California’s data privacy rules get clearer

February 16, 2020   Big Data

On Friday, February 7, the California Office of the Attorney General (CAG) published a “notice of modifications” to the California Consumer Privacy Act (CCPA), followed by an update on Monday, February 10. Although the CCPA is now law, the rulemaking process is still ongoing, with a final draft of the law expected sometime before the anticipated enforcement date of July 1, 2020. The CAG is now accepting public comments on these proposed modifications until Tuesday, February 25.

While the latest update doesn’t provide us with the final regulations, it offers much needed clarity in several key areas.

1. The scope of data & businesses subject to CCPA processes is clearer

One of the critical lessons from December’s CCPA hearings was that the law required further clarification on terms essential to the operationalization of the CCPA. This month’s updates do a decent job of alleviating some of the uncertainty by providing definitions, examples, and additional clarifying language. Some highlights include:

Clarification on the definition of “personal information.” A new section titled “Guidance Regarding the Interpretation of CCPA Definitions” (§ 999.302) has been created. Currently, there’s only one subsection (a), which defines what qualifies as personal information (PI) under the CCPA using IP addresses as an illustration. The key takeaway is that whether data is classified as PI depends on whether it is — or can be — linked to a consumer or household. Given the title of the section, other terms may be clarified in this fashion at a later point.

New communication methods for accepting data requests are specified. Section 999.312, “Methods for Submitting Requests to Know and Requests to Delete,” now clarifies that businesses should consider making consumer requests for data available through “the methods by which it primarily interacts with consumers.” Subsection (a) states that online-only businesses need only provide an email for customers to submit requests to know. The language around how to accept delete requests, however, remains largely the same.

Exclusions now exist for fulfilling consumer requests to know. New language in subsection (c) of § 999.313, “Responding to Requests to Know and Requests to Delete,” excludes businesses from having to search for PI to fulfill a consumer request for data if several conditions are met. The business must not maintain the PI in a searchable or reasonably accessible format, and the PI must only be maintained for legal or compliance purposes. Finally, the business cannot sell the PI or use it for commercial purposes. If a business informs consumers of these reasons, then it can be exempt from having to include PI meeting these conditions within a consumer request for data.

Explicit details now exist for how service providers can use PI. Section 999.314 (Service Providers) goes into greater detail about what any entity defined as a service provider can and cannot do with PI. Specifically, subsection (c) has been completely rewritten to list five exceptions where service providers are permitted to retain, use, or disclose personal information. One of the exceptions allows service providers to use data to improve the quality of their services or clean and augment data.

In addition to these highlights, the proposed changes also elaborate on the scope of the CCPA as it applies to entities like authorized agents, who can make requests on a consumer’s behalf, as well as data brokers and other third parties.

2. We now have more details on how opt-out requests and do not track will work

New language in § 999.315, “Requests to Opt-Out” suggests that regulators intend for consumer opt-out requests to be as painless as possible. Subsection (c) seems to be worded explicitly to address the problem of UX “dark patterns” within privacy controls, stating “… a business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.” Given that dark patterns are suspected of helping companies circumvent parts of the GDPR, the new CCPA subsection makes sense, though it’s not clear how it’ll be enforced.

Additionally, subsections (d)(1) and (d)(2) discuss the role that global privacy controls, such as browser settings like do not track, will play in opt-out requests. Privacy controls that function in accordance with the CCPA are to be treated as opt-out requests, even in the instance they conflict with a consumer’s business-specific settings. Businesses, however, may notify consumers of the conflict and how it might impact their service.

3. The rules on how to provide consumer notices have new detail

The CCPA requires that companies inform consumers about company practices as well as customers’ rights at specific points in the customer’s interaction. The new modifications have specified that online CCPA-required notices should follow industry-recognized accessibility standards like the Web Content Accessibility Guidelines, version 2.1.

Sections for specific notices, like the notice at collection of personal information (§ 999.305) and the notice of right to opt-out of sale (§ 999.306), now include details about where notices should be displayed. For example, the modifications in § 999.305 (4) state that if PI collection happens in a mobile application for a purpose not reasonably expected by a consumer, a “just-in-time” notice with a summary of the collected PI should be provided. Modifications in § 999.306 say that opt-out notices within mobile applications may be provided through a link in the application’s settings menu. For a more thorough understanding of how notice requirements have changed, organizations should take a deeper look at these sections.

What’s next for privacy compliance?

From now until February 25, the CAG will be accepting comments on the current round of CCPA modifications via email or mail. From there, we’ll likely see the process for the final rulemaking record begin. Once the AG prepares the final rulemaking record and the Final Statement of Reasons, these will be submitted to the Office of Administrative Law (OAL) for approval. After 30 working days, the OAL will decide whether to approve the record. If approved, the final record will go to the California Secretary of State. All of this will likely take place sometime before July 1, leaving any stragglers with little time to make significant changes.

Although the CCPA is currently on everyone’s mind, the California law is merely a bellwether of an emerging change taking place within the compliance landscape. Beyond the CCPA, organizations should watch for The California Privacy Rights Act of 2020 (CalPRA), dubbed “CCPA 2.0.” The group Californians for Consumer Privacy is hoping to get the act on November’s ballot. Nebraska, New York, and a handful of other states also seem intent on joining California in implementing privacy legislation. Finally, developments in other countries — India, for example — illustrate how the demand for privacy legislation is growing abroad.

Privacy compliance does seem to be a trend that’s here to stay. Organizations that take the time to thoroughly ensure CCPA compliance today will likely have the systems in place needed to ensure compliance with future legislation.

Michael Osakwe is a tech writer and Content Marketing Manager at Nightfall AI.

Big Data – VentureBeat
