Skip to main content
close search
site logo
Dive Brief

As California data privacy law looms, draft rules revealed

Published Oct. 14, 2019
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Ryan McKnight for CIO Dive

Dive Brief:

  • As companies prepare for the California Consumer Protection Act (CCPA) to go into effect Jan. 1, 2020, the state's Attorney General Xavier Becerra​ released draft regulations for compliance. The attorney general's office can begin enforcing CCPA in July, six months after its enactment.
  • The regulation requires businesses confirm a consumer's request to know or delete data within 10 days of receiving an inquiry. Businesses have to act on the request within a 45-day period, "regardless of time required to verify the request," according to the draft regulations. 
  • The regulations are broad-sweeping in identifying those who need to be compliant. Under the Civil Code section, any person or entity that provides services to a person or organization "shall be deemed a service provider for the purposes of the CCPA," according to the document.

Dive Insight:

While the road to data privacy legislation in the U.S. is nowhere near complete, California started paving it in 2018. Currently there's no federal data privacy law in sight, so state governments are picking up the slack. 

In the interim, the Federal Trade Commission (FTC) is seeking greater authority from Congress to pursue data misuse cases. While the FTC can't act in the same way GDPR's data watchdogs can in terms of penalties, there are exceptions. 

In July the FTC handed Facebook a $5 billion fine, nearly 20 times greater than the amount of a privacy or data security penalty "ever imposed worldwide." 

Still, the FTC largely lacks the muscle needed to enforce data privacy. The CCPA, as of right now, has the opportunity to provide that muscle. 

California legislators were crafting the CCPA right before GDPR went into effect last year. Though not directly modeled after the European Union's regulation, the CCPA is largely considered the first step toward a comprehensive law in the U.S.

The expectation for GDPR is not perfection, but its initial fines put a spotlight on how seriously companies are taking compliance. Does a business have the relevant protective measures in place? If the answer is no, a greater fine could be determined. 

U.S. companies adopted a lot of GDPR's policies, whether or not they have business in the European Union, as they prepare for a U.S. version. 

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Newgen and Fadata Join Forces to Optimize Insurance Content Management
From Newgen Software
November 13, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
NeuBird Named a Cool Vendor in the 2024 Gartner® Cool Vendors™ in IT Operations Leveraging Gen…
From NeuBird
November 11, 2024
Blackpoint Cyber Launches Global Partner Program and Enablement Platform Emphasizing a Focus o…
From Blackpoint Cyber
October 30, 2024
Editors' picks
Latest in IT Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell