Update on the operational impact of CCPA

Start adding items to your reading lists:
Save this item to:
This item has been saved to your reading list.

Do you need to give a recap to your stakeholders of the new CCPA regulations but don’t have the time to sift through dense reading? Use this summary for your talking points.

The California Attorney General (AG) released proposed rulemakings in early October clarifying a range of topics in the landmark California Consumer Privacy Act (CCPA). The AG is now taking public comments on the draft through December, coinciding with the conclusion of several public hearings on the rulemakings.

Explore further

If all the rules are codified as written, companies subject to CCPA are likely to be most affected by these seven proposed CCPA regulations.

1. Treating a rebuffed deletion request as a "do not sell" request

Many companies have been struggling with how to verify the identity of people who have not previously established accounts with them and who present themselves with a CCPA request. The new rules just complicated their plans: “For requests to delete, if a business cannot verify the identity of the requestor pursuant to the regulations set forth in Article 4, the business may deny the request to delete. The business shall inform the requestor that their identity cannot be verified and shall instead treat the request as a request to opt-out of sale. (§ 999.313(d)(1)” Businesses affected by this requirement will need to figure out how to convert a potentially wide array of digital identities not meeting minimum authentication standards into identities robust enough to prevent their data from being ‘sold’. This requirement could require for large corporations, for example, a central control of third-party cookies on various brand websites to be integrated with a consumer identity-management platform.

View more

2. Calculating the value of personal data

This rule, if finalized as written, will bring together marketing and privacy leaders like never before. It says businesses “shall use and document a reasonable and good faith method for calculating the value of the consumer’s data” (§ 999.337) and provides a number of examples that could meet their criteria. Businesses will need to formalize their consumer-data strategies and a corresponding financial model for which there are few industry standards.


View more

3. Giving a notice of financial incentive for data retention or sale

Businesses will now need to “explain to the consumer each financial incentive or price or service difference a business may offer in exchange for the retention or sale of a consumer’s personal information” (§ 999.307). Businesses operating loyalty programs or other incentives for data collection will need to adopt a new level of transparency that may affect both consumer perceptions as well as their competitive positioning.

View more

4. Record-keeping requirements for businesses that receive or buy personal information

A business that alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 or more consumers…” (§ 999.317(g), shall be required to maintain statistics on the number of requests received, responded to, and number of days the response was provided in, and include these statistics in its privacy policy or its website. Tracking and reporting these metrics could require a new level of ongoing oversight of a company’s supply chain and create a new level of transparency affecting competitive positioning.

View more

5. Attestations for the sale of personal information

Businesses that intend to sell personal information that was not obtained directly from a consumer must “obtain signed attestations from the source describing how the source gave the notice at collection and including an example of the notice. Attestations shall be retained by the business for at least two years and made available to the consumer upon request.” (§ 999.305(d)(2)(b) Business that extract value from client or partner data and do not collect information directly from consumers—such as data brokers, credit-reporting agencies, and re-insurers—may be required to revisit their data collection and consent processes.

View more

6. Opt-out notification to third parties

Upon receiving an opt-out request from a consumer, businesses are required to notify all third parties to whom they have “sold the consumer’s personal information within the prior 90 days” (§ 999.315(f) that the consumer has exercised their right to opt-out. This notification must instruct third parties to stop the sale of the consumer’s information and businesses must also inform the consumer when this notification has been provided. Businesses involved in ‘data selling’ will need to maintain meticulous personal information inventories using time thresholds not typically tracked in order to meet this 90-day timeline.

View more

7. Training individuals responsible for handling consumer inquiries

All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA shall be informed of all the requirements in the CCPA and these regulations and how to direct consumers to exercise their rights under the CCPA and these regulations.” (§ 999.317(a) Businesses preparing for large volumes of requests will be most impacted, as they will now have to train their workforce on CCPA requirements.

View more

Not all of the proposed rules would negatively impact a company’s business operations. On the positive side, businesses that were concerned about producing and manually redacting raw data to complete CCPA data-subject access requests will breathe a sigh of relief. The new rules allow for data-subject access reports to only specify the categories of information collection, use, and selling for an individual or household, not the actual raw data, if the disclosure of raw data would create significant risk. A multi-layered approach can also be used for fulfilling data-subject access requests—using one approach, for example, for sensitive consumer data, and another for non-sensitive data.

Three other proposals will be welcomed by businesses. The proposed rules clarify that if your business does not ‘sell’ personal data, it does not need to provide a ‘do not sell’ button or link on its website. In addition, the new rules clarify that de-identifying or aggregating personal information can be sufficient in meeting the CCPA’s deletion requirements. This clarification will be welcomed by businesses as they will continue to be able to use such information for business intelligence, analytics, and marketing purposes. Finally, the rules clarify that all members of a household would need to agree on a CCPA data-subject request before it could be fulfilled, a high standard for the requestor likely to reduce these complex requests.

With no time between the release of the final rules and the beginning of consumers trying to exercise their new CCPA rights, companies will need to decide if they design to these new requirements as-is or be ready to pivot quickly in January.

With research and contributions from Jake Meek, Smita Baliga, Manuj Lal, Michael Budnevich, and Hillary Cook.

Contact us

Jay Cline

Jay Cline

US Privacy Leader, Principal, PwC US

Follow us