The California Consumer Privacy Act (CCPA) went into effect January 1st, 2020, setting forth new rights for California residents regarding personal access, data deletion options, and commercial data sharing. Nearly two months into the CCPA, there are new rule clarifications, requests for delays of the enforcement phase, potential new privacy laws moving through the California legislature, and some early compliance benchmarks. Enforcement begins July 1, 2020, unless final regulations are published sooner. (Link: proposed regulations, modifications posted Feb 7)
Jan 29, 2020: Five Ad Trade Associations Request Delay to Enforcement Deadline
Ad industry leaders sent a letter Jan 29th to California Attorney General Xavier Becerra asking for a delay of CCPA enforcement to allow companies time to review and implement the final regulations.
The request was delivered by 4A’s (American Association of Advertising Agencies), American Advertising Federation (AAF), Association of National Advertisers (ANA), Interactive Advertising Bureau (IAB), and Network Advertising Initiative (NAI). It pointed out the lack of final regulations, the complexity and wide-ranging impacts of the law, and the fact that the rules as currently written could still undergo changes with less than 6 months for companies to prepare. The letter requests a delay of 6 months from the time the rules are finalized by the California Attorney General’s office.
Feb 7, 2020: New CCPA Rule Clarifications from California Attorney General
In early February the California Office of the Attorney General (CAG) published a notice and update of modifications to the CCPA law. While the final regulations are still forthcoming, this notice provides some clarity for affected businesses. Some of the areas with new additions or clarification include:
“Personal Information” Definition: A new section was added called “Guidance Regarding the Interpretation of CCPA Definitions”. The first addition to this new section covers definitions of “personal information”.
"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Examples provided include (but are not limited to) name, postal address, IP address, email address, and Social Security number. They also listed categories of data, including geolocation data, browser history and cookies, and protected classifications such as race or sex. Additional clarification addresses data that could technically be considered PI: when the business cannot and does not link that information with other data, it may not be considered personal information under CCPA.
Consumer data request clarification: A modification to the section (999.312) on submitting Requests to Know adds that at least one method offered must reflect the manner in which the business primarily interacts with the consumer.
Exclusion for fulfilling a Request to Know: An exclusion now exists when the PI and business use fall under a particular set of circumstances, namely that the PI is not sold or used for commercial purposes, but merely maintained for legal or compliance purposes and not kept in an easily accessible format. The business would then need to inform consumers of these reasons when responding to a consumer request for data.
Clarification for Service Providers' use of PI: Section 999.314 provides greater detail around the circumstances where Service Providers can retain and handle personal data without being subject to CCPA regulations.
Opt-Out Requests: There were clarifications around several opt-out aspects, including ensuring the CCPA opt-out process is “easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.” Additional language prohibits methods attempting to impair a consumer’s decision to opt-out. Additional clarity was provided around global privacy controls, such as browser settings, and how companies should respond to opt-out requests via those controls.
“User-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information shall be considered a request directly from the consumer”
Businesses have 15 days to respond to opt-out requests. Further detail is added around notification to 3rd parties of a consumer’s opt-out request.
Loyalty Program vs Data Deletion: New language clarifies that it is lawful under the CCPA for the business to deny the deletion request as to the information necessary to maintain the enrollment in and benefits from the loyalty program.
Additional Modifications: The new language by the CAG covers additional aspects such as: Do Not Sell buttons, mobile notifications, household definition, data brokers, employee privacy notice, and Privacy Policy disclosures.
Adlawaccess has a more detailed review of modifications, and here are the CCPA modifications released Feb 7th by the California Office of the Attorney General.
Benchmarks for CCPA Compliance from PWC
PWC, the consulting heavyweight, tracks over 1000 privacy laws and regulations, including CCPA. Recently they analyzed the CCPA readiness of the websites of the 600 largest publicly traded companies and 100 largest privately held corporations. Some findings 6 weeks into the CCPA regulation:
- Overall 16% of companies tracked offer a Do Not Sell link.
- 29% of consumer market businesses evaluated had a DNS link.
- More than 25% of Telecom, Media, and Technology companies offer the DNS link.
- Of the largest 600 companies, 40 percent of them established a CCPA rights portal.
- Most businesses across sectors, which had a CCPA rights portal, restricted those rights to just Californians.
- 33% of companies evaluated had a CCPA rights portal and extended rights to all consumers.
Continued Changes for Privacy Regulation Nationally
In addition to the forthcoming final CCPA regulation language, and the enforcement period to begin July 1st or sooner, the same group that pushed for CCPA is now pushing for a ballot initiative dubbed CCPA 2.0. Officially titled The California Privacy Rights Act of 2020 (CPRA), it may be voted on in 2020, and could result in an overhaul of CCPA with significant updates, per this NatLawReview article.
The California Privacy Rights Act expands the scope of CCPA to give more protections and guidance around sensitive personal information, consumers' right to have data corrected, added protections for minors, and changes to the data breach liability provision, and it establishes an enforcement agency.
The California law is merely the leading edge of changes coming to privacy compliance, as Nebraska, New York, and a handful of other states are proposing privacy regulations of their own.
The above updates are all referenced in the Megalist of CCPA Resources and Checklists. If you are looking for a CCPA checklist or information about CCPA compliance tools or software, check out the CCPA resources post.
Update June 2020: California Privacy Rights Act (CPRA), the planned expansion on CCPA, is slated for a vote in California in November. Read more about how CPRA differs from CCPA.
Offer California Residents Data Opt-Out Today
As part of our one tag solution, Admiral offers publishers access to our CCPA Opt-out Module. The module is designed to offer publishers:
- Detection: ID site visitors coming from CA IPs
- Provide those visitors a user interface to opt out of data sales
- Admiral’s UI/API access is compatible with IAB’s framework for communicating opt-out information to downstream vendors
For more information on how to enable Admiral’s CCPA Opt-out Module, contact us and a product specialist will reach out to get you started.