CCPA Two Months In: What’s Changed (and What Hasn’t)

Please note that this article is intended for informational and educational purposes only and does not constitute legal advice.

The much-anticipated California Consumer Privacy Act (CCPA) went into effect as of January 1, 2020, with enforcement expected to begin come summer. The Act grants Californians unprecedented rights regarding the access, sale, and deletion of personal data and stipulates some pretty steep fines for violations. 

As a result, companies doing business in California were under pressure to develop and implement a process for handling personal data requests that met all of the compliance measures California Attorney General Xavier Becerra included in the law. Since no fines will be levied until the summer, however, AG Becerra has taken the opportunity to make a few key revisions and clarifications to CCPA based on feedback from California residents and business owners.

Keep reading for an overview of what you need to know as we get closer to CCPA enforcement.

4 CCPA Regulation Updates You Need to Know

1. What you think is personally identifiable information (PII) might not actually be considered PII.

It’s rare to find a business that doesn’t collect customer information in some form or fashion. Whether your company collects shoe sizes or IP addresses, however, doesn’t really matter—what matters is whether or not that data is stored in a way that could link it to an individual customer or group of customers from the same household.

If you can be completely positive that your company does not retain or house customer data in a way that could directly or indirectly connect it to an individual or group of people, then you don’t need to consider that data to be PII.

That being said, the average customer is far better educated about personal data privacy today than even five years ago. If you value strong relationships with your clients and want to ensure that your customer experience remains top-notch, be transparent in your privacy policy regarding the types of data your company collects and how (or if) those data types are associated with others. 

2. If your company sells data, you’ll need a specific graphic.

Companies that sell PII must provide Californians with a way to indicate their wish that the company not sell their information. The simplest way to do this and ensure your company’s compliance with CCPA regulations is to use the opt-out button designed by the California AG’s office:

This button can’t be used on its own, however. You’ll need to work with your web team to ensure that the button appears to the left of a link labeled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” See below for what the button and the link should look like together:

Remember to point the link either to a page on your website or the section of your company’s privacy policy that explains the customer’s right to opt out of the sale of their personal information.

3. Requests for data deletion don’t have to involve multiple steps.

In the original iteration of the law, businesses were required to employ a two-step process for customers requesting deletion of their personal information. First, the customer would submit a deletion request, and then they would be required to confirm that they did indeed want the company to delete their information.

Under the updated regulations, companies can certainly still offer this two-step process for data deletion requests, but they are not legally required to do so.

4. The clock starts ticking as soon as your company receives a personal data request under CCPA.

If you were paying attention to the first round of CCPA news, you probably have a 45-day turnaround time in mind. And that’s still accurate, but there are additional details you need to keep in mind going forward.

• You must return an initial response to every submission within 10 business days. The purpose of this initial response is to let the consumer know that your company received their request and to outline what they can expect in terms of how the request will be processed and when they’ll receive a final response.
• You have 45 days to issue a final response to a request. (But watch out for the caveat below.) Note, however, that this stipulation has been clarified as calendar days. If you aren’t able to verify the identity of the requestor within those 45 calendar days, you are legally permitted to deny the request.
• You may take an additional 45 calendar days to respond to a data request—but only if absolutely necessary. Some personal data requests will take longer to resolve than others for one reason or another, and AG Becerra has made room for these anomalies. Promptly notify the customer when you realize that their request will take longer than the standard 45 days, and be sure to clearly explain the reason for the delay.

The Bottom Line

When it comes to personal data requests under CCPA, there are several important things to keep in mind:

1. Make sure you have a workflow in place for personal data request submissions to ensure that each request is routed to the correct place and isn’t overlooked.
2. Verify the identity of each requestor and respond within the allotted time frame for each and every submission.
3. Write your company’s privacy policy in plain language, and clearly define the types of data you collect and what (if anything) those data types are associated with.
4. Update your website to include simple buttons and links for customers who do not want their data sold.

CCPA represents a huge step forward in consumer data privacy, but it can also present a compliance minefield for businesses that don’t stay up to date on revisions issued by AG Becerra’s office.

At IDology, we’re committed to providing you with the information you need to stay in the know when it comes to CCPA as well as the tools to help your organization stay compliant as you handle personal data requests. Contact us or request a demo of our solutions today.