The new California Consumer Privacy Act (CCPA) went into effect at the beginning of this year and becomes enforceable by the California Attorney General (CAG) on July 1, 2020. The regulations required to enforce the new law are nearing completion. Originally proposed in October of last year, the regulations have been revised by the CAG twice this year – once in February and again in March. It is unclear whether the CAG will issue a third round of revisions. (A ‘redline’ showing all revisions published by the CAG to date is available here.)
In this post, Mike DeAndrea, GRC Advisory Solution Architect at Covestic, highlights 10 significant revisions to the CCPA regulations that are likely to impact your consumer-requests, order (intake) and fulfillment processes. We strongly encourage you to reference the most recent version of the CCPA source document prior to making any changes to CCPA related policies, processes or tools.
Top 10 Revisions
1. Two-step Deletion Request Process (§999.312.(d))
The previously mandated two-step process for handling deletion requests has been downgraded from a requirement to an option. If you’ve already implemented the two-step process, you may continue to use it although it is no longer required.
2. Opt-out Button (§999.306.(f))
The Opt-out “toggle” button requirement added by the CAG in February has been removed. The February revision required you to implement an opt-out toggle button next to the “Do Not Sell My Personal Information” link as shown below. As a result of public pushback, the requirement was stricken from the March revisions. If you have already implemented the toggle button, there’s no harm in keeping it. The “Do Not Sell My Personal Information” link is still mandated.
3. Request Verification Time Out (§999.313.(b))
All consumer requests must be verified before processing, but if a request cannot be verified in 45 calendar days, you can now legitimately deny the request. You need to keep a record of the denial and will need to notify the requestor that the request was denied because it could not be verified.
4. Disclosure Request Data Exceptions (§999.313.(c)(3)(a))
Finding all the data to include in a disclosure request is challenging. In the February revisions, the CAG specified that, in response to a right-to-know request, you no longer need to search for personal information that is:
- Not stored in a searchable or reasonably accessible format
- Maintained solely for legal or compliance purposes
- Never sold or used for commercial purposes
However, you must disclose the categories of records that were not searched and that could possibly contain the consumer’s personal information.
5. Deleting Back-up or Archived Data (§999.313.(d)(3))
In responding to a right-to-delete request, you do not need to delete the consumer’s data from any backup or archival systems until the data is restored, reactivated, retrieved or is included in a data-sales transaction.
6. Deletion Request Response (§999.313.(d)(4))
When notifying the consumer that their deletion request was completed, you no longer need to describe the way the data was deleted. But you do need to inform the consumer that a record of their request will be maintained for 24 months (§ 999.317(b)).
7. Right-to-Delete Request Denial (§999.313.(d)(7))
If a verified deletion request is denied, you must give the requestor an opportunity to opt-out of the sale of their personal information unless, of course, you don’t sell personal information or the consumer has already opted-out. This means you must ask the consumer at the time of denial whether they want to opt-out and you must provide a link to the opt-out request form or notice.
8. Calendar Days vs Business Days
Clarification was added throughout the regulations to distinguish between “calendar” days and “business” days. For example, the time allowed for responding to a consumer request is 45 calendar days (§ 999.313(b)), whereas the time allowed for confirming receipt of a right-to-know or right-to-delete request is 10 business days (§ 999.313.(a)). Make sure your SLAs count the appropriate days.
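As an added illustration (not part of the original post), the helper below computes both deadlines from a request's receipt date so an intake system does not silently mix the two units; it treats business days as Monday to Friday and ignores holidays, which is an assumption a production system would need to refine.

```python
from datetime import date, timedelta
from typing import Optional

# §999.313(a): confirm receipt of a right-to-know / right-to-delete request
# within 10 business days.
ACK_BUSINESS_DAYS = 10
# §999.313(b): respond, or deny an unverifiable request, within 45 calendar days.
RESPONSE_CALENDAR_DAYS = 45


def add_business_days(start: date, days: int) -> date:
    """Advance `start` by `days` weekdays (Mon-Fri).

    Assumption: weekends are the only non-business days; observed holidays
    are not subtracted here and would need a calendar of their own.
    """
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0 = Monday ... 4 = Friday
            remaining -= 1
    return current


def request_deadlines(received: date) -> dict:
    """Both SLA dates for a request received on `received`."""
    return {
        "acknowledge_by": add_business_days(received, ACK_BUSINESS_DAYS),
        "respond_by": received + timedelta(days=RESPONSE_CALENDAR_DAYS),
    }


def verification_status(received: date, verified_on: Optional[date], today: date) -> str:
    """Mirror the §999.313(b) timeout: once the 45-calendar-day window has
    passed without verification, the request may be denied. The caller is
    expected to record the denial and notify the requestor."""
    if verified_on is not None:
        return "verified"
    if today > received + timedelta(days=RESPONSE_CALENDAR_DAYS):
        return "deny_unverified"
    return "pending"
```

For a request received on a Monday, the 10-business-day acknowledgement falls 14 calendar days later, which is exactly the gap a calendar-only SLA counter would get wrong.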
9. Deleting Household Information (§999.318(a))
The definition of “Household” was redefined from “a group of people occupying the same dwelling” to “a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier occupying a single dwelling.” As a result, the requirements for handling requests to access or delete household information were strengthened to ensure that the requests are submitted jointly by all members of the household. Requests to access or delete Household Information can now only be fulfilled if:
- All consumers of the household jointly request access to specific pieces of information or the deletion of household personal information.
- The business individually verifies all the members of the household.
- The business verifies that each member making the request is currently a member of the household (§999.318(a)).
10. Accessibility Guidelines
The CCPA requires the California Attorney General’s office to commence enforcement no later than July 1, 2020. But, before enforcement can begin, the proposed CCPA regulations must be finalized, submitted to the California Office of Administrative Law (AOL), and filed with the California Secretary of State. Since the AOL must receive the finalized regulations by May 29, there is very little time for further public reviews before the regulations become enforceable. It remains unclear as to whether the CAG will issue a third round of revisions; according to the CAG website few written comments were received in response to the March revisions.
In addition, while the nation faces unprecedented challenges as a result of the Coronavirus (COVID-19) Pandemic, the CAG remains resolute, indicating that CCPA enforcement will NOT be delayed. This means you need to be ready by July 1. The best way to do this is to make sure your CCPA processes adhere to the most recently published revisions of the regulations.
How Covestic Can Help
At Covestic, our GRC team focuses on privacy compliance. Whether CCPA, GDPR or any of the dozens of other privacy laws emerging across the country and around the globe, our team can help your team translate regulatory requirements into developer stories to quickly stand up an efficient, effective, and scalable solution and significantly shorten your time-to-compliance.
You can watch our recent webinar on this topic: Achieving CCPA Compliance with ServiceNow and Covestic.
For more information, please reach out to us via e-mail at firstname.lastname@example.org.
About the Author
Mike DeAndrea, GRC Practitioner and Advisory Solution Architect, Covestic
With more than 20 years of applied expertise in Governance, Risk, and Compliance, Mike helps Covestic customers understand how they can leverage the power of ServiceNow to meet their regulatory compliance needs in the shortest time. Mike has extensive experience both as a practitioner and a consultant. As a practitioner, he managed the compliance efforts of a large enterprise-wide IT operations department of a multi-billion-dollar, multi-national company for several years. As a consultant, Mike has been helping high-profile customers deploy GRC solutions in ServiceNow for over five years. He maintains a number of ServiceNow and industry certifications, and specializes in designing compliance solutions that are not only effective but also highly efficient, that minimize the time to value, and that drive down the cost, burden, and impact of compliance on your organization. You can connect with Mike on LinkedIn.