Has it been a year already? Many businesses diligently made sure they did their best to hit the moving CCPA target as they welcomed 2020 and the effective date of the statute last year. A year ago, all we had were draft regulations and a statute, and businesses had to do their best to comply. So, it is not surprising many CCPA disclosures had an effective date of January 1, 2020. But if that is the last time your disclosures were reviewed, your business is signaling non-compliance with CCPA.
- Section 999.305(a)(3) of the original draft regulations required a business to get “explicit consent” if it intended to use the personal information for a materially different purpose than what was explicitly disclosed at collection. This language contemplating “explicit consent” has been removed entirely in the final regulations.
- The original draft regulations gave businesses the option to use the link title “Do Not Sell My Personal Information” or “Do Not Sell My Info.” While many chose the latter, this option was removed in subsequent revisions and only “Do Not Sell My Personal Information” remains as the specified link title (see, e.g., Section 999.305(b)(3)).
- The original draft regulations had a process whereby a business that did not directly collect information from a consumer could only sell it by obtaining a signed attestation that the source provided a “Do Not Sell” link. This option was removed entirely and replaced with an implied requirement that a business that does not directly collect information must still provide a notice at collection if they sell the consumer’s personal information (see 999.305(d)).
- The original draft regulations required an “interactive webform” as a method of submitting verified consumer requests but this affirmative requirement has been removed (see final regulations Section 999.312(a) that requires a toll-free number and one other method).
Although CCPA makes this type of annual review a regulatory requirement, privacy is an evolving area of law and privacy reviews should be built into the organizational compliance process of any business. Staying on top of privacy laws, regulations, guidance, and requirements is becoming even more important as we move into 2021, which is likely to be another landmark year for privacy.