Data Privacy Update: California AG Proposes CCPA Modifications
The California Attorney General’s office published revised proposed regulations for implementing the California Consumer Privacy Act (CCPA) on February 7, 2020. What are the implications for businesses trying to stay compliant with this landmark data privacy regulation?
Since the California Consumer Privacy Act of 2018 was proposed and signed in a startlingly short amount of time, it’s no wonder this “comprehensive” consumer privacy law suffers from a few redundancies and muddled definitions.
The experts at Keesal, Young & Logan have dug into the details of the A.G.’s announcement. So we’ll focus only on a few changes that can directly affect how a company might deploy technology solutions like workflow automation to draft and publish the processes that help it deliver timely compliance with the law.
Guidance about what is (and isn’t) “personal information”
It’s good to have clarity about exactly what constitutes personal information (PI), and the revised regulations will consider data PI if the business maintains it in a way that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household.
For a website, for example, merely collecting the IP addresses of site visitors doesn’t make those IPs “personal information” until they’re explicitly linked to a particular California resident or household.
That’s a vital parameter for legal and compliance departments that may want to build processes aimed at capturing visitor consent, or discovery processes for weeding through existing data, or satisfying consumer requests under the new legislation.
Accessibility standards
Rather than just offering a general statement that the notices and privacy policy the CCPA requires on a business’ website must be accessible to persons with disabilities, the CCPA’s regulations now incorporate the specific guidelines and standards of the Web Content Accessibility Guidelines (WCAG) 2.1.
Specifying the Opt-Out button
The CCPA now mandates that websites incorporate a uniform “opt-out” button for use as the “Do Not Sell My Personal Information” link. This graphic will consist of a red button or toggle switch that might not win any design awards, but gets the point across.
Confirmation of Receipt and Responses to Requests to Know and Delete
Businesses must confirm the receipt of a request to know or delete a consumer’s personal information within 10 business days. That’s why an automated solution, where compliance is more assured and human error is vastly reduced, is a light-years-ahead improvement over manual processes where opportunities for risk are abundant.
The confirmation may be given in the same manner by which the request was made; for instance, a phoned-in request may be confirmed over the phone. The actual “substantive” responses to requests to know and delete personal data must be made in 45 calendar days.
When businesses aren’t required to search for personal information
This one will unburden many businesses from what seemed a steep compliance hurdle under former CCPA language: in responding to a request to know, businesses aren’t required to search for personal information if they meet all of these conditions:
A) The business doesn’t maintain the personal information in a searchable or reasonably accessible format;
B) the business maintains the personal information solely for legal or compliance purposes;
C) it doesn’t sell the personal information or use it for any commercial purpose;
D) the business describes to the consumer the categories of records that may contain personal information that it didn’t search because it meets the conditions just given.