The California Consumer Privacy Act took effect in January, with enforcement officially beginning on July 1, despite pushback from some organizations and companies to the law that offers California residents access to, and more control over, personal data collected on them by businesses.
Organizations such as the Association of National Advertisers requested a delay to the enforcement date, citing several reasons, including confusion over specifics within the law, and financial and logistical worries related to COVID-19.
The state responded with numerous updates and clarifications. One of the main requirements of the law-that customers are notified of their rights at or before the point of personal data collection-was recently clarified, according to an article in JD Supra.
In addition, service providers now have more flexibility in how they can use, retain, and disclose personal information. Further clarifications allow for service providers to use a subcontractor to improve services, mitigate security risks, and comply with applicable laws. They are under no obligation to give a detailed response to any consumer request, and instead can refer the consumer directly to the business.
When it comes to consumer requests, the state confirmed businesses are required to verify and respond within specific timeframes. For example, a consumer request to opt out of the sale of their personal information must be fulfilled within 15 days. Companies have to provide at least two methods of submission–not just email–for most types of consumer requests. They need to treat consumer-enabled privacy controls, such as disabling cookies, as a valid request to opt out of the sale of their personal information.
The updates and clarifications may give businesses a bit more leeway as they work quickly to meet the law’s requirements. CCPA enforcement may experience “some bumps in the road,” since the law is the first of its kind in the U.S., according to Adweek. Many businesses have been preparing since the law took effect in January, and have already taken concrete steps to comply.
Media organizations, such as Vox, have already made platform additions for advertisers; others, including Bloomberg, are working on overhauling their previous data strategies. Companies that haven't started making changes to meet CCPA regulations need to work fast to create compliant policies now that enforcement has begun.
Please visit LRN’s resource page for more on CCPA and other data privacy laws and issues.
About the Author
Ethics and compliance leader providing tools, education, and advisory services for global companies to inspire principled performance.More Content by LRN Corporation