CCPA Update: March Regulation Proposed Revisions

The Department of Justice of California published yet another round of draft CCPA (California Consumer Privacy Act) regulations on March 7, 2020 with comments due March 27, 2020.

As stated in the notice, there were “around 100 comments received in response” to the previous draft regulations.

In the most recent version, the “redlined” version is color-coded to easily identify the original draft regulations, the first set of modifications, and this second set of modification. The redlined and clean versions are published online.

According to the rule-making process, if changes are made to the proposed regulations, the changes will be published for the public to submit comments. These comments would be reviewed and based on the comments, either revise or accept the published draft. Comments will also be responded to at the publication of the final regulations.   The Office of the Attorney General previously provided guidance that if changes are “substantial and sufficiently related,” the changes will be published with an abbreviated comments period of 15 days (this modification and the last one met these requirements). If changes are not made or are “nonsubstantial and sufficiently related,” no publication for comments will occur. Only “major changes” would require a full 45-day comment period.

Some of the key changes include:

  • Removal of § 999.302 which was added in the last version addressing that an IP address that is otherwise not associated with identifying information is not personal data. No sections were added or modified in the newest version to address IP addresses.
  • Addition of § 999.305(d) clarifying that “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.”
  • An addition was made that if a business that denies a consumer’s request to delete sells personal information and the consumer has not already made a request to opt-out, the business shall ask the consumer if they would like to opt out of the sale of their personal information and shall include either the contents of, or a link to, the notice of right to opt-out in accordance with section 999.306. (§ 999.313(d)(7)).
  • Clarification that the notice provided at the collection of employment-relation information does not need to contain a link to the business’s privacy policy.
  • Additional clarifications were added around information provided in response to consumers’ requests to know (§ 999.305(f)(2)), what to publish about selling minors’ data (§ 999.308(c)(9)), a description of biometric data that is to be provided where the biometric data itself cannot be provided in response to a request to know (§ 999.314(c)(4)), and descriptions of categories of sources and business purposes in the privacy policy (§ 999.308(c)(1)(e) and (f).

Where are we now?

The comment period ends on March 27, 2020. Per guidance and history, any changes made to this version will result in publication of a new round of proposed regulations.

Once we reach a version wherein there are no changes made, according to the “Information about the rulemaking process,” the Office of the Attorney General will prepare and submit the final rulemaking record to the Office of Administrative Law (“OAL”) for approval, including the summaries and responses to each public comment received. The OAL has 30 working days to determine if all of the procedural requirements are met and if so, the regulations will be filed with the Secretary of State. 

Will enforcement start July 1, 2020?

At this time, enforcement remains slated to start on July 1, 2020. TrustArc will keep you posted on updates. To speak with a privacy expert about the California Consumer Privacy Act and how to comply, schedule a consultation today.

Webinar Recap – CCPA: Countdown to Enforcement

As part of the TrustArc Privacy Insight Series, TrustArc Senior Privacy Consultant Beth Sipula, TrustArc Privacy Counsel Edward Hu, and TrustArc Director Privacy Intelligence Development Joanne Furtsch presented the webinar “CCPA: Countdown to Enforcement” last week. This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.

The CCPA is set to be the toughest privacy law in the United States. It broadly expands the rights of consumers and requires companies within scope to be significantly more transparent about how they collect, use, and disclose personal information. The CCPA is effective January 1, 2020, and enforcement is slated to begin no later than July 1, 2020.

During this webinar, the panelists discussed the current hot topics surrounding the CCPA, such as: notice, service providers, browser controls, identity verification, and the right to deletion. Regarding the right to deletion, Beth went into detail on the proposed regulations’ two step process: the first step allows the individual to submit the request for deletion; and the second step separately confirms the personal information will be deleted. Furthermore, Beth explained that when denying requests, businesses must provide the consumer with a notice stating the reasons for denial, including any applicable exceptions, delete any information not subject to exception, and not use the retained personal information for any purpose not provided for by a relevant exception. 

The panel went on to discuss the recent CCPA public hearings, as Joanne attended the Sacramento hearing and Edward attended the San Francisco hearing. They touched on the variety of speakers during both hearings, which showed the wide range of use cases that the speakers brought forth, and the sizable impact of the CCPA. There were many similarities in both hearings, such as requests for model notices from the AG’s office in order to help streamline notice compliance requirements. 

With the January 1, 2020 effective date quickly approaching, Edward provided several action items for companies, such as: 

  • Inventorying your data
  • Putting a consumer request process in place
  • Reviewing vendor contracts to determine who is a service provider
  • Updating privacy notices
  • Making a determination about whether using third-party ad tech cookies constitutes a “sale”

To learn more about the CCPA, view the on-demand Privacy Insight Series webinar here.  TrustArc has a robust library of on-demand webinars available here. You can learn more about the CCPA look back requirement, automating privacy managing, GDPR compliance, and many other hot topics.

The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers, presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges.

Recap of San Francisco Public Hearing on CCPA


On December 4th, the California Attorney General’s (AG) office held a public hearing in San Francisco on the California Consumer Privacy Act (CCPA). The hearing provided the public with an opportunity to take part in the CCPA rulemaking process. The rulemaking process is governed by the California Administrative Procedures Act which requires the AG to solicit comments from the public through hearings and in writing. The AG considers all comments, makes revisions to the proposed regulations where appropriate, and posts another draft of the regulations for public review and comment.The San Francisco hearing took place at the Milton Marks Conference Center where the room was packed with approximately 175 attendees, including TrustArc team members. 

Representatives from the Office of the California AG started with a brief introduction and then allowed for pre-registered speakers to make their comments. With over 20 speakers, the public hearing lasted almost two hours and covered a wide range of CCPA-related topics and concerns. Below are some highlights from the hearing:

Individuals representing two different Bay Area credit unions spoke on the difficulties of complying with the complexities of the CCPA with a small staff and limited resources. Both asked for the enforcement date to be extended to January 1, 2022, pushing the date two full years. Extending the enforcement date would allow them the time needed to “get it right the first time,” they argued. 

One of the co-authors of the CCPA text also spoke during the public hearing. He argued that the CCPA’s fifteen-day grace period for companies to process opt-out requests was simply too long, and the requests need to be processed immediately, up to 72 hours at the latest, adding, “If [a company] is able to start selling immediately, they should be able to stop selling immediately.” 

A representative of an SF-based technology company criticized the “out of date” toll-free phone number required for CCPA compliance, especially for companies who conduct business solely online. She said the unnecessary requirement is expensive for companies to maintain, even if they do not receive a single phone call. She argued that companies could also become the targets of robo calls designed to exploit the way in which toll-free telephone numbers are billed to commit a fraud for profit.

Another speaker, a CPO with over 20 years of privacy experience in California, asked the AG’s office to clarify the definitions of “business,” “service provider,” and “3rd party.” She stated definitions were needed for these three terms because they are often used differently within the text of the CCPA.  

A data privacy advocate and former elected official expressed his concern over whether large technology companies will take the CCPA seriously. He commented that based on his conversations with C-Suite executives, attitudes towards the CCPA have been very cavalier, with statements ranging from “I’ll wait until there’s fines” to “I’m retiring soon, so it’ll be someone else’s problem to deal with.” The speaker suggested the AG’s office carry out tight enforcement in order to truly protect consumers.

The §999.315(c) requirement, that businesses treat browser privacy signals as valid requests to opt out, received attention from several speakers. Advocates commended the proposed regulation as giving consumers an accessible method to express their intent, while opponents argued that it would frustrate actual consumer intent. Two speakers expressed their belief that consumer intent would be better inferred through their interaction with an opt-out link or button.

TrustArc is an active participant in privacy conferences and our team regularly attend policy hearings to help inform and shape our solutions. With privacy experts spanning the world in the U.S., Canada, Latin America, Europe and Asia, our team is at the forefront of the ever-changing privacy landscape. To speak with a privacy expert about the California Consumer Privacy Act, schedule a consultation today!

Automated DSR Fulfillment to Avoid Denial of Service Attacks


In the wake of GDPR, law firm Squire Patton Boggs reported a “sharp increase” in the number of UK residents who initiated data subject access requests (DSARs), fulfilling the same number of DSARs in the first five months of 2019 as they’d handled during the entire year of 2018.

CCPA data subject requests (DSRs) are likely to have the same effect on California-based organizations, and with a 45-day deadline for fulfillment, companies that don’t implement automated self-service workflows are at an increased risk for Denial of Service (DoS) attacks.

DoS attacks happen when legitimate users are unable to access information systems, devices, or other network resources due to cyber criminal activity that floods a host or network with traffic until it cannot respond or simply crashes, preventing access to email, online accounts, websites, etc.

These attacks disrupt a company’s online presence by keeping its web servers so busy with network requests that they’re unable to load web pages or Internet resources, costing organizations both time and money while their resources and services are inaccessible.

A DoS attack can happen when a company is inundated with DSRs. It overwhelms the CSR and IT staff, who are forced to respond to requests manually and eventually reach a breaking point in which the company can’t safely respond to requests within the required timeline.

With CCPA right around the corner, there’s no time like the present to start thinking about your company’s plans to circumvent DoS attacks and streamline DSR processes, which, according to the new regulations, must now include identity verification prior to fulfilling each request.

Technology can help teams automate manual processes, which helps save time and promote consistency, but it’s important for businesses to be aware of potential DSR threats like DoS attacks that can jeopardize fulfillment and result in both frustration and noncompliance.

Lessons Learned from GDPR

Many companies started preparing for GDPR by hiring lawyers and consultants to conduct privacy impact assessments (PIAs), data mapping, understanding workflows, manually surveying data sets, and introducing internal guidelines.

These steps were certainly helpful and necessary, but because the work had to be applied to multiple sets of data repositories, companies found they were duplicating efforts over and over.

Operationalizing CCPA with automation requires companies to leverage existing IT security tools and other systems (e.g., SIEM, ticketing, data governance), which is why it’s critical to get buy-in from CTOs, CISOs, CPOs, and data governance teams from the very beginning in order to execute processes correctly the first time.

Taking the time to prepare and automate DSR fulfillment processes can help mitigate the onslaught of DSRs, which result in DoS attacks.

Coordinated Data Subject Requests

Through the use of social media, online networking platforms, and other less obvious sources, many data subjects can quickly and easily coordinate to submit DSRs on behalf of people who may or may not exist, all at the same time.

The most recent example of this was executed under GDPR law, when Blizzard Entertainment stripped the World of Warcraft Tournament Champion of his title after publicly claiming support for Hong Kong protesters, which triggered the gaming community.

Multiple gaming sites, and even Reddit posts like this, instructed angry gamers who were upset with Blizzard how to exercise their rights under GDPR Article 15. The weaponization of DSRs quickly caught on, and led to an influx of requests that was very difficult for Blizzard to manage.

Even for large organizations with robust processes and automated systems for managing DSRs, such a large number of coordinated requests are likely to have a lasting impact, as they tend to cause excessive and manual workload by clogging automated systems with complicated requests.

Not limited to large corporations, the coordinated DSR attacks will actually do more harm to smaller businesses that don’t have the resources to deal with the tidal wave of requests, but it’s important to note that even moderate levels of DSR traffic can overwhelm organizations if they’re not properly prepared.

DSR Automation Recommendations

The first step is to build an effective intake form for DSRs that are visible, have predefined requests that the data subject can select from, and can be automated to fulfill requests quickly. Automation tools also exist that can help businesses centralize requests in a single dashboard, automate notifications, track deadlines, and establish processes for individuals who are involved in each step of the workflow.

The second step is to ensure that identity verification techniques, congruent with the sensitivity of the data being requested, are prominently integrated at the very beginning of the DSR process. This action alone can weed out bad actors and bots attempting to flood business systems with requests. The more sensitive the data being requested (think: banking, insurance, healthcare, etc.), the higher the verification assurance should be for those submitting requests.

When it comes to preventing DoS attacks, manual DSR processes that require personnel to scan hundreds of systems for every request will simply not cut it. It’s a big data problem, especially when you consider that, in the DSR fulfillment process, duplicate data sets are the primary culprits for exposure of sensitive data to unnecessary parties. As such, additional recommendations to automate DSR fulfillment include:

  • Avoid creating additional copies of customer data
  • Reduce PI surface area 
  • De-identify but beware of toxic combinations
  • Comply with privacy and security-by-design principles
  • Prepare for a data subject request DoS attack

Want to learn more about how an automated DSR fulfillment process can help your company avoid DoS attacks? Click here to register for our webinar.

How [Integris/TrustArc/Evident] Helps

How Evident Helps

Evident’s Verified Data Request (VDR) DSR identity verification tool is helping businesses vet each request, distinguishing bad actors and bots from genuine individuals who want to access, delete, or opt out their personal data.

With connections to more than 6,500 authoritative data sources through a single API, Evident’s VDR is simplifying the identity verification portion of the DSR request workflow, enabling companies to corroborate a requester’s data points quickly, securely, and accurately, without ever returning “data subject not found” results.

In addition to supporting identity verification for DSR workflows, VDR also helps businesses demonstrate general privacy compliance through Evident’s asymmetric, end-to-end encryption, designed to protect each individual piece of personal data collected for verification purposes.


The TrustArc Individual Rights Manager solution is designed to help companies comply with regulations, minimize risk and build trust with customers. The solution enables individuals to easily submit DSARs and companies to efficiently manage, review, and follow-up in required timelines. In addition, the solution creates an audit trail that demonstrates accountability and compliance. 

TrustArc is the leader in privacy compliance and data protection solutions and offers an unmatched combination of innovative technology and TRUSTe certification solutions. TrustArc addresses all phases of privacy program management and has been delivering innovative privacy solutions for two-decades to some of the world’s largest companies. The TrustArc platform leverages deep privacy expertise and proven methodologies, which have been continuously enhanced through thousands of customer engagements. Headquartered in San Francisco, and backed by a global team across the Americas, Europe, and Asia, TrustArc helps customers worldwide demonstrate compliance, minimize risk and build trust.

How Integris Software Helps

Integris Software tackles one of the most challenging aspects of data subject requests (DSRs)– finding data subjects across your data ecosystem. Our discovery process isolates your systems that contain PI, then maps attributes, categories, purpose, and sources back to each data subject. By automating the discovery and classification of sensitive data, Integris reduces the burden on IT teams and data source owners. Deep Search and just-in-time identity matching make it easy for your customer service reps (CSRs) to verify and locate data subjects across thousands of systems. Integris DSR is enterprise ready and follows the principles of privacy- and security-by-design; there’s no need to replicate consumer data across network zones.

Privacy is now critical to an effective data protection strategy. By sitting upstream from security, Integris tells you what data is important and why so you can be precise in your InfoSec controls. Integris works securely, at scale, no matter where sensitive data resides. You get a live map of your sensitive data where you can apply policies, surface issues, fulfill DSAR requests, and automate remediations via your broader ticketing and InfoSec ecosystem. Regulations like GDPR and the California Consumer Privacy Act (CCPA) are triggering knee-jerk reactions as companies lock down their data for fear of misuse. With Integris, there is finally a way to use your data without fear.

Upcoming Webinar – CCPA: Countdown to Enforcement


TrustArc is proud to present the next Privacy Insight Series webinar “CCPA: Countdown to Enforcement” with TrustArc Senior Privacy Consultant Beth Sipula, TrustArc Privacy Counsel Edward Hu, and TrustArc Director Privacy Intelligence Development Joanne Furtsch. This webinar will take place on Wednesday, December 11th at 9am PT (12pm ET/5pm GMT). Don’t miss this opportunity to learn more about global privacy strategy – register today!

CCPA will be in effect before we know it as we count down the days until January 1, 2020. To help businesses prepare to be in compliance by January 1, 2020, the CA State AG released proposed regulations for implementing CCPA and is now holding public hearings to hear statements and comments on the proposed regulations. TrustArc will be at two of the four public hearings to hear the latest regarding implementing CCPA requirements and will bring you the latest updates in this webinar.

Register for this webinar to gain valuable insights and learn about:

  • Key requirements of the proposed regulations
  • Key takeaways from the Sacramento and San Francisco public hearings
  • What happens next in the rulemaking process and what companies need to be doing to be ready for January 1, 2020

Can’t make it? Register anyway – we’ll automatically send you an email with both the slides and recording after the webinar.

TrustArc publishes a broad range of privacy educational resources, including research reports, benchmark statistics, solutions briefs, product updates, webinars, workshops and much more. Check out the following resources on hot topics including CCPA, GDPR, Vendor Risk Management, DSAR Best Practices, Cookie Consent, and much more. Register for the free TrustArc Privacy Insight Series subscription and find out why over 20,000 privacy professionals per year take advantage of TrustArc privacy education resources.