California Consumer Privacy Act Set to Become Effective

Posted by Thomas E. Sowers on

The California Consumer Privacy Act (CCPA) is scheduled to go into effect on January 1, 2020.  The CCPA was signed into law in June 2018 and stands to be the strictest data privacy law in the US.  It establishes significant obligations on businesses relating to the personal information of consumers.

The CCPA is notable in that it grants California residents:

  • the right to be informed of the categories of personal information that a business collects, receives, sells or discloses about them; the purposes for these activities; and the third parties to which their personal information is disclosed.
  • the right to request more detailed information about the personal information businesses hold about them, and the right to obtain portable copies of their personal information from the businesses.
  • the right to prohibit a business from selling their personal information, and to request that a business delete their personal information.

The CCPA does not apply to all businesses. It applies to for-profit businesses that do business in California, collect and control personal information of California residents, and (i) have annual gross revenues exceeding $25 million, or (ii) receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis, or (iii) derive 50% or more of their annual revenues from selling California residents’ personal information.

In advance of the CCPA going into effect, on October 11, 2019, California Governor Gavin Newsom signed into law six amendments passed by the legislature.  The amendments do not change the fundamental aspects of the CCPA, but rather bring some clarity to the final scope of the act.  Notable among the amendments are that: (i) the already broad definition of “personal information” was expanded to include biometric data, tax identification numbers, passport numbers and other unique identification numbers issued on government documents, and (ii) businesses that collect and sell consumer personal information and which do not have a direct relationship with those consumers must register with California as data brokers.

Also, on October 10, 2019, the California Attorney General released draft regulations for the CCPA. The regulations do more than fill in the gaps in the CCPA; they also include new requirements for compliance, though in some instances they create further ambiguities.

California Consumer Privacy Act: What’s in the Draft Regulation?

The draft regulations focus on the following areas of the act:

  • Notices to consumers – The draft regulations clarify the format and content of notices businesses provide to consumers.
  • Business practices for handling consumer requests – Proposed requirements include that businesses must confirm receipt of consumer requests within ten days, re-confirm requests to delete personal information, and maintain records relating to consumer requests for at least two years.
  • Verification requirements – The draft regulations provide requirements for verifying consumer requests and list factors businesses should consider when determining the level of verification required.

The draft regulations will be open for public comment until December 6, 2019, and final rules will likely be released in the spring of 2020, with enforcement of the rules commencing July 1, 2020.  It is expected that the draft regulations will be further refined as privacy professionals, businesses and other interested parties weigh in.