Third Set of Modifications to CCPA Prompts California Businesses to Revisit Policy on Consumer Data Privacy

The comment period has closed on the third round of proposed changes to the California Consumer Protection Act (“CCPA”), which were announced October 12, 2020, by the California Office of the Attorney General. There are a number of disputes regarding how the proposed revisions will impact a California consumer, but a number of the proposed revisions appear to address the manner in which a consumer may engage in the opt-out collection process.

The Office of the AG will evaluate the comments and send the proposed regulations for approval by the state’s Office of Administrative Law. The changes, scheduled to take effect on January 1, 2021, will apply to all businesses that satisfy the threshold CCPA requirements. The threshold question is whether the business conducts operations in the State of California and:

  • has a gross annual revenue of over $25 million worldwide;
  • buys, receives or sells personal information of more than 50,000 California residents, households, or devices; or
  • derives 50% or more of its annual revenue from selling California consumer personal information.

The current CCPA language allows for a business to create or implement its own opt-out process or language. There are a number of very confusing terms that a consumer may not reasonably understand. From our review, the proposed changes now require businesses to use ‘non-confusing’ language.

The original rulemaking package and all related documents can be found on the CCPA Regulations page. The Text of Third Set of Proposed Modifications – Comparison Version, pdf can be found here.

The New California Privacy Rights Act to Bring More Change

The underlying confusion that has surrounded the state’s new data privacy laws, however, may linger for some time. As of the drafting of this blog, California voters have approved Proposition 24 – the California Privacy Rights Act (“CPRA”), which is thought to provide California consumers with certain privacy rights and that creates the California Privacy Protection Agency (“CPPA”) that may enforce and implement California privacy laws.

Since the CCPA is still being revised and updated by the California Legislature, it is unlikely that the CPRA will dispense of the CCPA. Rather, approval of the CPRA may result in the underlying concepts being incorporated into the next round of CCPA revisions. As changes continue to occur, and because these two concepts are very similar, it’s important that businesses clearly understand the distinctions between the CCPA and CPRA.

Jacko Law Group cites two possible areas the CPRA may have an impact on the current version of the CCPA once the CPRA becomes law on January 1, 2023. One area of discussion is that the CPRA could restrict who is required to comply with the consumer protections detailed in the CPRA. Specifically, it is thought that the CPRA may limit the definition of what is considered a “business” and may exclude a number of smaller businesses that are now covered by the CCPA. The second area of discussion with the CPRA is a new right for consumers to make corrections to the collected material.

The CPRA may grant consumers a right to request that a business correct inaccurate personal information maintained by the business about the consumer, taking into account the nature of the personal information and the purposes of collecting the personal information.

Mitigate the Risk of Data Privacy

If you’re concerned whether your business is prepared for the next wave of changes coming to California’s data and consumer privacy laws, you’re not alone. Let the experienced team at Jacko Law Group assess your readiness and address the need for any updates to your data and consumer privacy protection policies. Contact us at 619.298.2880 or to schedule a strategy session that can help your business remain compliant with California’s evolving data and consumer protection laws.

Leave a Reply

Your email address will not be published. Required fields are marked *