With the continued compliance challenges surrounding the CCPA, including the August 14, 2020 approval of the final regulations, companies are looking to their peers to see how they are understanding, assessing, and complying with the CCPA requirements. In May 2020, TrustArc conducted a first-ever Global Privacy Benchmarks Survey which explored ongoing privacy challenges, changes, and opportunities that have arisen in the complex world of data protection and privacy. The CCPA Readiness Market Report 2020 is one part of our overall findings from the Global Benchmarks Survey.
Here are some key findings from the report:
CCPA Readiness. When surveyed before the deadline, three quarters of respondents (76%) believed they were very likely (36%) or somewhat likely (40%) to be ready for the July 1, 2020 enforcement date.
GDPR Prep. 82% of our respondents have leveraged their knowledge of and planning for GDPR to work through CCPA issues, particularly in the United States.
COVID-19. Leading up to the July 1st deadline, many companies were anticipating delays in implementation due to the pandemic and may have been “banking” on the California Attorney General delaying enforcement.
Challenges. When asked which elements of privacy management have been the most challenging, respondents overwhelmingly pointed to two: staying current with privacy and security regulations, and managing privacy risks.
What’s your confidence level on your CCPA preparedness? Download this report now to compare yourself against your peers!
Final CCPA regulations approved and now effective immediately
On August 14, 2020, the California Office of the Attorney General (“OAG”) sent out a notice that the final CCPA regulations have been approved by the California Office of Administrative Law (“OAL”) and filed with the California Secretary of State. Effective immediately, all organizations subject to the CCPA statutes must comply with both the statutes and the regulations.
In the Addendum to Final Statement of Reasons, the OAG noted several changes from the version of the draft regulations submitted on June 1, 2020 to the OAL. The changes were described as “non-substantive” as the OAG deemed them not to materially change “the requirements, rights, responsibilities, conditions, or prescriptions” contained in the June 1, 2020 version. Some of the changes do, however, appear to change the requirements for businesses subject to the withdrawn provisions as described below:
- Effect of withdrawn provision § 999.305(a)(5) – Businesses will not be required to directly contact consumers and obtain explicit consent if they plan on using their personal information for purposes that are materially different than those disclosed in the privacy notice at the time of collection.
- Effect of withdrawn provision § 999.306(b)(2) – Businesses that primarily interact with consumers offline will not be required to provide notice of their right to opt-out of the sale of their personal information using an offline method.
- Effect of withdrawn provision § 999.315(c) – The provision that was withdrawn (1) required that a business’s opt-out method be “easy for consumers to execute” and “require minimal steps to allow the consumer to opt-out,” and (2) prohibited using a method that intended or had the substantial effect of “subverting or impairing” a consumer’s decision to opt-out. The withdrawal of these requirements does not mean, however, that a business may have a convoluted opt-out method, or one that is designed to subvert or impair a consumer’s decision to opt-out or has that effect.
- Effect of withdrawn provision § 999.326(c) – Businesses may still deny requests from authorized agents who do not provide signed written permission from the consumer demonstrating that they have been authorized to act on the consumer’s behalf. The withdrawn § 999.326(c) would have permitted businesses to deny requests from authorized agents who did not submit “proof” of the authorization; however, other sections of the regulations already specify what is required as proof, including signed written authorization from the consumer.
What has changed since the CCPA statutes went into effect?
Though only “non-substantive” changes were made between the June 1, 2020 draft regulations and the August 14, 2020 final regulations, a lot has changed since the CCPA statutes went into effect on January 1, 2020. With the CCPA regulations now in effect, here are some important takeaways that organizations subject to the CCPA statutes will need to make note of:
- Notices provided online must follow generally recognized industry standards for accessibility, like the Web Content Accessibility Guidelines (WCAG) version 2.1.
- Notices must be easy to read and understand, using plain, straightforward language.
- Notices must be available in the languages in which the business ordinarily provides information to consumers.
- Notice must be given at or before the time personal information is collected; a business that has not given notice may not collect personal information from a consumer.
- Businesses may not collect categories of personal information that are not disclosed in the notice at collection.
Individual Rights Requests
- Receipt of a request to know or a request to delete must be confirmed within 10 business days, and the confirmation must describe how the business will process the request, including its identity verification process.
- Businesses must respond to requests to know and requests to delete within 45 calendar days of receipt. If identity cannot be verified within 45 calendar days, the request may be denied.
- Businesses may take an additional 45 calendar days to respond to a request to know or request to delete if necessary (for a total of 90 calendar days), provided the business notifies the consumer and explains the reason for the extension.
- Certain types of personal information may never be disclosed in response to a request to know, including for example Social Security numbers, driver’s license numbers, financial account numbers, health insurance or medical identification numbers, and account passwords.
- Exceptions to complying with a request to delete include personal information on archived or back-up systems (unless and until the information is restored), deidentified personal information, or aggregated consumer information.
- Records of consumer requests, including responses, must be kept for at least 24 months.
Requests to Opt-Out of the Sale of Personal Information
- Businesses must comply with a request to opt-out within 15 days.
- Requests to opt-out need not be verified.
- User-enabled privacy controls, such as browser plug-ins or privacy settings that signal a consumer’s choice to opt out of the sale of personal information, must be treated as a valid request to opt-out.
- If a consumer who has opted out of the sale of personal information requests to opt-in, the business must use a two-step process requiring (1) a clear request to opt-in and (2) a separate step to confirm the choice to opt-in.
Identity Verification
- Businesses are required to have a more stringent identity verification process for requests concerning high risk personal information.
- Businesses must avoid collecting new personal information for the purpose of identity verification where possible.
- Authentication through an online account may be used to verify identity, though a business must require re-authentication before disclosing or deleting a consumer’s data.
Financial Incentive Programs
- Businesses offering financial incentives, including price and service differences, related to the collection, deletion, or sale of personal information must provide in their notice of financial incentive:
  - A summary and description of the terms of the financial incentive and the value of the consumer’s personal information.
  - An explanation of how the incentive is reasonably related to the value of the consumer’s data.
  - A good faith estimate of the value of the consumer’s data that serves as the basis for offering the financial incentive, and a description of the method used to calculate that value.
- Businesses offering financial incentives must provide instructions for opting in to the incentive and for withdrawing from it.
- Except in the case of offering financial incentives, businesses may not discriminate against consumers for exercising their rights under the CCPA or the regulations.
These are only some of the important takeaways from the regulations. If your business is subject to the CCPA, it is important to know the full set of requirements, which can be found here. With both the CCPA statutes and regulations now in effect, prioritizing compliance elements is key.
Companies are understandably in varying stages of preparedness. Whether you’re stalled, have some resource constraints, or just need a review of your plan, TrustArc is here to help. Contact us for a free CCPA Preparedness Assessment to assess your current program against CCPA requirements, identify gaps, and prioritize risk remediation.
TrustArc has announced the results of its “Global Privacy Benchmark” survey on how organizations are protecting and leveraging data, their most valuable asset. One of the most extensive surveys ever conducted on data privacy, it polled more than 1,500 respondents from around the world at all levels of the organization. Survey results examined a wide range of topics, such as organizational commitment to privacy, the measures and investments companies are making to embed privacy, and company readiness for looming privacy regulations, such as CCPA and its July 1 enforcement date.
“There are more than 900 global privacy laws to which organizations must adhere, making privacy management an ongoing and dynamic challenge,” said Chris Babel, CEO, TrustArc. “The TrustArc survey highlights just how difficult it can be to comply with even a single new regulation, such as CCPA, let alone the entire list of existing laws. The results also show how the COVID-19 pandemic and its attendant technologies, such as video conferencing, have exacerbated an already difficult privacy challenge and forced respondents to rethink their approaches.”
CCPA Compliance Readiness Mostly Lacking; Prior GDPR Preparedness a Boost
- Nearly one-third of survey respondents (29%) say they have just started planning for CCPA.
- More than 20% of respondents report they are either somewhat unlikely to be, very unlikely to be, or don’t know if they will be fully compliant with CCPA on July 1.
- Just 14% of respondents are done with CCPA compliance. Nine percent have not started with CCPA compliance, and 15% have a plan but have not started implementation.
- Of respondents who reported as being slightly or very knowledgeable about CCPA and GDPR regulations, 82% are leveraging at least some of the work they did for GDPR in implementing CCPA requirements.
Privacy Professionals Still Use Inefficient Technologies for Compliance Programs
Though 90% of respondents agree or strongly agree that they are “mindful of privacy as a business,” many privacy professionals are left building privacy programs without automation.
- 19% of respondents report they are most deficient in automating privacy processes.
- Just 17% of all respondents have implemented privacy management software, which matches the 17% who are still using spreadsheets and word processors.
- In addition, 19% are using open source/free software and 9% are doing nothing.
- Even in the U.S., which boasts the highest rate of privacy management software adoption, just 22% of respondents use privacy management software as their primary compliance software.
Respondents understand the importance of data privacy and continue to invest in ongoing privacy programs. However, many are still attempting to implement these programs using manual processes and technologies that do not offer automation. Moving forward, the companies that can leverage automation to simplify data privacy can protect their most valuable asset—data—and use it to drive business growth.
Pandemic, New Technologies Present Additional Challenges to Compliance
With the move to all-remote workforces, companies are increasingly turning to technologies, such as video conferencing and collaboration tools. These tools present new avenues for data creation that privacy professionals must consider in their company-wide plans.
- Twenty-two percent of respondents said personal device security during the pandemic has added a great deal of risk to their businesses. “Personal device security” received the highest proportion of “a great deal of risk” responses, compared to the other four response options.
- A majority of respondents said that third-party data, supply chain, personal-device security, unintentional data sharing, and required or voluntary data sharing for public health purposes all added at least a moderate amount of risk to their businesses.
- Seventy percent of respondents say video conferencing tools have required a moderate or great change to their privacy approach, and 65% of respondents say collaboration tools have required a moderate or great change to privacy approaches.
Despite Financial Impact of Pandemic, Privacy Compliance Remains a High Priority
Though many respondents expect a significant decrease in their company’s revenues as a result of the COVID-19 pandemic, they are still prioritizing privacy-related investments.
- Forty-four percent of companies expect a decrease or steep decrease in overall company revenues for the balance of 2020 as a result of COVID-19.
- Just 15% of respondents report they plan to spend less or a great deal less on privacy efforts in 2020 as a result of the pandemic.
- More than two in five respondents (42%) plan to spend $500,000 or more in 2020 on CCPA efforts alone.
Boards of Directors Actively Involved in Privacy Management
The mandate for increased privacy investments is coming from the very top of organizations.
- Eighty-three percent of respondents indicate their board of directors regularly reviews privacy approaches.
- An impressive 86% of respondents say that everyone from the board of directors to the front-line staff knows their role in protecting privacy.
- Four out of five respondents view privacy as a key differentiator for their company.
To download the entire report, click here.
The global pandemic caused by COVID-19 has affected most companies and for many requires operational changes in order to move forward. In light of the uncertainty, TrustArc has provided access to the latest guidance and other helpful information to assist companies as they plan to reopen.
COVID-19: Privacy Risks & Considerations eBook
As the conversation shifts from how to create a remote workforce to how to reopen the physical office, this eBook provides privacy risk guidance for businesses during the COVID-19 pandemic. Download the free eBook here.
The COVID-19 Comparison provides summarized analysis from 100 regulators on the following topics:
- Whether certain legal exceptions apply, such as for public health, healthcare, public interests, or vital interests;
- What can be collected from employees and visitors;
- Requirements related to disclosure of confirmed cases; and
- Processing of location data
Download the Comparison Chart here.
TrustArc has developed regional maps showing regulators’ guidance on returning to work after COVID-19. Download the PDFs: United States, Canada, European Union & United Kingdom
- Providing guidance for employers navigating privacy and security issues; and
- Discussing the privacy implications of new mobile technologies tracking individuals to prevent the virus’ spread.
Serious Privacy Podcast
Serious Privacy podcast discusses COVID-19’s impact on privacy in the following episodes: COVID-19 Part 1, COVID-19 Part 2, Tech Talk: Innovation during COVID-19, Privacy on the Front Lines: A View from LA, and Returning to Work.
Privacy Insight Series Webinar
Watch our on-demand COVID-19 webinar to learn how employers can ensure good data protection and governance practices in these special times.
Describe your perfect privacy career. Do the words “vibrant,” “brilliant,” and “high energy” come to mind? Back when we still had privacy conferences and trade shows, you could sometimes meet someone who was so vibrant, so enthusiastic and so interesting that they would make the whole event. Emerald de Leeuw, Privacy Lead in EMEA for Logitech, is that kind of person. She is a fellow Dutchie to Paul and calls Ireland her home. She is an entrepreneur with a brilliant privacy mind, but allegedly also serves up a mean cocktail.
We speak about building out a career in privacy, being underestimated and staying sane while working hard. We also talk about the challenges that a woman in privacy and tech faces, whether at the beginning of her career, or even when she is established and successful. Being underestimated is just one of those challenges. Emerald also opens up about her career champions and the importance of being authentic as a professional. Listen to this week’s episode on our website or stream the episode below.