New TrustArc Report on CCPA Readiness

With the continued compliance challenges surrounding the CCPA, including the August 14, 2020 final regulations approval, companies are looking to their peers to see how they are understanding, assessing, and complying with the CCPA requirements. In May 2020, TrustArc conducted a first-ever Global Privacy Benchmarks Survey which explored ongoing privacy challenges, changes, and opportunities that have arisen in the complex world of data protection and privacy. The CCPA Readiness Market Report 2020, is one part of our overall findings from the Global Benchmarks Survey

Here are some key findings from the report

CCPA Readiness. When surveyed before the deadline, three quarters of respondents (76%) believed they are very likely (36%) or somewhat likely (40%) to be ready for the July 1, 2020 enforcement date.

GDPR Prep. 82% of our respondents have leveraged their knowledge of and planning for GDPR to work through CCPA issues, particularly in the United States.

COVID-19. Leading up to the July 1st deadline, many companies were anticipating delays in implementation due to the pandemic and may have been “banking” on the California Attorney General delaying enforcement.

Challenges. When asked which elements of privacy management have been the most challenging, overwhelmingly respondents pointed to: the challenges of staying current with privacy and security regulations and managing privacy risks.

What’s your confidence level on your CCPA preparedness? Download this report now to compare yourself against your peers!

 

CCPA Regulations Take Effect

Final CCPA regulations approved and now effective immediately

On August 14, 2020, the California Office of the Attorney General (“OAG”) sent out a notice that the final CCPA regulations have been approved by the California Office of Administrative Law (“OAL”) and filed with the California Secretary of State. Effectively immediately, all organizations subject to CCPA statutes must comply with both the statutes and the regulations.

In the Addendum to Final Statement of Reasons, the OAG noted several changes from the version of the draft regulations submitted on June 1, 2020 to the OAL. The changes were described as “non-substantive” as the OAG deemed them not to materially change “the requirements, rights, responsibilities, conditions, or prescriptions” contained in the June 1, 2020 version. Some of the changes do, however, appear to change the requirements for businesses subject to the withdrawn provisions as described below:

  • Effect of withdrawn provision § 999.305(a)(5) – Businesses will not be required to directly contact consumers and obtain explicit consent if they plan on using their personal information for purposes that are materially different than those disclosed in the privacy notice at the time of collection.
  • Effect of withdrawn provision § 999.306(b)(2) – Businesses that primarily interact with consumers offline will not be required to provide notice of their right to opt-out of the sale of their personal information using an offline method. 
  • Effect of withdrawn provision § 999.315(c) – The provision that was withdrawn (1) required that a business’s opt-out method be “easy for consumers to execute,” and “require minimal steps to allow the consumer to opt-out,” and (2) prohibited using a method that intended or had the substantial effect of “subverting or impairing” a consumer’s decision to opt-out.” The withdrawal of these requirements does not mean, however, that a business may have a convoluted opt-out method or one that is designed or has the effect of subverting or impairing a consumer’s decision to opt-out.
  • Effect of withdrawn provision § 999.326(c) – Businesses may deny requests from authorized agents who do not provide signed written permission from the consumer demonstrating they have been authorized to act on the consumer’s behalf. The withdrawn § 999.326(c) would have permitted businesses to deny requests from authorized agents who did not submit “proof” of the authorization, but the regulations specify in other sections what is specifically required as a method proof, including signed written authorization.

What has changed since the CCPA statutes went into effect?

Though “non-substantive” changes were made between the June 1, 2020 draft regulations and the August 14, 2020 final regulations, a lot has changed since the CCPA statutes went into effect on January 1, 2020. With the CCPA regulations now enforced, here are some important takeaways organizations subject to CCPA statutes will need to make note of:

Accessibility 

  • Notices provided online must follow generally recognized industry standards for accessibility, like the Web Content Accessibility Guidelines (WCAG) version 2.1.
  • Notices must be easy to read and understand, using plain, straightforward language.
  • Notices must be available in the languages in which the business ordinarily provides information to consumers. 

Notice

  • Notice must be given at or before the time of personal information collection or a business may not collect personal information from a consumer. 
  • Businesses may not collect categories of personal information not disclosed in its notice.

Individual Rights Requests

  • Confirmation of requests to know or request to delete must occur within 10 business days, and businesses must provide a description of the identity verification process.
  • Businesses must respond to requests to know and requests to delete within 45 calendar days of receipt. If identity cannot be verified within 45 calendar days, the request may be denied.
  • Businesses may take an additional 45 calendar days to respond to a request to know or request to delete if necessary (for a total of 90 calendar days) if it provides notice and an explanation for the time extension.
  • Certain types of personal information may never be disclosed, including for example, Social Security numbers, driver’s license numbers, financial account numbers, health insurance or medical identification numbers, and account passwords.
  • Exceptions to complying with a request to delete include personal information on archived or back-up systems (unless and until the information is restored), deidentified personal information, or aggregated consumer information.
  • Records of consumer requests, including responses, must be kept for at least 24 months. 

Requests to Opt-Out of the Sale of Personal Information

  • Businesses must comply with a request to opt-out within 15 days.
  • Requests to opt-out needs not be verified.
  • Browser plug-ins or privacy settings must be considered a valid request to opt-out.
  • If a consumer who has opted out of the sale of personal information requests to opt-in, the business must use a two-step process requiring (1) a clear request to opt-in and (2) a separate step to confirm the choice to opt-in.

Identity Verification

  • Businesses are required to have a more stringent identity verification process for requests concerning high risk personal information. 
  • Businesses must avoid collecting new personal information for the purpose of identity verification where possible.
  • Authentication through an online account may be used to verify identity, though a business must require re-authentication before disclosing or deleting a consumer’s data.

Financial Incentive Programs

  • Businesses offering financial incentives, including price and service differences, related to the collection, deletion, or sale of personal information must provide in its notice:
    • A summary and description of terms of the financial incentive and the value of the consumer’s personal information.
    • An explanation of how the incentive is reasonably related to the value of the consumer’s data.
    • A good faith estimate of the value of the consumer’s data that serves as the basis for offering the financial incentive and a description of the method used to calculate the value of the consumer’s data.
  • Businesses offering financial incentives must provide instructions for opting in to the incentive and for withdrawing from it.
  • Except in the case of offering financial incentives, businesses may not discriminate against consumers for exercising their rights under the CCPA or the regulations.

Conclusion 

These are only some of the important takeaways from the regulations. If your business is subject to the CCPA, it is important to know the requirements which can be found here. With both the CCPA statutes and regulations now in effect, prioritizing compliance elements is key. 

Companies are understandably in varying stages of preparedness. Whether you’re stalled, have some resource constraints, or just need a review of your plan, TrustArc is here to help. Contact us for a free CCPA Preparedness Assessment to assess your current program against CCPA requirements, identify gaps, and prioritize risk remediation.

Serious Privacy Podcast – Get Schooled: Professor Solove’s Insight on Privacy Developments

Privacy is like driving a car – lots of rules which change across borders and you need to look both ways before crossing the street. In both the US and EU, the Schrems-II decision on 16 July is a major development in data protection navigation. But we are just at the beginning of understanding all the consequences of the verdict of the EU Court of Justice. Don’t worry – also in the coming weeks, we’ve got you covered. #SeriousPrivacy will keep you posted on important developments and views. 

In this episode, Paul Breitbarth and K Royal speak with Professor Dan Solove with the George Washington University Law School, a renowned educator in both privacy and data security legislation, an internationally-known expert and a prolific writer of books and articles on these topics. He certainly has an opinion of what happens next in transatlantic data relations and intra-US with the California Privacy Rights Act (CPRA).  

Listen in as we discuss the implications of Schrems-II, the CPRA, privacy legislation and enforcement, and developments in this space. For example, the CPRA now faces opposition from a coalition led by the American Civil Liberties Union (ACLU) of California. In addition, we discuss Prof. Solove’s views over the past few decades of the advance of the privacy field and what he hopes to see in the coming years. Listen to this week’s episode on our website or stream the episode below.

Serious Privacy Podcast – CCPA: Aiming for a Moving Target

The 1st of July has come and gone – the date that marks the beginning of the enforcement of the California Consumer Privacy Act (CCPA).  Not all companies are ready for CCPA enforcement. And many companies are confused among the many moving parts – the law and potential amendments, the regulations, the ballot initiative, and enforcement.  

California’s Attorney General Becerra describes the CCPA is a “first-of-its-kind data privacy law in America.” In his press release he encourages every Californian to know their rights to internet privacy and every business to know its responsibilities. The website of every business covered by the law must now post a link on its homepage that says ‘Do Not Sell My Personal Information’. Click on it – Becerra recommends. Remember, it’s your data. You now get to control how it’s used or sold.” Listen in as Paul and K discuss the various aspects of the CCPA, from amendments to enforcement and class actions. This week’s episode can be found on our website or can be streamed below. 

Webinar Recap – CCPA Update: What You Need to Know About CPRA & July 1st Enforcement

As part of the Privacy Insight Series, TrustArc presented the webinar “CCPA Update: What You Need to Know about CPRA & July 1st Enforcement” last week with speakers Teresa Troester-Falk, President and Founder of BlueSky Privacy, and K Royal, Associate General Counsel at TrustArc. This blog post will give a brief summary of that webinar addressing the California Consumer Privacy Act (CCPA), its new regulations and the ballot initiative, the California Privacy Rights Act (CPRA); you can listen to the entire webinar and download the slides here.

Definitions 

With the possibility of a July 1 enforcement date quickly approaching, there was a lot to cover in this webinar. K and Teresa discussed the current status of the consumer privacy acts in California, how the CCPA regulations compare to the CPRA, what to expect on July 1st, how to prepare for all possible scenarios and provided resources to ensure compliance by July 1st and beyond. They expanded upon the various definitions for terms within the CCPA regulations and CPRA. For the CCPA, the definition of “business” was clarified in the regulations that the revenue prong of $25M applies to all revenue, and not simply revenue within California. This was a point of confusion for business leaders trying to interpret the often vague text of the CCPA. 

July 1 Enforcement 

In regards to enforcement, K and Teresa discussed the recent communications from the California AG’s office: “The OAG has determined that any delays in implementation of the regulation will have a detrimental effect on consumer privacy as more and more Californians are using online resources to shop, work, and go to school.” Despite the COVID-19 pandemic, it is clear that the AG’s office is serious about protecting Californian’s personal data and unlikely to waiver on the impending enforcement date.

One of the hot topics in California privacy has been whether or not the use of Cookies on websites constitute a “sale” as defined by the CCPA. The attorney general’s comments in the “Final Statement of Reasons” confirm that the office considers this determination to be highly fact-specific and recommends that companies should seek clarification from counsel. However, under the CPRA, there is a new definition of “sharing” that addresses the cookie scenarios – 

“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making oval/able, transferring, or otherwise communicating orally, In writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and o third party for cross-context behavioral advertising for the benefit of a business In which no money is exchanged. (§1798.140(ah)(1)).

TrustArc CCPA “Opt-Out” Solution  

One of the main aspects of CCPA compliance is fulfilling consumer rights requests as consumers have the right to opt-out of the sale of their personal information. As such, the ability for consumers to exercise this right must be found in an easy-to-find location on your website. With TrustArc Cookie Consent Manager now integrated with TrustArc Individual Rights Manager, you can display the “Do Not Sell My Personal Information” link on your cookie banner, providing transparency and improved user experience to your consumers.

In addition, TrustArc Cookie Consent Manager allows you to configure the consent experience based on any geographical compliance requirements as different regulations have different rules. Utilizing TrustArc Cookie Consent Manager allows you to display the applicable consent banner based on the location of the website visitor. For example, you can display a GDPR opt-in notice banner to EU residents and a CCPA notice-only banner to California residents. 

Companies are understandably in varying stages of preparedness, and with less than a month to go, prioritizing compliance elements is key. Wherever you are in your CCPA compliance journey, TrustArc can offer support at any stage of your compliance plan.

For more information on how TrustArc can help, visit TrustArc.com or contact us here.

div>