CCPA 1.0 vs. 2.0: What’s Changing and How Will It Impact You?
The California Consumer Privacy Act (CCPA) is proving to be a moving target. There’s been lots of back and forth as the California Attorney General shares proposed changes and receives feedback in at least two rounds of comments before the July 1 enforcement date.
Amendments address aspects of consumer privacy that were overlooked or addressed incompletely in the original CCPA.
In the short time since CCPA took effect, your customers have become more CCPA-savvy. There’s been more media coverage informing consumers of their data privacy rights and explaining how to exercise those rights. Their expectations for a positive privacy experience are rising.
Businesses must remain flexible to accommodate changes in the law as well as consumer expectations. Any technology you use to operationalize privacy compliance should be equally adaptable.
Why all the change?
The law was written in a rush. When it went into effect on January 1, 2020, lawmakers warned that there would be ongoing changes.
The Attorney General is using an iterative process to clarify the law before enforcement begins. All this back and forth allows for ample public comment, ensuring that the proposed regulations facilitate consumers’ rights under CCPA and provide compliance guidance to businesses.
Every round of revisions remedies gaps and shortcomings in the law, making it more clear, comprehensive, and fair.
2020 timeline for CCPA
In the short time since CCPA went into effect, the AG’s office has published two sets of modifications for public comment. The modified regulations released on February 10, 2020 had public comments due back to the Attorney General by February 25. For the second set of modifications, released on March 11, the deadline for submitting written comments is March 27.
The Attorney General’s office is expected to issue another set of revisions or a final set of regulations before enforcement is scheduled to go into effect on July 1, 2020.
Note that there’s been significant pushback on the enforcement date, which may change this schedule. In January 2020, advertising industry groups were already seeking a six-month delay in enforcement, citing the “extraordinary complexity of the law and the wide range of open issues to be clarified.” On March 19, 2020, almost three dozen trade associations sent a letter to the Attorney General saying they need more time to operationalize the law given the current coronavirus crisis.
Even with enforcement dates in question, it’s useful to take a look at the recent clarifications and modifications proposed in “CCPA 2.0” to make sure you’re prepared.
What’s changing in CCPA 2.0?
First, the AG’s office has cleared up some ambiguities with these notable clarifications:
- Expanding the definition of “household” data to apply not only to people who live at the same address, but also to people who share a common device or service from a business, and are identified as sharing the same account or unique identifier.
- Adding examples of “categories of [data] sources” and “categories of third parties” that must be disclosed to consumers.
Beyond these language clarifications, additional modifications impact how businesses should interact with consumers when handling requests and verifying consumer identity.
Flexibility for consumers submitting requests
The updates allow more flexibility for consumers to communicate their requests to businesses, specifically:
- Businesses must accept requests via email in addition to web forms.
- Methods of submitting requests cannot be a barrier to making access requests.
- Intake methods for requests should reflect how the business normally interacts and communicates with the consumer.
In February 2020, modifications to CCPA provided an option of an opt-out icon for websites. They even specified that the icon must be placed to the left of the “Do Not Sell My Info” link and must be the same size as other buttons on the webpage.
The Attorney General has since received written comments arguing that the proposed icon was confusing. The objections were recently validated in a study led by Internet design experts at Carnegie Mellon University.
One month later, the second set of modifications deleted those specifications and the proposed icon from the draft law. Instead, version 2.0 proposes an optional “Do Not Sell” icon but requires the use of a “Do Not Sell” link regardless of whether the icon is posted.
Verification of consumer identity also gets closer scrutiny with the following modifications:
- Eliminating use of a consumer’s credit card security code as a method of verification.
- Consumers can’t be required to pay a fee for identity verification.
- Businesses must establish, document, and comply with a reasonable method for determining whether a person submitting a request on behalf of a child under the age of 13 is the parent or guardian.
- Businesses can deny a request if they can’t verify the identity of the requestor.
This last point creates a new scenario, which is addressed in the second set of proposed modifications: if a business denies a request to delete and the consumer has not already opted out, the business must ask the consumer if they would like to opt out of the sale of personal data, and include either the notice of right to opt-out, or a link to it.
Another important aspect of the modifications provides for non-discrimination when handling consumer requests. The modifications state that all notices must be reasonably accessible to consumers with disabilities. For notices provided online, businesses must follow the Web Content Accessibility Guidelines (WCAG) 2.1, which are generally recognized industry standards.
Non-discrimination also applies to businesses that may entice consumers to provide their personal data in exchange for something of value. The modifications state that businesses shouldn’t offer financial incentives to consumers in exchange for the use of their data if they’re unable to calculate a good-faith estimate of the value of the consumer’s data or can’t show that the financial incentive is reasonably related to that value.
The second round of modifications clarifies the meaning of ‘financial incentive’ by defining it as ‘a program, benefit, or other offering, including payments to consumers, related to the collection, retention, or sale of personal information.’
Easing the burden on businesses
CCPA 2.0 adapts some areas of the law which businesses argued would create an excessive burden for compliance.
For example, the February 2020 modifications relax the reporting requirement for businesses by increasing the threshold for transparency reporting from 4 million to 10 million consumers.
The March 2020 modifications specify that if businesses neither collect personal information directly from consumers, nor sell that information, they don’t need to provide a notice at collection.
How should your business adjust to the changes?
You should expect that CCPA and other data privacy laws will continue to evolve. Businesses need to keep up with the changes or risk undercomplying or overcomplying.
Businesses should look to privacy management technology to simplify and streamline privacy compliance. Be sure to choose a privacy management solution that’s flexible enough to adapt to changes and accommodate new state, federal or international privacy laws.
Most importantly, stay focused on the needs of your customers. Make sure every step of their data privacy journey is transparent and builds trust with your brand.