Californians who have noticed new warnings, disclaimers and privacy policies on websites are experiencing the first wave of changes brought about by the tough new California Consumer Law.
The CCPA entered into force on January 1. Enforcement will not start until July. In the meantime, Attorney General Xavier Becerra has published legislative proposals, and technology companies have struggled to understand what they can and cannot do to be in line.
Under the CCPA, consumers have the right to request a copy of the data that tech companies like Google and Facebook have collected on them. You have the right to request the deletion of your data if you no longer want the companies to have it. You have the right to prevent companies from selling the data to third parties.
However, there is no one-size-fits-all process for handling these requests, and some users were frustrated that they could not find the “data portal” where they could request a copy of their data or their deletion. According to the consulting firm PwC, only 40% of the 600 largest US companies have a data portal for inquiries under the Data Protection Act.
One problem is to confirm the identity of the person making the data request. Companies that do something wrong can inadvertently disclose confidential personal information to the wrong person. However, requesting sensitive identification information such as full social security numbers carries the risk of a data breach. Verizon prompts customers to upload their driver’s license or status ID. Comcast goes one step further and asks customers to send a selfie before data requests are considered.
Businesses could face heavy fines for not complying with the law or high lawsuits for identity thief fraud.
Becerra published draft CCPA regulations in October and released revised regulations on Friday. The updated rules, which reflected around 200 public comments, were revised again on Monday. The change clarified that only companies that collect, sell, or share the information of at least 10 million Californians annually are required to report annually how many consumers have made CCPA requests and how quickly the company has responded. Friday’s rules set the threshold for this reporting requirement at 4 million Californians a year.
A new public comment period now runs until February 25th. Becerra has until July 1st to complete the regulations.
However, some companies argue that if the regulations aren’t final, they won’t be able to comply with the complex law until July 1st. You are asking for a delay.
You could get more than that from privacy advocates who are frustrated by industry resistance. Alastair Mactaggart, who proposed an election initiative for data protection rights in 2018 that led the legislator to pass the CCPA, is now proposing another election initiative. The new law, known as the California Privacy Rights and Enforcement Act, would restrict the collection and use of data and would increase disclosure requirements for all companies. In addition, large data companies would have to carry out cybersecurity and risk assessments. The measure requires around 623,000 verified signatures by June 25 to be able to participate in the November 2020 vote.
Regardless, the legislator could tinker with the Consumer Protection Act and also consider new laws that deal with the data protection and privacy of employees in business transactions.
The fight for data protection has only just begun.