Updated June 25, 2020

Since the California Consumer Privacy Act (CCPA) was signed in 2018, it has stirred up considerable controversy among tech companies, privacy advocates, and government officials. This regulation has fueled an increase in state laws and ushered in the possibility of a comprehensive federal privacy law. The road to implementation for the CCPA has been a winding one, and even though the law has already gone into effect, the journey to CCPA compliance is still ongoing. In this blog, we'll provide a closer examination of the CCPA's look-back requirement and reflect on the 2019 public forums hosted by the California Attorney General.

The CCPA 12-Month "Look-Back" Requirement

Although the CCPA went into effect on January 1, 2020, companies are responsible for managing consumer information dating back to January 1, 2019. This is because the CCPA has a 12-month “look-back” requirement that allows consumers to request their data records dating back a whole year from when the request is made. When a consumer makes a verifiable request for access of their personal information, organizations are required to provide consumers records covering the 12-month period preceding the date of request. These records must be supplied without delay and free of charge.

Exceptions to the look-back requirement include:

  • Organizations do not need to provide the same data to a consumer more than twice in a 12-month period.
  • Organizations are not required to retain any personal data collected for a one-time transaction, or if the data will not be sold or retained by the organization.

What Does This Mean for Your Organization?

The CCPA “look-back” requirement demands that companies have a strong understanding of the business processes surrounding consumer data. Companies will need to identify the types of personal information being collected, the purpose for collecting such information, where that data is being stored, and if it’s being sold to third parties.

The CCPA has already gone into effect, so companies should have already been maintaining accurate records of consumer information going back to January 1, 2019 in order to respond to any “look-back” requests. But, if your organization has not started modifying your data collection and inventory practices, here are a few things you can do moving forward: 

  • Identify collected records of personal information that date back to January 1, 2019 (12 months prior to January 1, 2020).
  • Perform a data mapping exercise to understand how your company collects, processes, transmits, and stores data, as well as how it’s used and who uses it.
  • Implement a 45-day timeline to respond to a consumer’s request for personal information.
  • Improve standards for inventorying and classifying personal information.
  • Create the necessary processes for responding to consumer requests in a prompt and timely manner.

CCPA Public Forums

To receive input on the CCPA, the California Attorney General conducted a total of seven public forums between January and March 2019. The topics discussed during these forums included the possible expansion or redefinition of personal information categories, exceptions that allow for state and federal law compliance, and the establishment of rules and procedures in favor of consumers. 

In October of 2019, the California Attorney General released proposed regulations for the CCPA that provided additional guidance for how to comply with the new law. These proposed regulations included the requirements surrounding:

  • Notices to consumers, such as what must be included in the notice and when the notice must be provided
  • The handling and processing of consumer requests, such as requests to delete information
  • The verification processes to ensure consumer requests are valid
  • The requirements for company privacy policies
  • The handling of special situations, such as if the consumer is a minor

The California Attorney General held another four public hearings in early December 2019 and encouraged the public to submit comments on the proposed regulations. Over 300 comments were received during this period, which ended just three weeks before the CCPA officially went into effect.

When the CCPA was first passed in 2018, privacy experts and legislators knew it was only the beginning of a long road to implementation, filled with amendments  and concessions from privacy advocates and tech companies. The public forums greatly impacted guidance on the CCPA and assisted the Attorney General in deciding how to enforce the regulation.

Yet, even though the CCPA has been in effect since January 2020, the California Attorney General submitted the final proposed regulations on June 1, 2020, just one month before the CCPA enforcement deadline. While it is unclear if these regulations will be approved by the California Office of Administrative Law, ensuring your organization aligns its business practices to address the CCPA “look-back” requirement now will help as consumer requests start rolling in.

Stay on Top of National Data Privacy Trends

Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.