New CCPA Regulation Enforcement Delayed Until March 2024
On June 30, 2023, the Sacramento County Superior Court determined that the Agency must wait 12 months to enforce any regulations under the 2020 CPRA amendments but could begin enforcing any CCPA regulations already in effect.
When it passed back in 2018, the California Consumer Privacy Act became the most stringent US privacy law. Mirroring many requirements from the European Union (EU) General Data Protection Regulation (GDPR), the new law sought to give people more control over their data. In November of 2020, California voters passed the California Privacy Rights Act (CPRA) through a ballot initiative, amending the CCPA and establishing additional compliance requirements.
The CPRA’s enforcement requirements tasked the California Privacy Protection Agency (the Agency) with adopting final implementing regulations by July 1, 2022, noting that enforcement would begin no earlier than July 1, 2023.
Throwing a glitch into the enforcement timelines, the Agency only completed the first set of regulations under the CPRA on March 29, 2023. This delay created questions around whether the implementing regulations should be enforced beginning on July 1, 2023.
On June 30, 2023, the Sacramento County Superior Court determined that the Agency must wait twelve months to enforce any regulations under the 2020 CPRA amendments but could begin enforcing any CCPA regulations already in effect.
What is CCPA?
The California Consumer Privacy Act of 2018 (CCPA) is the first US law formally granting people rights and control over their personal information. Similar to the GDPR, the CCPA’s extraterritorial reach applies to all California residents no matter where they currently are.
As enacted in 2018, the CCPA identified the following six consumer rights:
Know the information collected
Know the information sold or disclosed
Ability to opt-out of data sharing
Ability to access data
Protection against discrimination
Request that data be deleted
In November 2020, California voters passed the California Privacy Rights Act (CPRA), updating and amending the CCPA. These additions included:
Right to correct
Right to limit use
Further, the CCPA, as amended, also requires businesses to:
Complete risk assessments
Engage in cybersecurity audits
Refrain from automated decision-making
Which CCPA Regulations are Currently Enforced?
The Sacramento County Superior Court’s language creates confusion, especially since cross-referencing with the California Office of the Attorney General (OAG) website fails to distinguish the different enacting regulations.
The OAG has been sending CCPA noncompliance notices since July 1, 2020, and is allowed to continue to enforce these requirements.
1. Right to Know
Consumers have the right to ask businesses about the:
Categories of personal information collected.
Specific pieces of personal information collected.
Categories of sources used to collect information.
Purpose for using information.
Categories of third parties with which the business shares personal information.
Categories of information sold or disclosed to third parties.
2. Right to Deletion
Consumers have the right to:
Ask businesses to delete collected personal information.
Ask businesses to tell service providers to delete sold or disclosed data.
3. Right to Opt-Out
Consumers have the right to request that businesses:
Stop selling or sharing personal information.
Stop targeted advertising based on personal information obtained from online activity across numerous websites.
Businesses must wait 12 months before asking consumers if they want to opt back into data sale or sharing.
4. Right to Non-Discrimination
If consumers exercise their rights under the CCPA, businesses cannot:
Deny goods or services.
Charge a different price for goods or services.
Provide a different level or quality of goods and services.
If a business offers promotions, discounts, or deals as a financial incentive for sharing data, opt-out requests may impact consumer participation in those activities.
5. Privacy Policy
Businesses must provide consumers with an easy-to-understand policy that explains online and offline practices related to personal information, such as:
Collection
Use
Sharing
Sale
The privacy policy must also explain people’s privacy rights and how to exercise them.
Which CCPA Regulations Will Be Enforced in March 2024?
Companies subject to the CPRA have until March 2024 to comply with the two new rights that the CPRA added.
1. Right to Correct
Businesses must correct inaccurate consumer data when consumers ask them to.
2. Right to Limit
Consumers can request that businesses only use sensitive information on a limited basis, like for requested services.
Requirements Not Yet Drafted
Finally, as of June 30, 2023, the Agency had yet to finalize regulations implementing the following three areas:
Risk assessments
Cybersecurity audits
Automated decision-making
Businesses will have 12 months from the final publication of the enacting regulations to comply with the requirements.
What Does This Mean for Businesses?
For businesses, the majority of CCPA requirements remain intact, especially since the OAG has already sent noncompliance notices. While companies have some breathing room around responding to requests for correction and limitation on data use, the nine months remaining until enforcement begins provide very little runway.
Further, even though companies have twelve months from the publication of the risk assessment, audit, and automated decision-making requirements to comply, waiting until the last minute could prove chaotic. In the case of CCPA compliance, proactive organizations are more likely to limit their risk of fines and lawsuits.
To experience Drata’s ability to help you accelerate your CCPA compliance, contact us for a demo today.