CCPA Update: February Regulation Proposed Revisions


The most recent revised proposed regulations to the CCPA were released on February 10, 2020.  As communicated in the “Information about the rulemaking process” issued by the Office of the Attorney General previously, if any changes were made to the proposed regulations, they would publish “another draft for more public comment” and “give the public at least 15 days (or longer, depending on the extent of the revision) to comment.” That comment period has now ended.

Prior statements by Attorney General Becerra led us to expect regulations in January, so it appears the timeline may be extending at some point, but how this will impact the enforcement date is unknown. Currently, there has been no indication that the enforcement date of July 1 will be pushed back at all.

Both the redlined and clean versions are published online. One of the more controversial proposed elements previously was that businesses unable to verify a request for deletion would treat that unverified request as a “Do Not Sell” request (§ 999.313(d)(1)). That has been removed along with the requirement to indicate which method of deletion was performed – deleted, de-identified, or aggregated. Another concerning proposed element was that a request for deletion had to go through a two-step process. Now, the two-step confirmation is suggested, but not required (§ 999.312(d)).

A controversial requirement that was removed was one requiring businesses to communicate a consumer’s opt-out of sales to any parties to whom the business sold the data in the prior 90 days (§ 999.315(f)). Under the new proposed regulations, businesses are required to process opt-outs within 15 business days and if there is a sale made during that time, the business must contact those third parties and direct them to remove the consumer’s data.

Key clarifications include the definition of “household” (§ 999.301(k)) “means a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier. Previously the definition was “a person or group of people occupying a single dwelling.” The new definition better accommodates the reality of the knowledge a business may have about households.”

Another key clarification came with the new section 999.302 on Guidance regarding the interpretation of CCPA definition. This new section of the proposed regulations provides:

Whether information is “personal information,” as that term is defined in Civil Code section 1798.140, subdivision (o), depends on whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”

This is welcome news to many companies as it may change the conversation around cookies. It does not end the conversation, but it does change some of the recent focus.

Other information that was added included guidance around when mobile apps should provide just-in-time notice (§ 999.305(a)(4)), accessible notices (various sections), and that “do not sell my personal data” link is not required in the notice at the collection of employment-related information (§ 999.2305(e)).

Where are we now?

The comment period has ended and we expect the next version will be the issuance of the final regulations. We may be surprised again with a new round of proposed regulations, but that is not expected. Next, according to the “Information about the rulemaking process,” the Office of the Attorney General will prepare and submit the final rulemaking record to the Office of Administrative Law (“OAL”) for approval, including the summaries and and responses to each public comment received. The OAL has 30 working days to determine if all of the procedural requirements are met and if so, the regulations will be filed with the Secretary of State.

Will enforcement start July 1, 2020?

At this time, enforcement remains slated to start on July 1, 2020.

To speak with a privacy expert about the California Consumer Privacy Act and how to comply, schedule a consultation today. In addition, TrustArc discusses the CCPA in its Serious Privacy podcast with Peter Stockburger, partner at Denton’s who practices in the area of Data Privacy.

Serious Privacy on Global Data Privacy / Data Protection Day

Privacy laws are 50 years old this year! – which makes this Global Data Privacy Day – or Global Data Protection Day – even more special.

In celebration, TrustArc is launching the Serious Privacy Podcast, because the world needs serious privacy help. The podcast, hosted by Paul Breitbarth and K Royal, will look at the topics privacy professionals are most concerned with and seek to help them maximize their time by delivering key content in different ways. As Paul and K discuss in the pilot episode, the podcast will deliver TrustArc webinars via podcast, seek to capture conference sessions, and host unscripted discussions with privacy professionals on relevant, interesting, controversial, inspiring, or exciting topics.

In this pilot, Paul and K touch on two topics – privacy turning 50 years old and insight into how they got into privacy as a profession and what keeps them here.

It seems surprising that both Europe and the United States passed their first privacy laws. The EU saw its first data protection law ever with the German federal state of Hessen, albeit at regional level. Three years later, Sweden followed with their national Data Act, the first national data protection law. On the US side, the Fair Credit Reporting Act was passed in 1970 addressing a concern of “fairness, impartiality, and a respect for the consumer’s right to privacy” and the US Privacy Act followed in 1974.

Since then, the world has joined in with hundreds of privacy laws being passed and taking some different approaches in enforcement. But the one thing that remains clear…. it is critical that individuals have rights when it comes to their personal information and that businesses take responsibility to protect the data entrusted to them.

The huge jumps in technology and digital data and the increasing number of laws is what drove many privacy professionals to enter the field, by design or happenstance. In the first episode, Hilary Wandall, SVP, Privacy Intelligence and General Counsel joins us to share how she entered privacy along with the career journeys of Paul and K. As you can imagine, the paths share as many similarities as they do differences.

Listen to the pilot episode here.
Please let us know what you are interested in hearing. Email us here:

The podcast reflects what the privacy profession needs, real information, readily available, with convenient timing, and honest discussion of the real topics that matter in privacy and management of privacy programs. Really serious privacy.

Adobe Boosts Global Trust with TrustArc APEC PRP Certification

By Adobe Privacy Team 

As governments globally continue to address data privacy, organizations have seen how a privacy-by-design approach can yield significant benefits. Since the introduction of the General Data Protection Regulation (GDPR), research has shown that companies who build privacy into the foundation of their product lifecycle have seen a competitive advantage with more positive customer satisfaction, increased trust, and even higher employee morale and revenue.

Earlier last year, we teamed up with TrustArc, which has a rich history of helping companies demonstrate compliance, to independently validate our GDPR readiness. We’re excited to build upon this and announce that Adobe is now certified under the new Asia-Pacific Economic Cooperation (APEC) Privacy Recognition for Processors (PRP) for various offerings within Adobe Experience Cloud, further demonstrating our commitment and readiness to support our global customers and partners. This puts us among a small group of leading organizations that have demonstrated the ability to support data controllers in compliance with the APEC Cross Border Privacy Rules (CBPR).

TrustArc PRP certification

The APEC Cross Border Privacy Rules (CBPR) and PRP are voluntary enforceable, accountability-based data privacy certifications. The framework was endorsed by the 21 APEC Member Economies to promote accountable and responsible transfers of personal information around the globe.

While the APEC CBPR only applies to data controllers, the APEC PRP was established to provide a mechanism to help controllers identify qualified and accountable processors and help those processors demonstrate their ability to support controllers in compliance with the CBPR.

TrustArc CEO Chris Babel said, “We believe a strong data privacy management program is critical for companies to build customer trust. We reviewed and certified the privacy practices of Adobe to ensure they meet the terms of PRP participation and can demonstrate this privacy commitment to users, partners and regulators.”

Continued commitment to privacy principles

As we continue to build on our strong privacy foundation, we find it incredibly important to participate in these types of certification and validation programs to help demonstrate our compliance with globally recognized privacy standards.

Knowing privacy is top-of-mind for our customers and partners alike, we’re also listening and anticipating their needs by introducing various services and tool as part of our Adobe Experience Platform Privacy Service and the Privacy JavaScript Library.

We are committed to privacy-by-design principles and demonstrating accountability and transparency.

Read the full post here.

TrustArc Gives Back – 2019 Recap

In 2019, TrustArc continued its commitment to corporate responsibility this year by organizing and attending several volunteering events. From cycling to gardening to providing gifts to underserved kids, TrustArc employees stayed active while giving back to the local and global community. The TrustArc Gives Back program was created to provide employees with opportunities to volunteer alongside their teammates in an effort to make the world a better place. Each year, TrustArc Gives Back creates numerous volunteer events throughout the year in a variety of different settings to provide several days of giving back and good times. This blog post recaps TrustArc’s multiple volunteer events from 2019. 

Cycle for Survival

In February, the TrustArc team put on their workout gear and broke a sweat during Cycle for Survival, an annual stationary bike event where TrustArcers raise money with the goal of beating rare cancers through research. Each rider cycled their hearts out for an hour while being cheered on by fellow employees and event participants.  

TrustArc raised $13,705 for Cycle for Survival this year! Every single dollar is directly allocated to rare cancer research at Memorial Sloan Kettering Cancer Center within six months of the close of fundraising.

Urban Gardening at the Sunnydale Gardens Project

In June, the TrustArc Team helped install a new garden at the Sunnydale Community Garden.  The TrustArc team gardened, planted trees, worked on construction projects, and even helped paint a mural. The Sunnydale Gardens Project is the largest urban farming initiative in San Francisco. 

TrustArc worked with Urban Sprouts and made a financial donation to help support their free educational and job-training programs for youth and families in San Francisco’s underserved communities (in addition to covering supplies and staffing for the project).

Project Open Hand

During two days in September, the TrustArc community walked over to Polk Street in San Francisco and helped prepare, assemble, and distribute the 2,500 nutritious meals and nearly 200 bags of healthy groceries that went to their clients. 

TrustArc partnered with Project Open Hand, a non-profit in our neighborhood, to help provide nutritious food options for clients with critical illnesses. The meals are nutritious and they work with registered dietitians to counsel clients on how to eat to feel better.

SF Marin Food Bank

Over three days in December, the TrustArc team donned hair nets and volunteered at the SF/Marin Food Bank. During their volunteer time, they sorted the fruits and vegetables that would eventually make their way into the hands of those in need of access to fresh produce.   

The SF/Marin Food Bank serves families with children, seniors, and those experiencing homelessness. Every year, 225,000 people rely on food from the food bank and 30,000 families receive healthy groceries at over 260 pantry locations. More than 60% of the food they distribute is fresh produce. 

The Family Giving Tree

For many families, the holiday season can be difficult. They’re already spread thin and are unable to provide the holiday experience they wish they could. This year, TrustArc worked with The Family Giving Tree and organized a company gift drive. From Hot Wheels to sewing machines, TrustArc was able to brighten the holidays for some needy families this season.


The Family Giving Tree is a Bay Area non-profit organization that helps underprivileged adults and children throughout our community. “Since 1990, the Family Giving Tree has provided gifts for over one million San Francisco Bay Area children, families, and seniors from low-income households.”

TrustArc employees in our Cebu office also made several generous contributions to the community this year: 

TrustArc Reaches Out to the Ati Tribe

The Ati or Aetas are indigenous people of the Philippines. Being nomads, some of them migrated to Nage, Cebu about 20 years ago. Since then, their community has grown exponentially. While the local government is supporting the Ati community, there isn’t enough for them to sustain a decent living. The  Ati community has limited access to basic resources including water, and their children are not accustomed to basic hygiene such as taking a bath, brushing teeth or washing hands.  

TrustArc employees went to the Ati Community on February 24, 2019, and presented a short cartoon on the importance of proper hygiene like taking a bath, washing hands and brushing teeth. After the short film presentation, TrustArc employees distributed Jollibee burgers & spaghetti – food that may be ordinary to most, but are considered gourmet to these children. The community outreach ended with TrustArc giving a special gift to the Ati Chieftain. He thanked TrustArc for its generosity, and for making an impact on the tribe members, especially the children.

TrusArc Joins National School Maintenance Week “Brigada Eskwela”

TrustArc Cebu conducted its 2nd community outreach program last June 26, 2019  to help senior students of Lagtang Elementary School, a public school located in Talisay, City, Cebu.  

TrustArc learned that teachers had major concerns about their students’ lack of interest in continuing their formal education. One reason for this is the insufficient finances for students to buy the necessary school materials. TrustArc employees raised funds, which was matched by TrustArc, to buy school supplies such as notebooks, bond paper, pens, rulers, and other needed items. These materials were distributed to each and every senior high school student.  


TrustArc employees, together with the co-founder of KA-T-ON (a non-profit organization that provides free tutorials for underprivileged high school students), also shared their own inspiring stories and messages to motivate the students to persevere and promote the importance of acquiring a formal education as a means to alleviate poverty, and improve human dignity. The school’s faculty members, including its principal were there to recognize and thank TrustArc employees for sharing their time, efforts and money to help its students. 

TrustArc Joins World Teachers’ Day

Recognizing the important role of educators in the development of the country’s future workforce, TrustArc Cebu distributed water canisters to 145 teachers of Pardo Elementary School, Cebu City as our simple way to thank them for their noble role in shaping the hearts and minds of children who will be the future economic drivers of the country. This event happened during the observation of the World Teacher’s Day on October 4, 2019. 


As 2019 comes to a close, the TrustArc Gives Back program is quickly adding volunteer events to the calendar for 2020. Want to work for a company that’s focused on giving back to the community? Looking for a great place to work that celebrates innovation, leadership and creativity? Check out the TrustArc Careers page and find out why TrustArc was recognized as a winner of the 2019 Bay Area Best Places To Work award

Webinar Recap – CCPA: Countdown to Enforcement

As part of the TrustArc Privacy Insight Series, TrustArc Senior Privacy Consultant Beth Sipula, TrustArc Privacy Counsel Edward Hu, and TrustArc Director Privacy Intelligence Development Joanne Furtsch presented the webinar “CCPA: Countdown to Enforcement” last week. This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.

The CCPA is set to be the toughest privacy law in the United States. It broadly expands the rights of consumers and requires companies within scope to be significantly more transparent about how they collect, use, and disclose personal information. The CCPA is effective January 1, 2020, and enforcement is slated to begin no later than July 1, 2020.

During this webinar, the panelists discussed the current hot topics surrounding the CCPA, such as: notice, service providers, browser controls, identity verification, and the right to deletion. Regarding the right to deletion, Beth went into detail on the proposed regulations’ two step process: the first step allows the individual to submit the request for deletion; and the second step separately confirms the personal information will be deleted. Furthermore, Beth explained that when denying requests, businesses must provide the consumer with a notice stating the reasons for denial, including any applicable exceptions, delete any information not subject to exception, and not use the retained personal information for any purpose not provided for by a relevant exception. 

The panel went on to discuss the recent CCPA public hearings, as Joanne attended the Sacramento hearing and Edward attended the San Francisco hearing. They touched on the variety of speakers during both hearings, which showed the wide range of use cases that the speakers brought forth, and the sizable impact of the CCPA. There were many similarities in both hearings, such as requests for model notices from the AG’s office in order to help streamline notice compliance requirements. 

With the January 1, 2020 effective date quickly approaching, Edward provided several action items for companies, such as: 

  • Inventorying your data
  • Putting a consumer request process in place
  • Reviewing vendor contracts to determine who is a service provider
  • Updating privacy notices
  • Making a determination about whether using third-party ad tech cookies constitutes a “sale”

To learn more about the CCPA, view the on-demand Privacy Insight Series webinar here.  TrustArc has a robust library of on-demand webinars available here. You can learn more about the CCPA look back requirement, automating privacy managing, GDPR compliance, and many other hot topics.

The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers, presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges.

Tips to Securing a Privacy Budget

Privacy is historically underfunded when it comes to company budgets, even as “data privacy” has become a popular topic. Some stakeholders view regulations, like the GDPR or CCPA, as a one-time, check-the-box project, and therefore fail to fund appropriately. However, those handling privacy management on a day-to-day basis know this is not the case when dealing with numerous complex privacy regulations. Privacy compliance is an ongoing adventure and cannot be approached like a task that will be crossed off the list once compliance has been reached. Developing a mature privacy program is crucial to ongoing risk management and compliance. So how do you do this when there aren’t the proper resources available? Luckily, there’s several ways through which you can get your stakeholders on board the privacy train: 

Presenting a Solid Case for Privacy

Be Persuasive. When presenting your case to the stakeholders, be ready to make a convincing argument as to why privacy resources are needed. Be prepared. Be firm. And be early – don’t wait until the last minute to figure your compliance plan when there’s an enforcement date quickly approaching. 

Align Visions. Harmonize your privacy vision with the company vision and mission statement. If your company prides itself on its transparency, show that being transparent with your privacy policies and principles syncs with that vision of transparency. 

Case Studies. Nothing gets the point across like cold hard facts. Pull together a list of examples that show the importance of investing in privacy, such a recent regulatory fines, data breaches, and any consumer backlash related to data handling. These tangible use cases will demonstrate the severe repercussions when privacy is not taken seriously.   

Privacy as a Differentiator. Show your stakeholders how privacy will be an innovator and how privacy will set the company apart from its competitors. At CES 2019, Apple took out a large billboard stating “What happens on your iPhone, stays on your iPhone.” This marketing move focused in on Apple’s commitment to user privacy, and used that commitment as a competitive edge.

Know What’s at Stake. Business leaders need to know how much they have to lose. Regulations, such as the GDPR and the CCPA, come with significant penalties for non-compliance. GDPR fines can total up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding year (whichever is higher). Furthermore, stakeholders need to evaluate how potential loss of trust could negatively affect brand equity. 

Set Goals and Targets 

Program Maturity Level. Conduct assessments to understand your company’s maturity level. Explain to the stakeholders the maturity level of the current privacy program and discuss the resources needed and the values of achieving a higher maturity level.   

Compliance Metrics. As mentioned before, cold hard facts get the point across. Compile metrics on where the company is at in terms of number of privacy incidents, number of data access requests, number of number of hours dedicated to employee training, for example.  Or, conversely, point out that not knowing these key metrics suggests that your organization may be at risk if requested by a regulator, shareholders or prospective M&A partners.  Review and analyze past privacy incidents to create qualitative metrics. Set goals for the future and explain what is needed to meet these goals.

Let Technology Help 

Automate. Aim for consistency, repeatability and scalability by using technology to automate and operationalize your privacy processes. For risk assessments, use a tool to complete assessments and generate compliance reports, which saves time, increases accuracy, and improves record keeping. Move away from spreadsheets which are very difficult to update and keep current.

Simplification. Technology can simplify the complex world of privacy regulation and privacy management. Managing data privacy and compliance risk is nearly impossible without specialized technology to streamline the process. A data inventory and mapping solution makes it easy to standardize and operationalize the processes and creates a detailed, up to date inventory of data collected along with visual data flow maps of all business processes.

Visit our website to learn more about how TrustArc can simplify privacy management for the GDPR, CCPA and 500+ other global regulations with our comprehensive technology platform.