In May 2022, the California Privacy Protection Agency (CPPA) released its first draft of the California Privacy Rights Act (CPRA) Regulations. Among other clarifications and definitions, the draft provided a new definition of the term “disproportionate effort” that has attracted considerable attention in the privacy community.

In the field of data privacy, disproportionate effort serves as an exemption for companies who would otherwise be required to comply with unduly burdensome data subject access requests (DSARs).¹ This exemption seeks to strike a balance between efficient use of company resources and fulfillment of consumer needs. It is focused on protecting consumer interests, as the threshold for claiming disproportionate effort is dependent on benefits to consumers rather than to businesses. As the CPPA stated in its Initial Statement of Reasons, providing a clear definition for this principle would not only “clarif[y] when a business, service provider, or contractor can use this exception, [but also] prevent[] them from abusing this exception by claiming that everything requires ‘disproportionate effort’ on their part.”

The disproportionate effort exemption was initially introduced by the California Consumer Privacy Act (CCPA) in 2018. However, the California legislature provided only limited guidance on when this exemption was applicable. The CPRA draft regulations applied the disproportionate effort doctrine to situations where “the time and/or resources expended by the business to respond to the individualized request significantly outweighs the benefit provided to the consumer by responding to the request.”² To this end, businesses must demonstrate that “the time and/or resources needed to correct the information would be significantly higher than that material impact on the consumer.”³

In simpler terms, the draft regulations imposed the burden of proof for claiming disproportionate effort on businesses rather than consumers. Further, the threshold for businesses to make such a claim appears to be high, which is consistent with the California Privacy Protection Agency’s (CPPA) Statement of Reasons. However, while these draft regulations provide a more detailed definition of the disproportionate effort principle, its practical scope will remain uncertain until enough case law and judicial interpretations start to emerge.

Although the disproportionate effort principle is a relatively new feature of U.S. privacy law, it is no stranger to privacy professionals in Europe. For instance, section 8(2)(a) of the U.K. Data Protection Act of 1998 included such an exemption for the obligation to supply the data subject with a copy of the information in response to a DSAR request. In Dawson-Damer v. Taylor Wessing LLP (2017), the England and Wales Court of Appeal clarified the approach of assessing disproportionate effort. The Court stated that the correct approach is “to examine what steps a data controller has taken, and then to ask if it would be disproportionate to require further steps to be taken to comply with the individual’s right of access.”⁴ The disproportionate effort principle also can be found in the Data Protection Law (Jersey) 2018 and the EU’s General Data Protection Regulation.⁵

The implications of disproportionate effort depend on whether it is interpreted broadly or narrowly. In the context of the DSARs obligation, a broad interpretation of the disproportionate effort exemption is defined as “an exemption which releases [data] controllers from having to search for data which they could show was difficult to find or was trivial is of far greater value.”​​⁶ In contrast, a narrow interpretation would confine the scope of the exemption only to “the supply of a copy of information in permanent form.”⁷

A plain statutory interpretation would suggest a relatively narrow scope in which the exemption is only applicable to supplying or providing the information. The Guidance Note published by the Jersey Office of the Information Commissioner (JOIC) appears to support this interpretation of the exemption, indicating that its scope is limited to “‘supplying’ a copy of the relevant information in permanent form.” This narrow interpretation carries “limited significance given that producing a copy of information is the last stage in the process.”

However, not all DPAs or court interpretations follow this narrow approach. For instance, in a Belgian DPA’s decision (DOS-2018-06125), in relation to a former employee's right to access under Article 15 GDPR, the Belgian DPA upheld the notion that granting access to relevant IT logs would impose a disproportionate burden on the data controller. In Ittihadieh v. 5-11 Cheyne Gardens RTM Company Ltd and Others (2017), the Court of Appeal noted that the obligation to search applies only to circumstances where the search in question is “reasonable and proportionate.” Despite concerns that a broad interpretation might “favour data controllers whose data processing operations and systems are poorly organized,”⁸ this approach could still be limited to circumstances where the search of data involves excessive burdens and unreasonable search.

Although the United States data privacy landscape continues to progress rapidly, courts have not reached a consensus on the correct interpretation of the term “disproportionate effort.” One way to address this issue is to apply a totality of circumstances approach. This approach would allow courts to focus on all the facts of a given case and apply a combination of the existing approaches applied by European courts and DPAs, as well as consider other factors, such as the data subject’s motive for the request.⁹

Sheng Gao, LL.B., is a privacy compliance professional with experience in retail, insurance, and financial services industries. Sheng received his law degree from Queen's University Belfast. He received his BA in Economics from The George Washington University.

Megan Lombardi, J.D., is a seasoned privacy professional with years of experience in different privacy compliance fields. Megan received her Juris Doctorate from University of Arkansas School of Law. She received her Bachelor's degree in Business Administration and Management from Oklahoma State University.

¹ § 1798.130(a)(2)(B).