No.
While some businesses decide to create a written policy or procedure for handling access requests, other businesses decide that such a policy is unneeded.
For example, if a business rarely receives an access request, and if such requests are effectively handled on an ad hoc basis, it may be able to demonstrate that the fact that individuals are notified how to submit an access request through the company’s privacy notice, and the fact that such requests are appropriately handled in practice, is sufficient to satisfy the business’s obligations under the CCPA. On the other hand businesses that receive high volumes of access requests may find it difficult to handle such requests on an ad hoc basis – particularly if the volume necessitates that multiple people within the business are responsible for responding to such requests. For example, if hundreds of call center representatives are each responsible for fielding and processing access requests that come in through a customer support line, a business may find that the only effective way to process the requests consistently is through the creation of written processes and procedures.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
[View source.]