
TAG Cyber Law Journal

February 2020
CyberInsecurity News has merged with TAG Cyber. We will continue to bring you news lawyers and their colleagues need to know, only now as part of a growing leader in this exciting field. 
The law took effect in January, but enforcement won’t begin until July.
The California Consumer Privacy Act (CCPA) took effect on New Year’s Day. Right on time. But the California attorney general has not yet issued regulations. Those will not go into effect until July 1, which leaves many companies under the law’s jurisdiction with questions. And the companies aren’t limited to those located in California. The law applies to all businesses that collect data from at least 50,000 California consumers.
     Scott Pink has been advising clients on this subject. Pink is special counsel in O’Melveny & Myers’ Silicon Valley office, and a member of its Data Security and Privacy practice group. He and his partners have prepared an online CCPA Toolkit for companies, which is an excellent resource. He recently took time out to answer our questions.

TAG Cyber Law Journal: Has anything about the rollout of the CCPA surprised you?
Scott Pink: I was expecting final regulations to be issued before the effective date.

TCLJ: Enforcement won’t begin until July 1. What will be clarified then?
SP: The attorney general will likely issue regulations before the July 1 enforcement date, which should assist in clarifying how the CCPA will be applied. However, enforcement activity by the attorney general will provide further clarification on how it will interpret various provisions of the law and what it considers to be compliance.

TCLJ: What do you expect the AG’s approach to enforcement will be?
SP: I expect the AG to initially focus on the most egregious violators, depending on the volume of complaints that are filed.

TCLJ: Are there unanswered questions that you expect will only be answered after July 1? If so, what are some examples?
SP: This is difficult to answer, because the final regulations have not yet been issued. One area that may be clarified is the scope of what is required when a consumer asks for specific pieces of information.        

TCLJ: You told us that some aspects of the law are straightforward, and others are complicated and ambiguous. Can you provide examples?
SP: The timing by which requests must be responded to is pretty straightforward. How to verify a consumer request remains ambiguous, particularly when a company does not have many data points about that consumer. Also, the scope of what is required when responding to a request for specific pieces of information is unclear, given that the definition of personal information is quite broad.

TCLJ: What data is subject to the law? What data is not?
SP: Generally speaking, “personal information” is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. There are a number of exceptions, including publicly available information and de-identified and aggregate information.  

TCLJ: What are some of the tricky issues you’ve been grappling with?
SP: I think verification of consumer requests is a bit tricky, when you have a relatively limited data set and perhaps want to avoid getting more personal information. Another area that has yet to be clarified is responding to requests made by “authorized agents.” Businesses need to be careful to confirm that the agent has actually been authorized to make the request and receive the information.
     For deletion requests, businesses have the right to keep information for a variety of specified reasons in the law. When a deletion request is made, a company will need to review the data they have and then determine which data can and should be retained before responding to the request.

TCLJ: Are there any fuzzy lines concerning who is subject to the law?
SP: The law has a specific definition of what “businesses” are subject to the law. But the application of that definition could be a challenge in certain circumstances. For example, one of the questions is the extent to which the CCPA applies to various companies in a corporate group. That needs to be determined by applying the CCPA’s definition of “control.”

TCLJ: Can companies be held accountable for violations of the law before July 1?
SP: The law indicates that it takes effect on January 1, but it is still uncertain the extent to which the attorney general will seek remedies for violations prior to July 1, particularly given that final regulations have not yet been issued.

TCLJ: Is there general advice that would be useful for all companies under the CCPA’s jurisdiction to consider?
SP: They should conduct a data inventory to understand what personal information they are collecting and establish a process for updating their policies and procedures as products are developed and data collection practices evolve. This is not a static one-time process, but a continuing ongoing obligation.