Recap of San Francisco Public Hearing on CCPA

On December 4th, the California Attorney General’s (AG) office held a public hearing in San Francisco on the California Consumer Privacy Act (CCPA). The hearing provided the public with an opportunity to take part in the CCPA rulemaking process. The rulemaking process is governed by the California Administrative Procedures Act which requires the AG to solicit comments from the public through hearings and in writing. The AG considers all comments, makes revisions to the proposed regulations where appropriate, and posts another draft of the regulations for public review and comment.The San Francisco hearing took place at the Milton Marks Conference Center where the room was packed with approximately 175 attendees, including TrustArc team members. 

Representatives from the Office of the California AG started with a brief introduction and then allowed for pre-registered speakers to make their comments. With over 20 speakers, the public hearing lasted almost two hours and covered a wide range of CCPA-related topics and concerns. Below are some highlights from the hearing:

Individuals representing two different Bay Area credit unions spoke on the difficulties of complying with the complexities of the CCPA with a small staff and limited resources. Both asked for the enforcement date to be extended to January 1, 2022, pushing the date two full years. Extending the enforcement date would allow them the time needed to “get it right the first time,” they argued. 

One of the co-authors of the CCPA text also spoke during the public hearing. He argued that the CCPA’s fifteen-day grace period for companies to process opt-out requests was simply too long, and the requests need to be processed immediately, up to 72 hours at the latest, adding, “If [a company] is able to start selling immediately, they should be able to stop selling immediately.” 

A representative of an SF-based technology company criticized the “out of date” toll-free phone number required for CCPA compliance, especially for companies who conduct business solely online. She said the unnecessary requirement is expensive for companies to maintain, even if they do not receive a single phone call. She argued that companies could also become the targets of robo calls designed to exploit the way in which toll-free telephone numbers are billed to commit a fraud for profit.

Another speaker, a CPO with over 20 years of privacy experience in California, asked the AG’s office to clarify the definitions of “business,” “service provider,” and “3rd party.” She stated definitions were needed for these three terms because they are often used differently within the text of the CCPA.  

A data privacy advocate and former elected official expressed his concern over whether large technology companies will take the CCPA seriously. He commented that based on his conversations with C-Suite executives, attitudes towards the CCPA have been very cavalier, with statements ranging from “I’ll wait until there’s fines” to “I’m retiring soon, so it’ll be someone else’s problem to deal with.” The speaker suggested the AG’s office carry out tight enforcement in order to truly protect consumers.

The §999.315(c) requirement, that businesses treat browser privacy signals as valid requests to opt out, received attention from several speakers. Advocates commended the proposed regulation as giving consumers an accessible method to express their intent, while opponents argued that it would frustrate actual consumer intent. Two speakers expressed their belief that consumer intent would be better inferred through their interaction with an opt-out link or button.

TrustArc is an active participant in privacy conferences and our team regularly attend policy hearings to help inform and shape our solutions. With privacy experts spanning the world in the U.S., Canada, Latin America, Europe and Asia, our team is at the forefront of the ever-changing privacy landscape. To speak with a privacy expert about the California Consumer Privacy Act, schedule a consultation today!

New IAPP and TrustArc Report Reveals a Majority of Companies Are Embracing a Single Global Data Protection Strategy

TrustArc and the International Association of Privacy Professionals (IAPP) announced the results of new benchmarking research that examines the current state of privacy operations. The research shows that a majority of companies are adopting a single global data protection strategy to manage evolving legal requirements, and that managing the expanding ecosystem of third parties handling data has become a top priority. 

“The data outlined in this study demonstrates, once again, that privacy is not a one-off endeavor,” said Trevor Hughes, CEO and president of the IAPP. “Privacy management is an increasingly complicated industry. As a result, the role of privacy professionals is taking center stage. Our research highlights how they must act as stewards for implementing the processes and technologies required to ensure scalable compliance across an ever-growing ecosystem of data from partners, customers, and vendors.”  

Evolving Ecosystem of Partners, Customers, and Vendors Driving Risk Assessment Processes

Vendor and third-party risk assessments ranked first among privacy assessments globally, with 78 percent of U.S. respondents reporting that they now conduct them. That figure indicates the growing complexity of the ecosystem now impacting compliant data privacy management. 

“The CCPA will be the toughest privacy law this country has seen to date, expanding the rights of consumers and their data,” said Chris Babel, CEO of TrustArc. “This survey reinforces what we continue to see and hear from our thousands of customers: that privacy management is getting more complex. That’s why we continue to lead the charge in building the technology solutions and enabling the infrastructure integrations necessary to make compliance automated and scalable.”

To understand the different types of privacy operations across regions, company size and industry, TrustArc and the IAPP surveyed close to 350 privacy professionals in the U.S., EU, UK and Canada.

Key findings from the survey include:

U.S. companies comply with more laws than EU counterparts, which focused primarily on GDPR

  • 79% of respondents report complying with two or more privacy laws, while only 16% are focused on just one. 
  • 10% report actively working to comply with 50 privacy laws or more at once, while 13% are working on 6-10 laws, and another 13% on 11-49 laws.
  • EU respondents were more likely to report actively working to comply with five or fewer privacy laws, while U.S. respondents were more likely than their EU counterparts to be complying with 11 or more laws.
  • Significantly more EU+UK respondents (81%) conduct Data Protection Impact Assessments as compared to U.S. respondents (53%). 

Majority pursuing a single, global data protection strategy 

  • 56% of respondents across all geographies are working toward a single, global data protection and privacy strategy for data subjects’ rights. 
  • Only 28% of U.S. companies and 21% of EU+UK companies categorize data subjects by jurisdiction and geography and handle each data subject’s data according to the laws that apply to that individual.
  • A majority of EU+UK respondents report serving customers in only one region (22%) compared to U.S. respondents (11%). 

Growing complexity is driving operational changes to privacy programs

  • 47% updated their website’s cookie policy and 80% updated their website’s privacy policy one or more times in the last 12 months. 
  • 42% deleted personal data more regularly; more so among EU+UK respondents (56%) than U.S. (44%).
  • 21% converted from an opt-out to an opt-in email marketing strategy across geographies; vastly more so in the EU+UK (30%) compared to US respondents (13%).

To download the complete findings, click here.

About the Research

The survey was fielded in the fall of 2019 to the IAPP Daily Dashboard newsletter, which reaches more than 60,000 subscribers from around the globe. The results are based on responses from 327 privacy professionals (primarily in-house in privacy, legal and compliance functions) based in the U.S. (43%), EU/Non-UK (24%), UK (13%), Canada (9%), Asia (4%) and Other Countries (7%). Company size ranged between 1-250 employees (25%), 251-1,000 (17%), 1,001-5,000 (20%), 5,001-25,000 (19%), and 25,000+ (19%). Respondents represent a variety of industries, split between sectors traditionally regulated for privacy (e.g. health care, financial services and banking, insurance) at 35% and sectors traditionally not subject to privacy regulation (e.g. technology and software, manufacturing) at 33%. Those working in legal or consulting services made up 16% of respondents, with another 11% representing governmental or non-profit organizations.


Upcoming Webinar: How to Comply with CCPA as Part of a Global Privacy Strategy


TrustArc is proud to present the next Privacy Insight Series webinar “How to Comply with CCPA as Part of a Global Privacy Strategy” with TrustArc Director U.S. Eastern Region Consulting Group & Senior Privacy Consultant Paul Iagnocco, and TrustArc Senior Privacy Consultant Martin Gomberg. This webinar will take place on Wednesday, November 13th at 9am PT (12pm ET/5pm GMT). Don’t miss this opportunity to learn more about global privacy strategy – register today!

With the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other laws such as the Brazilian General Data Protection Law (LGPD), businesses must be prepared to comply with a variety of laws around the world.

Privacy is a complex, multi-level concept which is now being regulated in more than 130 countries with more than 500 privacy laws. To be successful in complying with so many laws, businesses must develop a multi-jurisdictional approach that is consistent and predictable yet also not one-size-fits-all.

This webinar will help answer questions like:

  • What are the additional privacy laws outside of the GDPR and CCPA law requirements you need to be aware of?
  • How do you manage data privacy to meet all applicable global requirements?
  • How do you implement a multi-jurisdictional custom approach to address all applicable laws and regulations?

Can’t make it? Register anyway – we’ll automatically send you an email with both the slides and recording after the webinar.

TrustArc publishes a broad range of privacy educational resources, including research reports, benchmark statistics, solutions briefs, product updates, webinars, workshops and much more. Check out the following resources on hot topics including CCPA, GDPR, Vendor Risk Management, DSAR Best Practices, Cookie Consent, and much more. Register for the free TrustArc Privacy Insight Series subscription and find out why over 20,000 privacy professionals per year take advantage of TrustArc privacy education resources. 

The Careful Planning Required to Meet and Maintain CCPA Compliance – Tips and Tools for your CCPA RFP


The California Consumer Privacy Act (CCPA) is set to be the toughest privacy law in the United States. The act broadly expands the rights of consumers and requires businesses within scope to be significantly more transparent about how they collect, use, and disclose personal information. The act is one of the first laws to show that, as many jurisdictions have and are continuing to do, the U.S. may be trending toward more rigorous global privacy regulations. The CCPA was signed on June 28, 2018, is effective January 1, 2020, and enforcement is slated to begin no later than July 1, 2020. It has many similarities to the GDPR, from its extraterritorial reach to its expansive rights for individuals, and will impact tens of thousands of businesses worldwide that collect California consumers’ personal information.

Data protection management and compliance with the CCPA will be a challenging task. Most companies are planning to invest in external resources including technology solutions and consulting services. In recent “CCPA and GDPR Compliance Report” research, TrustArc found that 84% of respondents say that they have started the CCPA compliance process, but only 56% have started implementation.


Businesses that have prepared to comply with GDPR by creating comprehensive data governance practices, records of processing, and individual rights procedures will have a head start. But, under the CCPA, all companies in scope will need to enhance their data management practices, expand their individual rights processes, and update their privacy policies. According to research, 21% of respondents that also worked on GDPR compliance are ready for CCPA. However, out of the companies that haven’t worked with GDPR, only 6% are ready for CCPA. The overall compliance rate is currently 14%.


CCPA compliance requires diligent planning and training for teams on their roles in helping to implement CCPA compliance. Technology can help teams automate some of the otherwise manual processes, which will save time and help promote consistency. Technology can also assist teams to keep careful records – both for implementing programs that pertain to requirements such as responding to data subject access requests; and, for demonstrating compliance. Companies must carefully consider their privacy approach by selecting the best solutions and tools in order to achieve their privacy program management goals. 

To help your company acquire a technology solution to efficiently manage CCPA compliance requirements, TrustArc has developed a comprehensive template you can use to help select the best privacy compliance solution for your company. The CCPA RFP Template benefits include:

  • Comprehensive list of solution requirements to support CCPA compliance
  • Flexible spreadsheet format for easy editing and collaboration
  • Works for companies of all sizes across all industries

Request the TrustArc CCPA RFP Template here.

TrustArc can also help you develop a custom RFP for your business as well as provide guidance on the types of solutions that best fit your needs.  To set up a free consultation, contact us today. 

Nevada Enacts New Privacy Law – Consumers Granted the Right to Opt-Out of the Sale of Personal Information


On May 29th, Nevada Governor signed into law Senate Bill 220, a new privacy law granting consumers the right to opt-out of the sale of their personal information. Nevada is the second state to grant this right, following California (CCPA). SB 220 does not provide for a specific effective date; therefore, following Nevada law, it will go into effect October 1, 2019.

While similar to the “Do Not Sell” provisions of the CCPA, the SB 220 has notable differences:

SB 220 defines “sale” more narrowly. SB 220 defines “sale” as the sale or licensing of personal information for monetary consideration. CCPA defines “sale” more broadly to include the sale, renting, release, disclosure, dissemination, availability, or transfer of personal information for monetary or other valuable consideration.

SB 220 defines “consumer” more narrowly to exclude employee information. SB 220 defines “consumer” as any person who seeks or acquires any good, service, money or credit for personal, family, or household purposes. As currently written, CCPA defines consumer as California residents. (However, see AB 25, an amendment to exclude employee data from CCPA’s scope.)

SB 220 defines “personal information” more narrowly to exclude “household” information. SB 220 defines personal information as information personally identifiable information about a consumer. CCPA defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be associated with a consumer or household.

SB 220 has broader applicability – no required thresholds to meet. CCPA has minimum thresholds that must be met for the law to apply. Namely, CCPA will apply only to businesses that: (1) have an annual gross revenue exceeding $25 million; annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; and/or (3) derives 50 percent or more of its revenue from selling consumers’ personal information. SB 220 will apply to businesses that: (1) own or operate a website or online service; (2) collect personal information from consumers who reside in the state and use or visit the site; and (3) direct their activities toward the state, purposefully avail itself of the privilege of conducting activities in the state, or otherwise have a sufficient nexus with the state.

SB 220 has a longer timeframe to respond. Like CCPA, SB 220 requires that businesses respond to verifiable requests within a defined time. SB 220 requires that businesses respond within 60 days upon receiving a request; with a 30 day extension permissible if necessary. CCPA requires that requests be responded to within 45 days of receiving of request; with a 45 day extension permissible if necessary.

SB 220 does not allow a business to request authorization for a sale after opt-out. CCPA expressly provides that businesses can, after 12-months of respecting a consumer’s decision to opt-out, request from the consumer authorization for the sale of his or her personal information. SB 220 does not provide businesses a similar right; rather, SB 220 requires the businesses that receive opt-out request not make any sale, indefinitely.

SB 220 does not require a conspicuous “Do Not Sell My Personal Information” link. CCPA expressly requires that business provide a clear and conspicuous link on the business’s internet homepage, titled “Do Not Sell My Personal Information,” for individuals to make a request. SB 220 requires that businesses have a “designated request address”—email address, telephone number, website—for individuals o submit requests; there is no requirement for the request address to be on a business’s internet homepage.

View the full text of SB 220 here; and CCPA here.

This update was provided by the TrustArc Privacy Intelligence News and Insights Service, part of the TrustArc Platform. To learn how you can get full access to the daily newsfeed, contact us today!

The Giant Awakens – China’s Cybersecurity Law (CSL) and Data Protection Obligations


While many of us were focused on the European Union’s GDPR and California’s Consumer Privacy Act (CCPA), the giant on the other side of the world implemented China’s Cybersecurity Law (CSL) in June 2017. While CSL laid out broad data protection principles, there were noticeable gaps related to implementation and overall scope. To operationalize and further clarify CSL scope, the Chinese government instituted six systems: the Internet Information Content Management System; the Cybersecurity Multi-Level Protection System (MLPS); the Critical Information Infrastructure Security Protection System; the Network Products and Services Management System; the Cybersecurity Incident Management System; and the Personal Information and Important Data Protection System.

While it is important for foreign businesses to review all aspects of CSL and the six systems, TrustArc has helped clients focus in on the implications of the Personal Information and Important Data Protection System. Specifically addressing the following regulations:

  1. What are the requirements to store certain information (including negative list) inside China and at what level of required security measures (e.g., Ministry of Public Security [MPS] Regulation)?
  2. What procedures and reviews are needed before transferring certain information out of China (e.g.,Cross-Border Data Transfer)?
  3. What are the required notice and consent requirements when collecting personal data?
  4. What are the MPS requirements in reporting a cyber incident within 24 hours?
  5. What does the Cyberspace Administration of China (CAC) require in the security assessment report annually?
  6. Data subjects have what individual rights under the PI Security Specification?

For more than 20 years, TrustArc has worked with the world’s largest and most successful brands to find innovative solutions to data privacy challenges. Headquartered in San Francisco, and backed by a global team, we help clients worldwide demonstrate compliance, minimize risk, and build trust. Using a combination of consulting expertise and powerful technology, TrustArc will help your team address privacy issues and meet global compliance requirements. Learn how TrustArc Privacy Consulting can help you build and manage your privacy program. Schedule a consultation today!