{"id":2769,"date":"2020-02-28T08:00:47","date_gmt":"2020-02-28T14:00:47","guid":{"rendered":"http:\/\/blogs.luc.edu\/compliance\/?p=2769"},"modified":"2020-02-28T08:00:47","modified_gmt":"2020-02-28T14:00:47","slug":"the-latest-ccpa-draft-explained","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=2769","title":{"rendered":"The Latest CCPA Draft, Explained"},"content":{"rendered":"

Dhara Shah<\/em><\/p>\n

Senior Editor<\/em><\/p>\n

Loyola University Chicago School of Law, JD 2020<\/em><\/p>\n

 <\/p>\n

The California Attorney General\u2019s office released an updated draft<\/a> to the California Consumer Privacy Act<\/a> (CCPA) on February 10th<\/sup>. This updated draft follows the four public hearings that were held in December of 2019 and over 1,700 pages of submitted comments<\/a>. Comments are being heard as of the posting of this article, and if no new changes are made, a final rulemaking record will be submitted.<\/p>\n

<\/p>\n

CCPA Refresher<\/strong><\/p>\n

The CCPA came into effect on January 1, 2020 and serves as a consumer privacy act for the residents of the state. It allows for more transparency<\/a> between a company and its consumers\u2014allowing the consumers to ask to see what information the company has collected about them, who it is shared with, and includes many other consumer-centered privacy ideas. Often compared to the General Data Protection Regulation<\/a> (GDPR), it too places strong fines on companies that fail to properly comply with the CCPA.<\/p>\n

The CCPA gives a variety of rights<\/a> to its consumers, including: the right to know what personal information is collected, used, shared, or sold; the right to delete personal information held by businesses; the right to opt out of their data being sold; and the right to nondiscrimination.<\/p>\n

Notable Changes<\/strong><\/p>\n

Of the changes, the ones to look out for include further clarification on what constitutes the collection of \u201cpersonal information\u201d, removing the claw back period, and introducing more user friendly ways to opt-out, amongst others.<\/p>\n

The first noteworthy change highlights that businesses are not collecting \u201cpersonal information\u201d when the business collects an IP address but does not<\/strong> link the IP address to a particular individual and it could not reasonably be linked to one. This, in turn, ends up raising further questions on what a \u201creasonable\u201d link constitutes in the context of the CCPA. Some argue that given how vastly the internet is used, IP addresses are also collected more than other information\u2014so if they are \u201cpersonal information\u201d then the way they are handled changes. If it is considered to be \u201cpersonal information\u201d, a business would reach the 50,000 consumer threshold much quicker<\/a>, thus including a larger group of businesses liable to the CCPA.<\/p>\n

Another noteworthy change is the removal of the claw back period. Initially, a 90-day claw back period was placed into effect for businesses to pass on an individual\u2019s opt-out of sale of information. The latest draft has since removed this provision<\/a>.<\/p>\n

As the center of the CCPA are the consumers, it only makes sense they have tried to make it as user friendly as possible. The newest draft introduces the option of an opt-out button<\/a> that can be used in addition to the notice of the right to opt-out. It really will be as easy as a click of a button then. Companies like OneTrust<\/a> have already started to create and market this button towards businesses.<\/p>\n

Other noteworthy changes include: confirming that a two-step process for online requests to delete is not required, rather is optional; stating that the metrics and transparency reporting requirements only holds to those with 10 million or more consumers now, rather than the initial\u2014businesses with 4 million or more consumers; and a deletion of the requirements to treat unverifiable deletion requests as opt-out requests.<\/p>\n

Next Steps<\/strong><\/p>\n

Comments will be heard again until February 25th<\/sup>, 2020. To submit comments visit, https:\/\/oag.ca.gov\/privacy\/ccpa<\/a>.<\/p>\n

While comments are still being submitted, the CCPA has gone into effect since January 1st<\/sup>, 2020. Qualifying businesses should already be in compliance with the CCPA\u2014with just the primary requirements including: meeting the \u201cright to know\u201d by telling consumers how their data is being used; meeting the \u201cright to opt out\u201d by creating a privacy policy and potentially even including a one-click button; meeting the \u201cright to delete\u201d; and meeting verification requirements. Of those in compliance, the hardest challenge so far seems to be just determining where a company is storing consumer data<\/a>.<\/p>\n

Stay tuned for what the next round of the rulemaking process brings and what other regulations may be inspired from the CCPA. As data privacy concerns are only growing<\/a> in the minds of consumers, it will be important to ensure that the data privacy protection and compliance environment continues to grow as well.<\/p>\n","protected":false},"excerpt":{"rendered":"

The California Attorney General\u2019s office released an updated draft to the California Consumer Privacy Act (CCPA) on February 10th. This updated draft follows the four public hearings that were held in December of 2019 and over 1,700 pages of submitted comments. Comments are being heard as of the posting of this article, and if no new changes are made, a final rulemaking record will be submitted.<\/p>\n","protected":false},"author":28,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[339,358,468,571,1623,1747],"class_list":["post-2769","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-california-consumer-privacy-act","tag-ccpa","tag-compliance","tag-data-privacy","tag-cybersecurity","tag-rulemaking"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/2769","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/28"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2769"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/2769\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2769"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2769"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2769"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}