Final Prosed Regulations of the California Consumer Protection Act (CCPA)

On June 1, California’s Attorney General submitted the final proposed text of regulations for the California Consumer Privacy Act (CCPA) to the Office of Administrative Law (OAL). Following this, the OAL now has 30 days, plus an additional 60 due to the Covid-19 related executive order N-40-20, to review the proposals after which they will become enforceable. 

In a statement which accompanied the proposed regulations, the Attorney General has requested an expedited review be completed within 30 days stating that post this, his office will begin enforcement of the regulations which establish procedures to facilitate new consumer rights under the CCPA and provide guidance to businesses for how to comply. 

The CCPA went into effect on January 1, 2020 with the intention to protect the use, sharing and selling of consumers’ personal information and contained a myriad of requirements for organizations which do business with California residents. The Attorney General has been requested to provide guidance on compliance with the CCPA, and June’s release marks the final step in this process. 

Businesses now need to take action 

For organizations, now is the time to review privacy policies, implement consent procedures and evaluate practices to ensure compliance. Given the short 30 to 90-day window before enforcement begins, businesses do not have a lot of time and should look to move quickly to protect themselves against potential litigation. 

In recapping some of the key objectives in the CCPA: 

• Businesses must clearly disclose their data collection and sharing practices to consumers upon first interaction
• Businesses must provide consumers with the ability to request information pertaining to what data is collected on them
• Businesses must not sell their customer’s data (with exceptions) where they have been requested to refrain from doing so from the said customer
• Businesses must provide consumers with the ability to request that an organization deletes any data (with exceptions) which has been collected pertaining to them 
• Businesses must implement policies, procedures and mechanisms to adequately protect consumer data from intentional, accidental or malicious loss 

Regardless of any challenges that the implementation of the CCPA poses to organizations, it is clear that the Attorney General’s priority is one of consumer privacy first, stating that his office does not believe the regulations to be overly burdensome or impractical to implement. 

A spiderweb of compliance complexity 

In the most part, it is clear that the CCPA is mostly aimed at advertisers or organizations whose business model is one of productizing user data. But for organizations with a different focus, the complexities of the modern website can quickly result in them running afoul of compliance requirements. 

Most sites today comprise of a combination of first-party code and content, supplemented with third-party components to deliver capabilities such as analytic tracking, virtual assistants and checkout processing. While such components are often essential to the operation of a business’ virtual presence, they also process significant amounts of the organization’s customers data; data which the CCPA aims to protect. 

In the proposed amendments, third parties are expressly referenced meaning entities “with whom the business shares personal information” and includes “advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.” 

While the CCPA does offer some provisions for businesses to be insulated from blame where a third party loses customer data, there is a grey line widely open to interpretation – especially where a customer has made certain consent choices. If a customer has requested not to be tracked, but in implementing a virtual assistant, an organization inadvertently provides personal data to their third-party provider of such assistant. As such, the business could find themselves in violation of the CCPA and open to lawsuits. 

More than just a workflow 

Most organizations to whom the CCPA would apply have at least made an attempt to become compliant by implementing workflow solutions to handle user requests, such as data deletion and do-not-track, and while these solutions do satisfy certain aspects of the legislation, they do not do enough. 

In order to act upon user choices, almost all of these workflow solutions require some form of integration to the numerous components used within a website and for the providers of these components to honor any requests made. Given that in most instances, third-party compliance verification is not possible, most businesses are assuming risk – and in the event that one of their technology suppliers runs outside of the law, the business themselves would potentially be found responsible. 

In addition to workflow solutions, organizations should implement compliance enforcement which will ensure that any requests made by consumers are acted upon effectively. When looking at compliance enforcement options, businesses should ensure that they are capable of working not only at the (first-party) website level, but can also control data access to the site supply chain; the place which poses the largest compliance risk. 

Ensighten – security first compliance 

Ensighten is the leader in managing data access within a website through cutting-edge client-side controls throughout the website and supply chain. These security capabilities form the foundations of our consent enforcement technology, delivering an unrivaled ability to ensure compliance at every level of online customer interaction and prevent data leakage. 

With the final CCPA proposed regulations marking what is likely to become the beginning of litigation, organizations should now move to both ensure they are compliant and look to evaluate options where there are potential gaps and vulnerabilities.