to their written contract with the business to make the necessary corrections in their respective systems. Service
providers and contractors shall comply with the business’s instructions to correct the personal information or enable the
business to make the corrections. If a business, service provider, or contractor stores any personal information that is the
subject of the request to correct on archived or backup systems, it may delay compliance with the consumer’s request to
correct, with respect to data stored on the archived or backup system, until the archived or backup system relating to that
data is restored to an active system or is next accessed or used.
(d) Documentation.
(1) A business shall accept, review, and consider any documentation that the consumer provides in connection with their
right to correct whether provided voluntarily or as required by the business. Consumers should make a good-faith effort
to provide businesses with all necessary information available at the time of the request.
(2) A business may require the consumer to provide documentation if necessary to rebut its own documentation that
the personal information is accurate. In determining the necessity of the documentation requested, the business shall
consider the following:
(A) The nature of the personal information at issue (e.g., whether it is objective, subjective, unstructured, sensitive, etc.).
(B) The nature of the documentation upon which the business considers the personal information to be accurate (e.g.,
whether the documentation is from a trusted source, whether the documentation is verifiable, etc.)
(C) The purpose for which the business collects, maintains, or uses the personal information. For example, if the personal
information is essential to the functioning of the business, the business may require more documentation.
(D) The impact on the consumer. For example, if the personal information has a negative impact on the consumer, the
business may require less documentation.
California Consumer Privacy Act of 2018 (as amended by the
79 |
California Privacy Rights Act of 2020) and Related Regulations