Compliance Glossary

What is Right to Know?

Definition

The right to know under CCPA/CPRA grants California consumers the right to request that a business disclose what personal information it has collected, the sources of that information, the business purposes for collecting it, and the third parties with whom it has been shared or sold.

In Depth

The right to know encompasses two types of requests: a general disclosure about data practices (which must be addressed in the privacy notice) and a specific consumer request for the particular personal information collected about them. When a consumer makes a verifiable request, the business must provide the categories and specific pieces of personal information collected, the categories of sources from which it was collected, the business or commercial purpose for collecting or selling it, and the categories of third parties with whom it is shared. CPRA expanded this right to cover a 12-month lookback period from the date of the request, and businesses that have been collecting data since January 1, 2022, may need to provide information beyond the 12-month window if practicable. Businesses must respond within 45 days and cannot charge a fee for the first two requests in a 12-month period. Organizations should implement a verifiable consumer request intake process, maintain comprehensive data inventories, and build reporting capabilities that can generate accurate disclosures within the response timeframe.
