5 Takeaways From the Newly-Modified CCPA Regulations

March 6, 2020


On February 10, the California Attorney General’s office published modified CCPA regulations. Some of these changes substantially revise previous regulatory proposals that were published in October of last year—including revisions to the consumer notices requirements for receiving and responding to Data Subject Access Requests (DSARs).

These changes follow the public commentary period, which ended last week on February 25, but the final changes are still up for debate. The AG’s office is expected to publish their final regulatory guidance in advance of the CCPA’s anticipated July 1 enforcement date.

David Stauss, a partner at Husch Blackwell, offers his commentary on the regulatory changes below, while Exterro’s Director of Strategic Planning Rebecca Perry tells us what those changes mean to those in the industry.

Updates to the CCPA Regulations

The modified regulations affect five primary areas: responding to consumer requests, clarification of the timeframes in which to respond to those requests, new exemptions from responding to requests, changes to online privacy policy requirements, and updates regarding biometric information.

Receiving “Requests to Know” (DSARs)

“The modified proposed regulations no longer mandate that companies use an interactive webform to receive requests to know,” says Stauss. “Despite this change, businesses should still strongly consider using interactive webforms to streamline the request process by collecting necessary information from the requestor at the point of the initial request.”

What These Changes Mean:

“Having a portal can help streamline the process, but I think the bigger challenge lies in addressing how to securely collect data across various applications, disparate unstructured sources, and even third parties,” says Perry. “How are you going to review and redact sensitive personal information? How are you going to securely provide this back to data subjects? The online portal is just one component of the bigger picture, and addressing more important data management concerns should be the priority.”

Clarification of Timeframes to Respond

“The modified regulations clarify that businesses have 10 business days to confirm receipt of requests to know, and 45 calendar days to substantively respond,” says Stauss. “While linking the 45-day response timeframe to calendar days is not surprising, it reinforces the need for businesses to proactively take steps to respond to requests.”

Stauss goes on to say that this includes inventorying data flows, developing workflows and response templates, assigning internal responsibility for handling requests, analyzing any applicable exemptions, and substantively responding (including collecting or deleting personal information).

What These Changes Mean:

“It’s clear that companies must have a well-orchestrated process to manage requests in compliance with these timeframes,” says Perry. “Developing robust, automated workflows with built-in calendaring, template responses, and escalations will be essential to meeting these tight timelines and developing an audit trail.”

New Exemptions for Responding to Requests to Know (DSARs)

Stauss says that businesses will no longer have to respond to requests to know if they meet the following four criteria:

  • The business does not maintain the personal information in a searchable or reasonably accessible format
  • The information is maintained solely for legal or compliance purposes
  • The business does not sell the information or use it for any commercial purpose
  • The business describes to the consumer the categories that may contain personal information that it did not search because it meets these conditions

“An example could be records that a business stores only because a law requires the business to maintain them for a set period of time,” says Stauss.

What These Changes Mean:

“This exemption makes it even more critical for companies to develop a granular data inventory that clearly documents legal and regulatory obligations, including record retention regulations, that is also harmonized with any current and applicable legal hold obligations,” says Perry. “This logic must be documented for defensibility.”

Biometric Information Cannot Be Provided in Response to a Request to Know

“Businesses are now forbidden from turning over biometric information in response to a request to know,” says Stauss. “Businesses already were forbidden from turning over information such as Social Security numbers, driver’s license numbers, and financial account numbers.”

What These Changes Mean:

“For every request to access data, companies must have an effective and secure way to review potentially responsive personal information and redact sensitive information that now includes Biometric Information as well as other elements like Social Security numbers, driver’s license numbers, credit cards, etc.,” says Perry.

Changes to Online Privacy Policy Requirements

“The AG’s office modified the requirements for online privacy policies, including making changes to the content and format,” says Stauss. “Businesses will need to revise their online privacy policies to align them with these changes.”

To read the full regulations, visit the CCPA regulatory rulemaking site.
