CCPA Regulation Update: Searching Offsite Physical Records
Part 2 of 4
Despite the push to digital record-keeping as a best practice and the impressive advances in technology to help digitize and organize records, companies continue to rely on hard-copy records and off-site storage to maintain relevant information. The CCPA is not limited to electronic information stored on hard drives, and is essentially agnostic about how data is collected and how it is to be destroyed. Unfortunately, for some businesses this creates a practical problem: How is the business to respond when it keeps information from years past at an external storage facility such as Iron Mountain? Does the CCPA require that a business go through each and every box to determine where additional personal information may be found?
The Problem with Physical Records
In the proposed regulations, language was added to specify that a business is not required to search for personal information in response to a "request to know" if:
- The business does not maintain the personal information in a searchable or reasonably accessible format;
- The business maintains the personal information solely for legal or compliance purposes;
- The business does not sell the personal information and does not use it for any commercial purpose; and
- The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.
This regulatory language essentially creates an exemption for any physical records that are largely kept off-site, and unused – except as back-up. However, this does not mean that a business can perpetually avoid undertaking this search. A similar exemption does not exist for a "request to delete," though the proposed regulations do currently permit an exception for "archived or back-up systems."
How to Comply?
Fortunately, the easiest way to comply is by engaging in "data mapping" - a practice where a company maps out what information is collected, and where that information is shared and stored. A comprehensive data mapping project would require companies to know the status and treatment of physical documents and cataloguing these materials accurately to make the materials more searchable or accessible, if need be. However, a company could choose to not delete physical records as they may lawfully be kept as archived records or be required for a legal defense. Under either scenario, the proposed regulations grant an exemption from searching through off-site, physical documents to respond to a consumer request under the CCPA.
Every business subject to the CCPA must develop a plan for handling their physical records – so that they can be located and catalogued in preparation for specific consumer requests. If physical records are kept for an exempted purpose under the CCPA, a company should carefully document such efforts in case a regulatory body, such as the California Attorney General, conducts a CCPA audit.