4 Minute Read | September 28, 2020

CCPA Privacy Law Regulations Have Been Expanded

Here’s What’s Changed & How to Comply

Updated: Sept. 28, 2020
Originally Published: Aug. 6, 2020

While many of us have been busy trying to figure out what to watch next on Netflix, the California Attorney General (AG) has been busy moving the California Consumer Privacy Act (CCPA) forward. 

On June 1, the California AG submitted the final regulations for the CCPA. These regulations are an extension of the original law. In addition to publishing the new regulations, starting July 1 the California AG began enforcing the original version of the CCPA.

Now that enforcement is in full swing, you’ll want to ensure your business is compliant with the CCPA’s full scope. While many people are familiar with the initial requirements, the proposed final regulations add additional steps for compliance. 

Overview of Updates to the Original CCPA Law

Here are just a few of the takeaways from the newly proposed additions: 

1. Notices to Consumers

Including the required CCPA notices in your privacy policy isn’t the only notice you’re required to provide. Now, you must provide notice at the point of collection. 

Your point-of-collection notice should include the categories of personal information (PI) that are being collected and the business purpose for them. This notice must be simple and free of legal jargon, and it must also be compliant with WCAG 2.1 accessibility guidelines. You may link to your privacy policy as part of the notice at the point of collection, but the link must go to the section that directly applies to the data you’re collecting.

2. Privacy Policy

The new regulations also provide a broader definition of what information needs to be included in a company’s privacy policy, such as:

  • The Right to Know About Personal Information Collected, Disclosed, or Sold
  • The Right to Request Deletion of Personal Information
  • The Right to Opt-Out of the Sale of Personal Information
  • The Right to Non-Discrimination for the Exercise of a Consumer's Privacy Rights 
  • How Authorized Agents make requests
  • A contact for consumers with questions
  • The date the privacy policy was last updated

3. Handling Consumer Requests

The original CCPA law laid out several requirements for businesses when collecting and processing consumer information. One of the first significant changes is that companies that operate exclusively online will now only be required to provide an email address for consumers who wish to submit requests. This change removes the requirement of the toll-free phone number for online-only businesses. The regulations also clarify how to select the methods by which users submit requests and how to manage incorrectly submitted requests.

Once these new regulations become law, companies will need to respond to requests within 10 business days. Responses must include confirmation of receipt of the request and provide an overview of what the requester can expect for the remainder of the process. Also included in the new regulations is additional definition around internal training and record keeping.

The full list of regulations totals 29 pages and provides much-needed clarification on the original text of the law. In addition to the 29 pages of regulations, the AG also published a final version of the Statement of Reasons. This document outlines the thinking behind the development and changes to the regulations.

What to Do if You’re Not Yet CCPA Compliant

If you haven’t begun the process of CCPA compliance yet, don’t panic! You’ll want to start as soon as possible, though. The best place to begin is to work with your legal team to understand if your organization is required to comply with the law. Remember, just because your business doesn't operate out of California doesn’t mean it’s exempt from CCPA compliance. 

If your company is required to comply with the law, you’ll want to perform an audit of how you collect and store personal information. Your audit should include data that comes in via your website and other channels, as well. (Here are some additional steps we recommend you take.)

Once you’ve completed your audit, you’ll need to establish and document processes around responding to and receiving requests. Your processes will need to extend to any third parties with whom you share or sell information. 

Now that you have processes in place and your team is thoroughly trained, you’ll need to update your website to support your processes. First, you’ll need to implement methods for allowing users to opt out of data collection. Online data privacy tools can go a long way in helping with this. Remember, you’re required to receive consent at the point of data collection. In addition to adding opt-out methods, you’ll need to update your privacy policy to inform users of their rights.

Final Thoughts

As more data privacy laws are passed, companies will need to understand what data they’re collecting and how to respond when consumers exercise their rights. While every privacy law requires slightly different compliance steps (and will likely continue to do so for the foreseeable future), the first step to take toward compliance with any privacy law is an audit of your data.

If you need help with a website data audit, choosing or implementing online privacy compliance tools, or even just advice on the best way to achieve online compliance, don’t hesitate to contact us. We’ve worked through many online CCPA and other privacy regulation compliance projects with our clients and are happy to help!

Authored By

Brett Smoot

Digital Account Director
