
Typically, no. It’s not recommended. If you do, contact us as soon as possible because you may get into some trouble with the law. Best Practice: give your customer access to their personal information for free unless the request is excessive or repetitive. You must also have this written down in a forward-facing policy.

How do you determine whether a request is excessive or repetitive? Consider this example: Say you’re a small business, and a consumer has requested that you provide them with any Personal Information you have on him or her. You spend a couple of hours looking throughout your system, and you find nothing. You report back to the consumer and say that you have nothing. The next day, the consumer makes the exact same request. You spend a couple of hours looking again, but again, you find nothing. You report back to the consumer. Then, the next day, the consumer makes the same request again. Sounds excessive, right? It probably would be, and it would be safe to charge the consumer a reasonable fee (or perhaps reject it, depending on the law of the relevant jurisdiction).

Different rules for different jurisdictions

When considering whether you can charge for an information request, it’s important to review the rules in your and the consumer’s jurisdiction. The rules can vary, but the strictest laws are similar:

PIPEDA (Canada)

“Minimal or no cost” [1]

CCPA (California)

“Free of Charge” for the first two requests in a 12-month period. [2]

CPDA (Virginia)

“Free of charge” for the first request in a 12-month period. [3]

CPA (Colorado)

“Free of charge” for the first request in a 12-month period. [4]

GDPR (EU)

“Free of charge” for the first copy. [5]

At a minimum, provide the customer with his or her personal information free of charge for the first request. After the first request, the rules differ slightly on whether you can charge the consumer. Importantly, in all these jurisdictions, there are special rules in place that permit the charging of fees. For example, in Virginia, if the consumer request is “manifestly unfounded, excessive, or repetitive,” you—the business—may charge a reasonable fee to cover the administrative costs of complying with that request. Va. Code § 59.1-573.

Develop policies to protect customers’ right to privacy

You should also adopt robust policies to ensure your customers receive the maximum privacy rights and protection. This could benefit you because you could advertise that you go above and beyond in protecting your customers’ right to privacy.

For more information and tips on how to improve your privacy policies, please check out my colleague Michael Weinberger’s blog post titled Privacy policies: Why are they important. He discusses ways you can improve your privacy policy.

Have questions about privacy policies and governance for your business?

Whether data collection, storage, and use are ancillary to your business, the Siskinds’ Data Protection, Cybersecurity, & Privacy Law Practice Group is ready to help minimize your enterprise risk and create a privacy policy that suits your needs. Should you have any questions, please don’t hesitate to contact me, Savvas Daginis, at [email protected].


[1] PIPEDA, Schedule 1, s. 4.9.4.

[2] CA Civ. § 1798.100

[3] Va. Code § 59.1-573 – Effective 1/1/2023

[4] Colo. Rev. Stat. § 6-1-1306 – Effective 7/1/2023

[5] GDPR, Arts. 12(5) and 15(3).
