The CCPA’s evolving implementation rules: how to keep up with confidence

Start adding items to your reading lists:
Save this item to:
This item has been saved to your reading list.


The California Consumer Privacy Act (CCPA), the first comprehensive privacy regulation in the United States, officially went into effect January 1, 2020, but the rulemaking to implement the law continues to evolve. On February 7, California Attorney General Xavier Becerra released draft regulations for implementing the CCPA, designed to help businesses interpret and comply with the law. The new release incorporates changes in response to feedback received during the 45-day public comment period following the release of the October 11, 2019 draft. If any substantive changes are made, another draft must be posted, allowing at least 15 days for public comment on the revisions. On March 11, the AG released updated draft regulations with additional modifications, allowing until Mar. 27 for public comment. The AG must then submit the final rulemaking record to the Office of Administrative Law for approval and submission to the Secretary of State for finalization of regulations implementing the CCPA.

Revised regulatory requirements could trigger operational changes

As of Jan. 10, PwC’s analysis of the websites of the 600 largest publicly traded companies and 100 largest privately held corporations found that only 16% provided a do-not-sell (DNS) link. Just 40% offered operational CCPA rights portals, and of these, the majority restricted those rights to Californians.

For those companies that have already started complying or are currently mid-stream in their efforts, the revisions in the Feb. 7 and Mar. 11 releases may mean operational changes. Some of these changes may require redesign of the DNS portal and consumer-facing websites, while others may require revisions around the processes for responding to customer requests and for determining when to notify third parties of the sale of personal information. 

More modifications may be made in the coming months. Regulators face the challenge of a balancing act: how can consumers’ privacy be protected without making it too burdensome and costly for businesses to comply? Already privacy advocates have said that changes in the Feb. 7 release have made it harder for people to exercise their rights, weakening consumer protection. Attorney General Becerra issued another set of revisions after reviewing the comments on the Feb. 7 draft on Mar. 11, with the goal of issuing finalized regulations before enforcement begins July 1, 2020.

How can companies keep up with the evolving rules?

For some organizations, new tools, like Risk Atlas, can help when it comes to navigating evolving CCPA requirements. Risk Atlas offers a single source of truth by centralizing myriad global privacy, security and data protection laws, regulations, secondary materials and enforcement actions from more than 2,000 sources.

Beyond a catalog of privacy laws, Risk Atlas provides a customized view on CCPA and other global regulations through the lens of regions, industries and business processes specific to an organization. It identifies updates and revisions, with links to official documentation, evaluates an organization’s exposure to privacy risk with a Global Risk Analysis and risk score and offers a roadmap, providing visibility to plan and track tasks, level of effort, costs and resulting risk reduction through up-to-date reporting. The tool effectively enables a company to confidently develop a privacy and security strategy while simultaneously meeting CCPA compliance goals.

Which Feb. 7 revisions will have the greatest impact?

1. A simpler opt-out process

The proposed modifications mandate an easy opt-out process, eliminating multiple steps or pre-selected settings, which can create technical burdens for consumers. Consumers are required to make a choice to opt out, and the method for opting out must be clearly communicated. The example of an opt-out button provided in the first set of draft regulations was removed in the second set of modifications. The format of the notice of the right to opt out should draw the consumer’s attention, and be easily readable, even on smaller screens.

View more

2. Less stringent parameters to notify third parties of the sale of personal information

A business that receives a consumer’s opt-out request is only required to notify third parties to refrain from selling that consumer’s personal information if it sells the personal information in the time period between the submission of request and the fulfillment of that request. Prior to this change, the business was required to notify all third parties to which it sold the consumer’s personal information within the 90 days preceding the request.

View more

3. Requests to search records declined under certain conditions

Businesses may decline to search certain records in response to right-to-know requests if the business meets these four conditions

  1. It does not maintain personal information in a searchable or reasonably accessible format
  2. It maintains the personal information only for legal or compliance purposes
  3. It does not sell the information or use it for a commercial purpose
  4. It describes to the consumer the categories of records not searched because it satisfied the three conditions above.

View more

4. Unverified requests to delete no longer treated as opt-out requests

The new requirements eliminate the obligation to treat unverified deletion requests as an opt-out request. Instead, if a business engaging in the sale of personal information cannot verify the identity of the individual submitting the request for deletion, the business must ask the consumer if they would like to opt out. Additionally, if a business denies a request to delete information and the consumer has not already submitted a request to delete, the business must inform the consumer of their right to opt out of the sale of their personal information.

View more

5. Just-in-time notices required for mobile

The modified draft includes a specific focus on data collection involving mobile technology. Now, when a business uses an atypical or unexpected method to gather personal information from a consumer’s mobile device, like a flashlight application that collects geolocation data, the business must provide just-in-time notice detailing the type of personal information being collected. Studies suggest that about 70% of mobile applications collect such information, ranging from weather apps to navigation to music sharing services.

View more

6. Biometric data now covered under data not to be disclosed in a “Right to Know” request

Biometric data is now on the list of data categories that organizations shall not disclose in response to a “Right to Know” request, along with data such as a consumer’s Social Security number, driver’s license number, health insurance or medical identification numbers, or any other government issued identification number. Biometric data is increasingly used in many applications and services, and is collected from facial recognition, fingerprint scanners, iris recognition, hand geometry and tracking behaviors like keystrokes. The business must inform consumers with sufficient particularity that it collects this data, but must not disclose the actual data collected (e.g., actual fingerprint scan, Social Security number, medical identification number, etc.).

View more

Bottom line

Companies that are serious about protecting their consumers’ data and privacy will want to comply with unfolding CCPA requirements in a speedy and efficient manner, and at scale. Centralized data on regulations, tied to an organization’s specific business processes, can help the organization quickly visualize how the latest changes in CCPA requirements translate into necessary operational changes.

Contact us

Jay Cline

Jay Cline

US Privacy Leader, Principal, PwC US

Follow us