The Department of Justice of California published yet another round of draft CCPA (California Consumer Privacy Act) regulations on March 7, 2020 with comments due March 27, 2020.
As stated in the notice, there were “around 100 comments received in response” to the previous draft regulations.
In the most recent version, the “redlined” version is color-coded to easily identify the original draft regulations, the first set of modifications, and this second set of modifications. The redlined and clean versions are published online.
According to the rule-making process, if changes are made to the proposed regulations, the changes will be published for the public to submit comments. These comments would be reviewed and, based on the comments, the published draft would be either revised or accepted. Comments will also be responded to at the publication of the final regulations. The Office of the Attorney General previously provided guidance that if changes are “substantial and sufficiently related,” the changes will be published with an abbreviated comments period of 15 days (this modification and the last one met these requirements). If changes are not made or are “nonsubstantial and sufficiently related,” no publication for comments will occur. Only “major changes” would require a full 45-day comment period.
Some of the key changes include:
- Removal of § 999.302, which was added in the last version to address that an IP address not otherwise associated with identifying information is not personal data. No sections were added or modified in the newest version to address IP addresses.
- Addition of § 999.305(d) clarifying that “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.”
- An addition was made that if a business that denies a consumer’s request to delete sells personal information and the consumer has not already made a request to opt-out, the business shall ask the consumer if they would like to opt out of the sale of their personal information and shall include either the contents of, or a link to, the notice of right to opt-out in accordance with section 999.306. (§ 999.313(d)(7)).
Where are we now?
The comment period ends on March 27, 2020. Per guidance and history, any changes made to this version will result in publication of a new round of proposed regulations.
Once we reach a version wherein there are no changes made, according to the “Information about the rulemaking process,” the Office of the Attorney General will prepare and submit the final rulemaking record to the Office of Administrative Law (“OAL”) for approval, including the summaries and responses to each public comment received. The OAL has 30 working days to determine if all of the procedural requirements are met and if so, the regulations will be filed with the Secretary of State.
Will enforcement start July 1, 2020?
At this time, enforcement remains slated to start on July 1, 2020. TrustArc will keep you posted on updates. To speak with a privacy expert about the California Consumer Privacy Act and how to comply, schedule a consultation today.
The most recent revised proposed regulations to the CCPA were released on February 10, 2020. As communicated in the “Information about the rulemaking process” issued by the Office of the Attorney General previously, if any changes were made to the proposed regulations, they would publish “another draft for more public comment” and “give the public at least 15 days (or longer, depending on the extent of the revision) to comment.” That comment period has now ended.
Prior statements by Attorney General Becerra led us to expect regulations in January, so it appears the timeline may be extending at some point, but how this will impact the enforcement date is unknown. Currently, there has been no indication that the enforcement date of July 1 will be pushed back at all.
Both the redlined and clean versions are published online. One of the more controversial proposed elements previously was that businesses unable to verify a request for deletion would treat that unverified request as a “Do Not Sell” request (§ 999.313(d)(1)). That has been removed along with the requirement to indicate which method of deletion was performed – deleted, de-identified, or aggregated. Another concerning proposed element was that a request for deletion had to go through a two-step process. Now, the two-step confirmation is suggested, but not required (§ 999.312(d)).
A controversial requirement that was removed was one requiring businesses to communicate a consumer’s opt-out of sales to any parties to whom the business sold the data in the prior 90 days (§ 999.315(f)). Under the new proposed regulations, businesses are required to process opt-outs within 15 business days and if there is a sale made during that time, the business must contact those third parties and direct them to remove the consumer’s data.
Key clarifications include the definition of “household” (§ 999.301(k)), which now “means a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.” Previously the definition was “a person or group of people occupying a single dwelling.” The new definition better accommodates the reality of the knowledge a business may have about households.
Another key clarification came with the new section 999.302 on Guidance regarding the interpretation of CCPA definition. This new section of the proposed regulations provides:
Whether information is “personal information,” as that term is defined in Civil Code section 1798.140, subdivision (o), depends on whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”
This is welcome news to many companies as it may change the conversation around cookies. It does not end the conversation, but it does change some of the recent focus.
Other information that was added included guidance around when mobile apps should provide just-in-time notice (§ 999.305(a)(4)), accessible notices (various sections), and that a “do not sell my personal data” link is not required in the notice at the collection of employment-related information (§ 999.2305(e)).
Where are we now?
The comment period has ended and we expect the next version will be the issuance of the final regulations. We may be surprised again with a new round of proposed regulations, but that is not expected. Next, according to the “Information about the rulemaking process,” the Office of the Attorney General will prepare and submit the final rulemaking record to the Office of Administrative Law (“OAL”) for approval, including the summaries and responses to each public comment received. The OAL has 30 working days to determine if all of the procedural requirements are met and if so, the regulations will be filed with the Secretary of State.
Will enforcement start July 1, 2020?
At this time, enforcement remains slated to start on July 1, 2020.
To speak with a privacy expert about the California Consumer Privacy Act and how to comply, schedule a consultation today. In addition, TrustArc discusses the CCPA in its Serious Privacy podcast with Peter Stockburger, a partner at Dentons who practices in the area of Data Privacy.
Privacy laws are 50 years old this year! – which makes this Global Data Privacy Day – or Global Data Protection Day – even more special.
In celebration, TrustArc is launching the Serious Privacy Podcast, because the world needs serious privacy help. The podcast, hosted by Paul Breitbarth and K Royal, will look at the topics privacy professionals are most concerned with and seek to help them maximize their time by delivering key content in different ways. As Paul and K discuss in the pilot episode, the podcast will deliver TrustArc webinars via podcast, seek to capture conference sessions, and host unscripted discussions with privacy professionals on relevant, interesting, controversial, inspiring, or exciting topics.
In this pilot, Paul and K touch on two topics – privacy turning 50 years old and insight into how they got into privacy as a profession and what keeps them here.
It seems surprising that both Europe and the United States passed their first privacy laws. The EU saw its first data protection law ever with the German federal state of Hessen, albeit at regional level. Three years later, Sweden followed with their national Data Act, the first national data protection law. On the US side, the Fair Credit Reporting Act was passed in 1970 addressing a concern of “fairness, impartiality, and a respect for the consumer’s right to privacy” and the US Privacy Act followed in 1974.
Since then, the world has joined in, with hundreds of privacy laws being passed and taking some different approaches in enforcement. But one thing remains clear: it is critical that individuals have rights when it comes to their personal information and that businesses take responsibility to protect the data entrusted to them.
The huge jumps in technology and digital data and the increasing number of laws are what drove many privacy professionals to enter the field, by design or happenstance. In the first episode, Hilary Wandall, SVP, Privacy Intelligence and General Counsel, joins us to share how she entered privacy along with the career journeys of Paul and K. As you can imagine, the paths share as many similarities as they do differences.
Listen to the pilot episode here.
Please let us know what you are interested in hearing. Email us here: Podcast@TrustArc.com
The podcast reflects what the privacy profession needs: real information, readily available, with convenient timing, and honest discussion of the real topics that matter in privacy and management of privacy programs. Really serious privacy.
In 2019, TrustArc continued its commitment to corporate responsibility by organizing and attending several volunteering events. From cycling to gardening to providing gifts to underserved kids, TrustArc employees stayed active while giving back to the local and global community. The TrustArc Gives Back program was created to provide employees with opportunities to volunteer alongside their teammates in an effort to make the world a better place. Each year, TrustArc Gives Back creates numerous volunteer events in a variety of different settings to provide several days of giving back and good times. This blog post recaps TrustArc’s multiple volunteer events from 2019.
Cycle for Survival
In February, the TrustArc team put on their workout gear and broke a sweat during Cycle for Survival, an annual stationary bike event where TrustArcers raise money with the goal of beating rare cancers through research. Each rider cycled their hearts out for an hour while being cheered on by fellow employees and event participants.
TrustArc raised $13,705 for Cycle for Survival this year! Every single dollar is directly allocated to rare cancer research at Memorial Sloan Kettering Cancer Center within six months of the close of fundraising.
Urban Gardening at the Sunnydale Gardens Project
In June, the TrustArc Team helped install a new garden at the Sunnydale Community Garden. The TrustArc team gardened, planted trees, worked on construction projects, and even helped paint a mural. The Sunnydale Gardens Project is the largest urban farming initiative in San Francisco.
TrustArc worked with Urban Sprouts and made a financial donation to help support their free educational and job-training programs for youth and families in San Francisco’s underserved communities (in addition to covering supplies and staffing for the project).
Project Open Hand
During two days in September, the TrustArc community walked over to Polk Street in San Francisco and helped prepare, assemble, and distribute the 2,500 nutritious meals and nearly 200 bags of healthy groceries that went to their clients.
TrustArc partnered with Project Open Hand, a non-profit in our neighborhood, to help provide nutritious food options for clients with critical illnesses. The meals are nutritious and they work with registered dietitians to counsel clients on how to eat to feel better.
SF Marin Food Bank
Over three days in December, the TrustArc team donned hair nets and volunteered at the SF/Marin Food Bank. During their volunteer time, they sorted the fruits and vegetables that would eventually make their way into the hands of those in need of access to fresh produce.
The SF/Marin Food Bank serves families with children, seniors, and those experiencing homelessness. Every year, 225,000 people rely on food from the food bank and 30,000 families receive healthy groceries at over 260 pantry locations. More than 60% of the food they distribute is fresh produce.
The Family Giving Tree
For many families, the holiday season can be difficult. They’re already spread thin and are unable to provide the holiday experience they wish they could. This year, TrustArc worked with The Family Giving Tree and organized a company gift drive. From Hot Wheels to sewing machines, TrustArc was able to brighten the holidays for some needy families this season.
The Family Giving Tree is a Bay Area non-profit organization that helps underprivileged adults and children throughout our community. “Since 1990, the Family Giving Tree has provided gifts for over one million San Francisco Bay Area children, families, and seniors from low-income households.”
TrustArc employees in our Cebu office also made several generous contributions to the community this year:
TrustArc Reaches Out to the Ati Tribe
The Ati or Aetas are indigenous people of the Philippines. Being nomads, some of them migrated to Nage, Cebu about 20 years ago. Since then, their community has grown exponentially. While the local government is supporting the Ati community, there isn’t enough for them to sustain a decent living. The Ati community has limited access to basic resources including water, and their children are not accustomed to basic hygiene such as taking a bath, brushing teeth or washing hands.
TrustArc employees went to the Ati Community on February 24, 2019, and presented a short cartoon on the importance of proper hygiene like taking a bath, washing hands and brushing teeth. After the short film presentation, TrustArc employees distributed Jollibee burgers & spaghetti – food that may be ordinary to most, but are considered gourmet to these children. The community outreach ended with TrustArc giving a special gift to the Ati Chieftain. He thanked TrustArc for its generosity, and for making an impact on the tribe members, especially the children.
TrustArc Joins National School Maintenance Week “Brigada Eskwela”
TrustArc Cebu conducted its 2nd community outreach program on June 26, 2019 to help senior students of Lagtang Elementary School, a public school located in Talisay City, Cebu.
TrustArc learned that teachers had major concerns about their students’ lack of interest in continuing their formal education. One reason for this is the insufficient finances for students to buy the necessary school materials. TrustArc employees raised funds, which were matched by TrustArc, to buy school supplies such as notebooks, bond paper, pens, rulers, and other needed items. These materials were distributed to each and every senior high school student.
TrustArc employees, together with the co-founder of KA-T-ON (a non-profit organization that provides free tutorials for underprivileged high school students), also shared their own inspiring stories and messages to motivate the students to persevere and promote the importance of acquiring a formal education as a means to alleviate poverty, and improve human dignity. The school’s faculty members, including its principal were there to recognize and thank TrustArc employees for sharing their time, efforts and money to help its students.
TrustArc Joins World Teachers’ Day
Recognizing the important role of educators in the development of the country’s future workforce, TrustArc Cebu distributed water canisters to 145 teachers of Pardo Elementary School, Cebu City as our simple way to thank them for their noble role in shaping the hearts and minds of children who will be the future economic drivers of the country. This event happened during the observance of World Teachers’ Day on October 4, 2019.
As 2019 comes to a close, the TrustArc Gives Back program is quickly adding volunteer events to the calendar for 2020. Want to work for a company that’s focused on giving back to the community? Looking for a great place to work that celebrates innovation, leadership and creativity? Check out the TrustArc Careers page and find out why TrustArc was recognized as a winner of the 2019 Bay Area Best Places To Work award.
As part of the TrustArc Privacy Insight Series, TrustArc Senior Privacy Consultant Beth Sipula, TrustArc Privacy Counsel Edward Hu, and TrustArc Director Privacy Intelligence Development Joanne Furtsch presented the webinar “CCPA: Countdown to Enforcement” last week. This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.
The CCPA is set to be the toughest privacy law in the United States. It broadly expands the rights of consumers and requires companies within scope to be significantly more transparent about how they collect, use, and disclose personal information. The CCPA is effective January 1, 2020, and enforcement is slated to begin no later than July 1, 2020.
During this webinar, the panelists discussed the current hot topics surrounding the CCPA, such as notice, service providers, browser controls, identity verification, and the right to deletion. Regarding the right to deletion, Beth went into detail on the proposed regulations’ two-step process: the first step allows the individual to submit the request for deletion, and the second step separately confirms the personal information will be deleted. Furthermore, Beth explained that when denying requests, businesses must provide the consumer with a notice stating the reasons for denial, including any applicable exceptions, delete any information not subject to exception, and not use the retained personal information for any purpose not provided for by a relevant exception.
The panel went on to discuss the recent CCPA public hearings, as Joanne attended the Sacramento hearing and Edward attended the San Francisco hearing. They touched on the variety of speakers during both hearings, which showed the wide range of use cases that the speakers brought forth, and the sizable impact of the CCPA. There were many similarities in both hearings, such as requests for model notices from the AG’s office in order to help streamline notice compliance requirements.
With the January 1, 2020 effective date quickly approaching, Edward provided several action items for companies, such as:
- Inventorying your data
- Putting a consumer request process in place
- Reviewing vendor contracts to determine who is a service provider
- Updating privacy notices
- Making a determination about whether using third-party ad tech cookies constitutes a “sale”
To learn more about the CCPA, view the on-demand Privacy Insight Series webinar here. TrustArc has a robust library of on-demand webinars available here. You can learn more about the CCPA look-back requirement, automating privacy management, GDPR compliance, and many other hot topics.
The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers, presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges.