Skip to main content
close search
site logo
Dive Brief

As California data privacy law looms, draft rules revealed

Published Oct. 14, 2019
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Ryan McKnight for CIO Dive

Dive Brief:

  • As companies prepare for the California Consumer Protection Act (CCPA) to go into effect Jan. 1, 2020, the state's Attorney General Xavier Becerra​ released draft regulations for compliance. The attorney general's office can begin enforcing CCPA in July, six months after its enactment.
  • The regulation requires businesses confirm a consumer's request to know or delete data within 10 days of receiving an inquiry. Businesses have to act on the request within a 45-day period, "regardless of time required to verify the request," according to the draft regulations. 
  • The regulations are broad-sweeping in identifying those who need to be compliant. Under the Civil Code section, any person or entity that provides services to a person or organization "shall be deemed a service provider for the purposes of the CCPA," according to the document.

Dive Insight:

While the road to data privacy legislation in the U.S. is nowhere near complete, California started paving it in 2018. Currently there's no federal data privacy law in sight, so state governments are picking up the slack. 

In the interim, the Federal Trade Commission (FTC) is seeking greater authority from Congress to pursue data misuse cases. While the FTC can't act in the same way GDPR's data watchdogs can in terms of penalties, there are exceptions. 

In July the FTC handed Facebook a $5 billion fine, nearly 20 times greater than the amount of a privacy or data security penalty "ever imposed worldwide." 

Still, the FTC largely lacks the muscle needed to enforce data privacy. The CCPA, as of right now, has the opportunity to provide that muscle. 

California legislators were crafting the CCPA right before GDPR went into effect last year. Though not directly modeled after the European Union's regulation, the CCPA is largely considered the first step toward a comprehensive law in the U.S.

The expectation for GDPR is not perfection, but its initial fines put a spotlight on how seriously companies are taking compliance. Does a business have the relevant protective measures in place? If the answer is no, a greater fine could be determined. 

U.S. companies adopted a lot of GDPR's policies, whether or not they have business in the European Union, as they prepare for a U.S. version. 

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
New Research Reveals AI's Impact on IT's Power, Status, and Pay
From 1E
November 21, 2024
PointFive is Apparently the Hottest Cloud Startup, Here is Why
From Jordan Mitchell
November 21, 2024
Graphiant Predicts Transformative Changes in Enterprise Connectivity and Data Assurance for 20…
From Graphiant
November 20, 2024
Legion Technologies Partners with Vail Resorts to Expand Workforce Management Across 37 Resort…
From Legion Technologies
November 19, 2024
Editors' picks
Latest in IT Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell