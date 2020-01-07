The California Consumer Privacy Act (CCPA), California Civil
Code §1798.100 and following, does not in itself outline
specific training and record-keeping requirements that demonstrate
business compliance with consumer requests. However, in October
2019, the California attorney general proposed additional CCPA
Regulations intended to guide the application of the CCPA, and
Section 999.317 of the proposed Regulations aims to detail what
additional behaviors (such as training) and records are required
under the CCPA for consumer requests.
Specifically, the proposed Regulations require that the individuals who
handle inquiries about a business's privacy practices or CCPA
compliance be trained in all aspects of the CCPA, including the
proposed Regulations themselves. This expands the narrower statutory
requirement, which only required those individuals to be informed of
certain applicable sections of the CCPA. The training must also cover
how to explain to consumers the ways in which they can exercise their
CCPA rights (which would in turn incorporate the rights set out in the
proposed Regulations). To accomplish this, a business would need to
develop, document and follow a CCPA training policy.
To demonstrate compliance with the CCPA and the proposed
Regulations, the proposed Regulations also specify record-keeping
requirements; the required documentation may not be used for any
other purpose. In short, affected businesses must document every
CCPA-related consumer request received and every response to such a
request. The records can be kept in various formats (including a
ticket or log system) but must include the following:
- The request date
- The nature of the request (e.g., deletion, opt-out)
- How the request was made (e.g., in person, online)
- The response date
- The nature of the response (e.g., complied, denied, partially denied)
- If denied, the reason for denying the request
Helpfully, according to the initial statement of reasons explaining
the proposed Regulations, maintaining these required records does not
itself violate the CCPA, provided the information is not used for any
other purpose. Businesses are also not required to retain any other
information for the purpose of demonstrating compliance with
CCPA-related consumer requests.
The stated goal of the attorney general is to balance the need
to prove compliance with the need to delete personal information
upon request. The proposed Regulations aim to minimize the amount
of data businesses need to keep in order to show compliance and to
prevent businesses from using record-keeping as an excuse to avoid
deletion obligations. Although the consumer request records discussed
above need only be retained for a minimum of 24 months, the statute
of limitations for CCPA enforcement may be as long as four years, so
businesses may wish to retain these records for a longer period.
While this certainty is welcome, the proposed Regulations do place an
additional burden on businesses that handle large quantities of
California consumers' personal information. Businesses that annually
buy, receive for commercial purposes, sell or share for commercial
purposes the personal information of more than 4 million California
consumers must additionally compile annual metrics showing the number
of CCPA-related consumer requests received, complied with (in whole or
in part) and denied, as well as the median number of days the business
took to respond. These metrics must be compiled separately for
requests to know, requests to delete and requests to opt out. The
figures must then be disclosed either in the annual update of the
business's privacy policy or in a separate posting on its website that
is linked from the privacy policy.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.