Below are the legal references relevant to exploits and defenses under GDPR and CCPA. References will be updated as the laws change.
GDPR
Exploits
Art 11.2 and Recital 57 - If the data subject wants to exercise their rights but the organization does not have enough information to identify them, the data subject can provide additional information for identification and the organization cannot refuse to take it
Art 12.1 - Data subjects can request the information to be delivered orally (verbally)
Art 12.3 - Data subjects can request that a DSR be fulfilled electronically or by other means
Art 12.5 - Data subjects can submit DSRs for free unless the organization can prove it is manifestly unfounded or excessive due to repetitive requests
Art 15.3 - The organization must provide the data subject with an electronic copy of the personal data held in a commonly used format
Art 16 - The data subject can revise or amend personal information held by the organization
Art 17 - Right to be forgotten/right to erasure/deletion
Art 19 - Organizations must communicate personal data updates to other organizations it has shared information with
Art 20.1 - Data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format
Recital 57 - Authentication credentials should be considered valid identification (cannot demand a second factor if 2FA was not set up already)
Recital 69 - Data subjects can ask an organization to transfer their information to another data controller
Recital 71 - Right to receive an explanation for automated decision-making and the logic used to make the decision
Defense
Art 11.1 - Organizations are not required to retain or acquire additional information to identify data subjects if the processing does not require identification of individuals
Art 11.2, Art 12.2, and Recital 57 - Organizations do not have to honor the data subject rights when they cannot identify an individual
Art 12.3 - Right to extend DSR processing time by up to an additional 60 days
Art 12.4 - Organizations can take no action as long as they provide reasonable justification to the data subject and inform them of how to contact the supervisory authority with a complaint
Art 12.5 - Right to reject or charge a reasonable fee for repetitive or abusive requests
Art 12.6 - Right to request additional information to identify a data subject
Art 12.6 and Recital 64 - Right to reject a request when the data subject can't be identified or associated with the data held
Art 13.4 and Recital 62 - Right to reject a request for data that the data subject already has access to (i.e., public or in an account)
Art 15.4 and Art 20.4 - Right to refuse or partially fulfill a request that would adversely affect the rights and freedoms of other individuals
Art 20.1-2 - Right to reject a portability request if the processing is not automated and the export is not technically feasible
Recital 62 - Right to refuse a request which is "impossible" or "requiring disproportionate effort" (requires review for situational determination)
Recital 62 - Organizations are not required to provide information the data subject can already access
Recital 63 - Right to ask data subject to narrow the scope of the request instead of giving the full record
Recital 64 - Organizations don't have to retain information solely to identify data subjects and should use all reasonable measures to identify the data subject
Recital 68 - Organizations are not required to design data in a system to be compatible with other systems (limiting portability)
Recital 68 - Right to reject a portability request where the data was not processed on the basis of consent or for a contract
CCPA
Exploits
1798.100(a) - Right to disclosure of information the business has collected
1798.100(d) and 130(a)2 - Right to make a request free of charge
1798.100(d) and 130(a)2 - Right to receive data by mail or electronically
1798.105(a) - Right to request deletion of personal information
1798.110(a and c) - Right to request disclosure of the specific pieces of personal information the business has collected
1798.130(a) - Right to submit a request by phone and website (if the business has a website)
1798.130(a)2 - Right to receive at least the prior 12 months of data within 45 days
1798.130(a)2 - Right to data access and portability without creating an account with the business
1798.130(a)3 - Right to any data that may be associated with the record
1798.130(a)3-4 - Right to identify the consumer by associating information provided by the consumer with data retained
1798.140(b) - Definitions of biometric and indirect identifiers that can be considered personal data
1798.140(o) - Definitions of personal information, including data which is capable of being associated with or could reasonably be linked, directly or indirectly, with a consumer or household; identifiers such as alias, unique personal identifier, online identifier, account name, or IP address; commercial information including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; and professional or employment data
1798.140(x) - Definition of unique identifier to include any persistent identifier that can be used to recognize a consumer or family over time and across devices, such as IP address, cookies, beacons, pixel tags, mobile ad identifiers, and other tracking technology
Defense
1798.100(c), 105(c), 110(b), 130(a)2 - Right to refuse a request that is not verifiable
1798.100(d) and 130(b) - Right to honor only two requests per 12-month period
1798.105(d) - Right to refuse a request for deletion when the data is necessary to the business for 9 specified purposes
- Complete a transaction
- Detect security incidents
- Debug to identify and repair errors
- Exercise free speech
- Comply with the California Electronic Communications Privacy Act (Chapter 3.6 of Title 12 of Part 2)
- Engage in public or peer-reviewed research
- Enable solely internal uses based on the consumer's relationship with the business
- Comply with a legal obligation
- Otherwise use the data internally in a lawful manner
1798.110(d)2 and 145(i) - A business is not required to reidentify or otherwise link data that it would not link in the ordinary course of business
1798.130(a)3-4 - Right to identify the consumer by associating information provided by the consumer with data retained
1798.145(g)1 - Right to extend request processing time by up to 90 days with notice
1798.145(g)3 - Right to refuse or charge a fee for manifestly unfounded or excessive requests (particularly those that are repetitive)
1798.145(j) - Right to refuse or partially fulfill a request when it may adversely affect the rights and freedoms of others
1798.150(b) - Right to a 30-day period to cure a complaint before legal or regulatory action is taken against the business