The California Consumer Privacy Act of 2018 (the CCPA), California’s consumer data privacy bill, is continuing to evolve even as we get closer to the effective and enforcement dates. Here are some key dates in the history and future of the regulation:
- CCPA Law Passed – June 28, 2018
- Draft Regulation Written – October 10, 2019
- Amendments Passed – October 11, 2019
- Public Comment Period – Until December 6, 2019
- CCPA, as amended, goes into effect – January 1, 2020
- Final Regulation Published – Spring 2020
- Enforcement – Six months after final regulation published OR July 1, 2020
As you can see from this timeline, a set of amendments was passed in the fall of 2019. There have been quite a few clarifications and additions since the law first passed. Below are some of the big ones.
- AB 25 – Excludes employees from the definition of “consumer” for one year. Businesses would not need to comply with an employee’s right to access, delete or opt out until January 1, 2021. This exclusion applies only to the individual acting in the role of employee. Employers are still required to comply with the disclosure requirements and are still subject to the data security private right of action for employee data.
- AB 874 – Excludes “publicly available information” (information lawfully made available in federal, state or local government records) from the definition of “personal information.” Also excludes aggregated or deidentified data from the definition of “personal information.”
- AB 1146 – Specifies that businesses do not have to comply with a consumer’s request to delete personal information in the case of a business fulfilling a warranty or product recall including cases of vehicle ownership.
- AB 1355 – Specifies that a business may not discriminate against the consumer for exercising any of their rights, except if the differential treatment is reasonably related to the value that the business receives from the consumer’s personal information. Also specifies that businesses must disclose information regarding consumer rights.
- AB 1564 – Allows businesses that primarily have an online-only presence to provide only an email address (instead of a toll-free number) for consumer data requests.
The draft regulations go beyond clarifying the existing CCPA law; they add new requirements. Here are a few of the major additions:
Definition of Personal Information: The clarifier “reasonably” was added to the definition of Personal Information.
- “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Notices to Consumers
Do Not Sell Notice for consumers offline:
- Businesses are required to make consumers aware of their rights offline with signage or printed policies.
- Businesses that offer an incentive to consumers who allow the sale of their data must provide a description of the incentive, its terms, information on how to opt in to and opt out of the incentive, and an explanation of why the incentive is permitted under the CCPA.
Business Practices for Handling Consumer Requests
- Methods of consumer requests: The CCPA outlines that there should be at least two methods available for a consumer to submit requests. In most cases that will be a website or email address and a toll-free number. Businesses must consider how they typically interact with consumers and provide at least one method that reflects that manner of interaction (if it’s an online retailer, there should be a link on the site; if it’s a brick-and-mortar retail location, it may need to provide a paper form).
- Timeline for consumer requests: Businesses must confirm receipt of a consumer request within 10 days and complete or respond to the request within 45 days. The exception is opt-out or Do Not Sell requests, which need to be honored within 15 days.
Verification of Requests
- Businesses should align their verification process with the sensitivity of the data they process. Businesses should also try to avoid collecting additional personal information when verifying a request and try to use what they already have. For example, if there is an account number or other unique ID for each consumer, that can be used in the verification process.
- Opt-out or Do Not Sell requests don’t have to be verified to the same degree as the other types of requests.
- Training requirement: Personnel who handle consumer requests under CCPA must be properly trained in all aspects of CCPA.
Although the regulations are not yet final, companies should proceed with their preparations to comply with the pieces we know for sure will be needed. For example, disclosures and privacy policies can be updated now. If you don’t already have a process in place to handle consumer requests from GDPR, you should put those processes in place now. And you should have a handle on the data you process, what it is used for, and whether it is shared with any third parties. To learn more, visit the links below.
Text of draft regulations: https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf
Note: This blog post is intended to provide an overview of the CCPA and is not intended as legal advice. We suggest you consult an attorney to understand how the CCPA affects your company and how to ensure your compliance.