When CCPA was passed in June 2018, the legislation was so rushed and undeveloped that it was all but certain there would be updates and changes to the law before its effective date of January 1, 2020.
Well, here we are, about two months from implementation, and California’s attorney general has finally released the long-anticipated draft regulations. The public comment period is open until December 6; during that time, citizens are invited to attend one of a handful of public sessions to discuss the draft regulations or to send their written comments to the AG.
The goal of the draft regulations is to make CCPA a stronger law, or as The National Law Review put it, “the AG’s team aims to bring the CCPA closer to the EU GDPR in some ways.” But considering how late in the game these draft regulations have been released, there are questions about whether their real effect is to create new hurdles for organizations trying to achieve compliance.
The Timeline Confusion
The draft regulations put a new wrinkle into the compliance timeline. As mentioned, CCPA goes online on this coming New Year’s Day. However, the new regulations won’t be implemented until July 1, 2020, which is good news for those scrambling to address the draft regulations. On the other hand, there is a retroactive aspect to CCPA. There is a 12-month “look back” period, and you may be accountable to CCPA and its penalties for mistakes and incidents that happened in 2018.
To complicate matters further, California businesses should expect more changes and amendments to the law before the end of the year, Jennifer Sosa, Director at TLS, told her audience at the (ISC)2 Security Congress event in Orlando. While the basic tenets of CCPA haven’t changed, she anticipates that, because these regulations are still in draft form, there could be several more rounds of changes on the horizon.
“The first draft regulations left time for changes,” she said, and she also expects there to be some level of leniency in compliance if organizations have limited time to make updates. But still, she added, it is best to be as prepared as possible with the basics and be able to adapt to the changes as quickly as possible.
Major Points of the Draft Regulations
The draft regulations address five major points:
- Notice to customers. Organizations required to meet CCPA compliance must give consumers notice of personal data collection before or at the time of collection, provide details of what the collected data will be used for, offer customers the right to opt out of the data collection (including adding a “Do Not Sell My Info” link to make opting out easier), disclose how the company makes money from consumer data, and describe other rights involving customer control over their information. It’s worth noting, too, that the draft regulation requires that communications with customers be written in easy-to-understand language.
- Business practices for handling customer requests. Businesses will be required to offer at least two contact options for customers to submit right-to-know and right-to-delete requests. One option has to be a toll-free number, and if the company has an interactive website, a contact option must be made available there as well. Businesses can use more than two methods, such as designated email addresses or postal mail for paper-form requests. An important addition to this regulation is the recognition of household information. This draft regulation also revised the amount of time businesses have to respond to a request: they must confirm receipt of the request within 10 days, and they have 45 days to fulfill it.
- Verification of requests. Businesses will be responsible for verifying the identity of the customer making the request, ensuring that the person really is the individual whose PII the company collected.
- Special rules regarding minors. For someone 13 years of age or younger, the business must verify that the person submitting the opt-out request is the minor’s parent or guardian, and must require signed request forms. For minors between 13 and 16 years old, businesses may allow the minors themselves to opt in to the sale of their personal information.
- Non-discrimination clause. Businesses can’t discriminate against a person because they decided to exercise their right to be forgotten under CCPA. There is a loophole here that allows businesses to offer “a price or service difference if it is reasonably related to the value of the consumer’s data.”
Why Should We Care about the Draft Regulations?
The draft regulations have better defined some open questions within CCPA, such as recognizing households and not just the individuals within a household. They also address an important concern among both businesses and consumers through their verification-of-requests provisions. As was discussed in Sosa’s session, attendees admitted they wondered how they were going to tell the John Smith requesting the right to be forgotten from the 20 other John Smiths in the database, and how they were going to prove that someone is who they say they are. Without a strict verification process, especially when an individual asks to review the data on file, businesses risk sending that information to an identity thief or other attacker impersonating the customer.
Questions still linger, however. These regulations address the sale of data to third parties, but they don’t address the sharing of data between different organizations. There are also questions about what defines a non-profit group and whether the information such groups have on file should fall under CCPA compliance.
In the end, for everyone involved, CCPA is about money, Sosa said. This could be very expensive – expensive for companies who have to pay fines for non-compliance but also expensive to be compliant. “Compliance can be lengthy and complicated,” said Sosa. The draft regulations should provide a clearer process for companies to follow in order to meet these upcoming deadlines.