The California Consumer Privacy Act (CCPA) is slated to go into effect on Jan. 1, 2020. I recently attended one in a series of informal public rulemaking workshops being held by the state attorney general’s office to get an understanding of the concerns held by those who will be affected.
The workshop was attended by about 100 people representing concerned California residents, privacy lawyers, corporate legal counsels, privacy advocacy organizations and the media. Not surprisingly, the questions and the interpretations of the rules varied widely among these groups. Some residents called for stricter enforcement while others set out to define what is and what is not considered personal information.
The state has divided the categories for comment into the following:
- Categories of personal information
- Definition of unique identifiers
- Exceptions to CCPA
- Submitting and complying with requests
- Uniform opt-out logo/button
- Notices and information to consumer, including financial incentive offerings
- Verification of consumer’s request
Here are some of the key requests for clarification/definition that were mentioned during the workshop:
- Lower the levels that determine who must comply with the CCPA. (The thresholds are now $25 million in annual revenues or 50,000 consumer records or primarily in the business of selling personal data.)
- Define or calculate the value of user data. How will the state assign a price/value to personal information?
- Define the term “sale of personal information.”
- Can identifiable/associated data be removed and the remaining disassociated data be used or sold?
- Define what information on employees can be retained and for how long during/after employment if they opt out.
- Define the “minimal level of security” required for companies to protect personal information. Recommend using CIS top 20.
- Will a compliance certificate be made available to companies?
- Clarify the requirements when personal data is attached to the sale of a financial product like a mortgage.
These requests are considered informal comments that are taken into consideration by California’s Office of the Attorney General during the rulemaking process. Formal hearings will be held in the fall of 2019 once all rule proposals and clarifications have been made by the A.G. The office is accepting comments on the new law’s definition and enforcement through March 8. Full details can be found here.
Not based in California, or don’t conduct business in California? It is still important to check with your state legislature and be informed. Most states are considering stricter personal information laws. Protecting your customers’ data and your revenue is more important than ever.