Updated June 25, 2020
Since the California Consumer Privacy Act (CCPA) was signed in 2018, it has stirred up considerable controversy among tech companies, privacy advocates, and government officials. This regulation has fueled an increase in state laws and ushered in the possibility of a comprehensive federal privacy law. The road to implementation for the CCPA has been a winding one, and even though the law has already gone into effect, the journey to CCPA compliance is still ongoing. In this blog, we'll provide a closer examination of the CCPA's look-back requirement and reflect on the 2019 public forums hosted by the California Attorney General.
Although the CCPA went into effect on January 1, 2020, companies are responsible for managing consumer information dating back to January 1, 2019. This is because the CCPA has a 12-month “look-back” requirement that allows consumers to request their data records dating back a whole year from when the request is made. When a consumer makes a verifiable request for access of their personal information, organizations are required to provide consumers records covering the 12-month period preceding the date of request. These records must be supplied without delay and free of charge.
Exceptions to the look-back requirement include:
The CCPA “look-back” requirement demands that companies have a strong understanding of the business processes surrounding consumer data. Companies will need to identify the types of personal information being collected, the purpose for collecting such information, where that data is being stored, and if it’s being sold to third parties.
The CCPA has already gone into effect, so companies should have already been maintaining accurate records of consumer information going back to January 1, 2019 in order to respond to any “look-back” requests. But, if your organization has not started modifying your data collection and inventory practices, here are a few things you can do moving forward:
To receive input on the CCPA, the California Attorney General conducted a total of seven public forums between January and March 2019. The topics discussed during these forums included the possible expansion or redefinition of personal information categories, exceptions that allow for state and federal law compliance, and the establishment of rules and procedures in favor of consumers.
In October of 2019, the California Attorney General released proposed regulations for the CCPA that provided additional guidance for how to comply with the new law. These proposed regulations included the requirements surrounding:
The California Attorney General held another four public hearings in early December 2019 and encouraged the public to submit comments on the proposed regulations. Over 300 comments were received during this period, which ended just three weeks before the CCPA officially went into effect.
When the CCPA was first passed in 2018, privacy experts and legislators knew it was only the beginning of a long road to implementation, filled with amendments and concessions from privacy advocates and tech companies. The public forums greatly impacted guidance on the CCPA and assisted the Attorney General in deciding how to enforce the regulation.
Yet, even though the CCPA has been in effect since January 2020, the California Attorney General submitted the final proposed regulations on June 1, 2020, just one month before the CCPA enforcement deadline. While it is unclear if these regulations will be approved by the California Office of Administrative Law, ensuring your organization aligns its business practices to address the CCPA “look-back” requirement now will help as consumer requests start rolling in.
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.