The California Consumer Privacy Act of 2018 (CCPA) has recently been revised. On March 11, 2020 California Attorney General Becerra, made these amendments for the safety of consumers and in August of 2020. Lawalways wants businesses as well as consumers to be aware of their rights and responsibilities. Since its inception in 2018 there have been two revisions, and this latest revision has removed quite a bit, including the Severability provision in Section 999.341.
Request to Know
Personal information or personal data is extremely valuable to both consumers and businesses. Businesses want personal information for marketing purposes and consumers want it for their own privacy and peace of mind. According to the revision a business can give the requesting entity information that dates back beyond one year if specified in the request to know. Certain types of information are still forbidden from being shared, like biometric data and social security numbers. And businesses that do collect such data are required to tell consumers that it has collected that type of information.
The CCPAs finalized regulations beg the question, What happens to global privacy controls and “do not track” options that are explicitly mentioned in the CCPA? Do these options work as an automatic opt out regarding the sale of personal information? According to Appendix E of the Final Statement of Reasons (June 2020), (i) a business can “treat a ‘do not track’ signal as a useful proxy for communicating a consumer’s privacy choices to businesses and third parties;” and (ii) global privacy controls should be considered forward-looking because regulations “state the privacy control be “developed’ in accordance with these regulations.”
Should a consumer require an agent to opt-out for them, a business can deny the request if the agent is unable to sufficiently prove that they are acting on the behalf of a particular consumer. This is also true for requests to know or delete. It is also worth noting that the “do not sell my personal info” link has been changed to “do not sell my personal information.” Businesses that do most of their business offline, however, are not required to offer an option to opt-out of the sale of personal information when using an offline method.
Since these are fairly new regulations and commerce is always changing, you may be wondering if this latest revision truly is “final.” With elections looming in the very near future and ballot initiative “California Privacy Rights Act of 2020,” it may undergo another revision. But for now, businesses can familiarize themselves with the changes and come into compliance, including opt-out requests, consumer rights to opt-out and specific things to include in privacy policies.
Although these new CCPA regulations are effective immediately, businesses have 30 days to become compliant once they have been notified of any violations. As consumer rights lawsuits are filed, problems and solutions are highlighted, and possible future revisions are born. But as of August of 2020, business can breathe easier knowing that the regulations have been finalized for now.