The California Consumer Privacy Act (CCPA) is fast approaching. With an effective date of January 1, 2020 and a 12-month look-back requirement, organizations falling under the CCPA definition of businesses are struggling to understand and implement its new requirements, including the right California residents now have to ask for the deletion of their personal information and to stop a business from selling their personal information.
In the lead-up to 2020, the California Attorney General (AG) still needs to issue rules on several CCPA topics. To prepare, the California AG’s Office, in partnership with the Department of Justice, scheduled several public forums to get feedback and opinions on the law.
The AG’s office scheduled seven forums in cities across California, and they have been underway since January 8, 2019. The office is mainly seeking public comment and suggestions on the following questions:
- Should there be additional categories of personal information?
- Should the definition of “unique identifiers” be updated?
- What exceptions should be established to comply with state or federal law?
- How should consumers submit a request to opt out of the sale of personal information and how should a business comply with that consumer’s request?
- What type of uniform opt-out logo or button should be developed to inform consumers about the right to opt out?
- What types of notices and information should businesses be required to provide, including those related to financial incentive offerings?
- How can a consumer or their agent submit a request for information to a business and how can the business reasonably verify these requests?
Consumer advocates, members of the public, attorneys, data security professionals, as well as business and trade association representatives have attended the forums. With five of the seven forums in the books, here are the areas within the regulation that have garnered the most reaction:
- Provide a clearer definition of what constitutes the sale of personal information
- Clarify the proper means by which a business or organization demonstrates that it is CCPA compliant in the event of an audit or incident
- Clarify whether consumers can be offered multiple choices related to their deletion or opt-out rights, i.e. opt out or delete some but not all of their personal information
- Define a standard of care for compliance and CCPA best practices, using NIST security standards as a model
- Clarify the requirements of the “Do Not Sell My Personal Information” button and specify where on a website the button should be located
- Clarify the rules for businesses that do not collect “enough data” to verify the identity of a California resident
- More closely align the CCPA with other privacy regulations like the EU GDPR
- Create safe harbors for businesses under the CCPA
- Clarify how loyalty programs may be affected under the CCPA
The remaining public forums will be held on February 13 in Fresno and March 8 in Stanford. The California AG’s office encourages members of the public to participate in these forums either by attending in person or submitting their comments and questions via email or mail by the March 8, 2019 deadline. The AG’s Office plans to start the formal review process in the fall of 2019. This website is also available for more information.