Data privacy and security

Countdown to the California Consumer Privacy Act, Nation’s Strictest Data Privacy Law

With less than 45 days until the nation’s most significant data privacy law takes effect on January 1, 2020, the California Attorney General recently released draft CCPA regulations and California recently finalized five amendments to the California Consumer Privacy Act (CCPA). Companies should be preparing to comply as enforcement will begin next summer.

For businesses who are just getting familiar with the CCPA, see what you need to know about the CCPA, including what the CCPA is, whether it applies to your company and what you need to do to comply. As of January 1, 2020, consumers will be able to request that a business disclose specific pieces of information for the preceding 12 months—going back as early as January 1, 2019—such as what the business has collected about the consumer and whether that information was disclosed or sold to a third party.

As the CCPA implementation date approaches, California has recently provided additional obligations for businesses, in and out of the state, that handle California residents’ personal data. On October 10, 2019, the California Attorney General’s Office, which will enforce the CCPA, released draft regulations that will be open for public comment until December 6.

CCPA regulations provide both clarity and new obligations for businesses

While the draft CCPA regulations provide clarity for how businesses can comply, they also include many additional obligations for businesses. From a clarity perspective, the CCPA only indirectly references information obtained from third parties (such as data enrichment), but the CCPA regulations more specifically outline the requirements for businesses that don’t collect information directly from consumers. In addition, the CCPA itself has very few process requirements for how companies respond to consumer requests, but the CCPA regulations include highly technical process requirements—some of which are unique to the CCPA regulations, such as a double opt-in process for deletion requests.

The CCPA regulations also clarify the required timelines for businesses to respond to requests to access and delete, to act on an opt-out of sale request and when that opt-out preference must be reported to Service Providers. The CCPA regulations also provide details about what records businesses will need to maintain to demonstrate CCPA compliance, and the required retention period for those records. Given that the CCPA regulations have only been available for about a month, are subject to change, and are not expected to be finalized until mid- to late-December, businesses have a lot to tackle in a short period of time before the CCPA goes into effect on January 1, 2020.

As for new requirements for businesses, the CCPA regulations require businesses to treat “user-enabled privacy controls, such as a browser plugin or privacy settings” as a valid opt-out of sale request, although it is unlikely that this can be widely operationalized before the CCPA goes into effect.

The CCPA regulations also add a new data security obligation for businesses to implement reasonable security measures to detect fraud and prevent unauthorized access or deletion of personal information. Additionally, the regulations reference California’s data security statute with regard to what personal information should not be collected for authentication. Effectively, these new requirements add unique data security obligations to the data privacy focused CCPA.

CCPA language is revised and finalized

On October 11, just after the CCPA regulations were released, California Governor Gavin Newsom signed five amendments into law that modify the original language of the CCPA. While these amendments don’t significantly change the obligations imposed by the CCPA, the modifications do cover clarifications, exemptions, and expansions of the CCPA.

For example, the new amendments clarify that the definition of personal information excludes de-identified or aggregated consumer information, and personal information collected on another business’s employees in certain B2B contexts. One of the amendments creates a yearlong exemption for employee datafrom a consumer’s right to access, deletion, and opt-out, so the California legislature will need to readdress this next year. Another amendment creates a data broker registry and yet another establishes a carve-out so that the right of deletion doesn’t apply to vehicle repair information. Businesses must take into account these amendments to the CCPA as they prepare for implementation and enforcement.

Will other states enact similar laws?

With the enactment of the CCPA coming up quickly, many businesses are wondering whether there will be similar privacy legislation introduced in other states. The short answer is yes, several states are moving forward on privacy legislation at record pace, although many bills that have been introduced will change or never become law. This U.S. state comprehensive privacy law comparison from the International Association of Privacy Professionals (IAPP) gives a great snapshot of bills in progress at the state level.

With the implementation of the CCPA fast-approaching, businesses inside and outside of California must make compliance a priority. Begin by working with a data privacy expert to determine how your organization, clients and vendors are defined under the law, then focus on the implications for your business.

To learn more about the California Consumer Privacy Act or for other data privacy and security questions, contact KO attorney and data privacy expert Chris Achatz at or (720) 477-7140. Chris is a Certified Information Privacy Professional (CIPP/US) and a Colorado KnowledgeNet Chair for IAPP. He is a frequent speaker at local and national industry, bar association and university events on all types of technology and data-related topics.



Looking for a new partner?

We are changing the status quo in the legal industry one client at a time. Why not be next?

Related Articles