California attorney general submits rules proposal as CCPA enforcement nears

Dive Brief:

California Attorney General Xavier Becerra submitted the final regulation proposal for the California Consumer Privacy Act Tuesday and included guidance on how to calculate the value of consumer data.
Becerra previously said the value of a consumers data was directly tied into the monetary value it brings to the business. However, to better understand consumer data's value, Becerra is asking businesses to "consider," not "use" the given factors in making that determination. Factors include the aggregate value and profit of data in a sale or collection.
The final proposal rejected additional CCPA workarounds for circumventing CCPA compliance for more businesses. In response to requests to know — what data is collected and why — some businesses are "not required to search for personal information" if they meet specified conditions. Among accordance with other conditions, if a business does not maintain consumer data in a "searchable or reasonably accessible format," they are not required to search for personal information.

Dive Insight:

Companies compliant with General Data Protection Regulation are fast-tracked to CCPA compliance. Though the regulations differ in a few key areas and definitions, the methodology is similar: Privacy compliance is reflected in business policy changes.

The final proposal considered rejecting alternatives to consumers' "use of user-enabled privacy controls" that signal their desire to universally opt out of data transactions because businesses might refuse to acknowledge discretionary tools. Becerra said the regulation could also spur more privacy innovation.

The latest revisions also clarified previous ambiguities in "areas where the original requirements were overly onerous on businesses without providing meaningful benefit to consumers," said Buno Pati, CEO of Infoworks, in an email to CIO Dive.

One of the original draft requirements made businesses that don't directly collect consumer data to provide their customers with "signed attestations from notices' data sources, provided at collection," according to Pati.

Regulations filed between June 1 and Aug. 31 typically take effect on Oct. 1, according to the Office of Administrative Law. The OAL has 30 working days and 60 calendar days determine if the regulations "satisfy the procedural requirements of the Administrative Procedure Act," according to the California AG.

The CCPA underwent several rounds of amendments since it was signed into law in June 2018. In October, Becerra released draft regulations, which includes provision for a consumer's right to know or delete data within 10 days of an inquiry. Businesses were given a 45-day period "regardless of time required to verify the request" to complete the action. The rule remains in the final proposal.

Businesses were already inundated with consumer requests in January, when the CCPA went into effect. Companies averaged more than 25 privacy requests per 1 million consumer records, according to DataGrail. The uptick, in part perpetuated by bots, strained manual processes for requests.

Companies are reckoning with data mapping challenges, and depending on the sensitivity of the requested data, what format is best to release it on: password-protected PDF file, download, CVS file or CVP file.

Even though companies had time to prepare for the CCPA's Jan. 1 enactment, the coronavirus pandemic left some organizations asking for an enforcement delay.

"It is true that COVID-19 and the accompanying increase in online activity further highlights the need for data privacy," said Pati. However, the pandemic disrupted already inflexible foundations for privacy compliance. "The real challenge will be the July 1st enforcement date."