{"id":2894,"date":"2020-08-18T11:20:00","date_gmt":"2020-08-18T17:20:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&#038;p=2894"},"modified":"2024-12-12T13:08:13","modified_gmt":"2024-12-12T19:08:13","slug":"ccpa-regulations-take-effect","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/ccpa-regulations-take-effect\/","title":{"rendered":"CCPA Regulations Take Effect"},"content":{"rendered":"\n\n\t<section id=\"block_6eaa406a2d109eabe35eb8dbf6966a5f\" class=\"columns-content\">\n\t\t<div class=\"container\">\n\t\t\t<div class=\"left\">\n\t\t\t\t\t\t\t<\/div>\n\t\t\t<div class=\"middle\">\n\t\t\t\t<div class=\"content\">\n\t\t\t\t\t<h2>Final CCPA regulations approved and now effective immediately<b><br \/>\n<\/b><\/h2>\n<p>On August 14, 2020, the California Office of the Attorney General (\u201cOAG\u201d) sent out a notice that the final CCPA regulations have been approved by the California Office of Administrative Law (\u201cOAL\u201d) and filed with the California Secretary of State.<b><\/b><\/p>\n<p><b>Effective immediately, all organizations subject to CCPA statutes must comply with both the statutes and the regulations.<\/b><\/p>\n<p>In the\u00a0<a href=\"https:\/\/oag.ca.gov\/sites\/all\/files\/agweb\/pdfs\/privacy\/addendum-fsor.pdf\"><i>Addendum to Final Statement of Reasons<\/i><\/a>, the OAG noted several changes from the version of the draft regulations submitted on June 1, 2020 to the OAL.<\/p>\n<p>The changes were described as \u201cnon-substantive\u201d as the OAG deemed them not to materially change \u201cthe requirements, rights, responsibilities, conditions, or prescriptions\u201d contained in the June 1, 2020 version.<\/p>\n<p>Some of the changes do, however, appear to change the requirements for businesses subject to the withdrawn provisions as described below:<b><\/b><\/p>\n<ul>\n<li><b>Effect of withdrawn provision \u00a7 999.305(a)(5)\u00a0<\/b>\u2013 Businesses will not be required to directly contact consumers and obtain explicit consent if they plan on using their personal information for purposes that are materially different than those disclosed in the privacy notice at the time of collection.<\/li>\n<li><b>Effect of withdrawn provision \u00a7 999.306(b)(2)\u00a0<\/b>\u2013 Businesses that primarily interact with consumers offline will not be required to provide notice of their right to opt-out of the sale of their personal information using an offline method.<\/li>\n<li><b>Effect of withdrawn provision \u00a7 999.315(c)\u00a0<\/b>\u2013 The provision that was withdrawn (1) required that a business\u2019s opt-out method be \u201ceasy for consumers to execute,\u201d and \u201crequire minimal steps to allow the consumer to opt-out,\u201d and (2) prohibited using a method that intended or had the substantial effect of \u201csubverting or impairing\u201d a consumer\u2019s decision to opt-out.\u201d The withdrawal of these requirements does not mean, however, that a business may have a convoluted opt-out method or one that is designed or has the effect of subverting or impairing a consumer\u2019s decision to opt-out.<\/li>\n<li><b>Effect of withdrawn provision \u00a7 999.326(c)<\/b>\u00a0\u2013 Businesses may deny requests from authorized agents who do not provide signed written permission from the consumer demonstrating they have been authorized to act on the consumer\u2019s behalf. The withdrawn \u00a7 999.326(c) would have permitted businesses to deny requests from authorized agents who did not submit \u201cproof\u201d of the authorization, but\u00a0the regulations specify in other sections what is specifically required as a method proof, including signed written authorization.<\/li>\n<\/ul>\n<h2>What has changed since the CCPA regulation went into effect?<\/h2>\n<p>Though \u201cnon-substantive\u201d changes were made between the June 1, 2020 draft regulations and the August 14, 2020 final regulations, a lot has changed since the CCPA statutes went into effect on January 1, 2020.<\/p>\n<p>With the CCPA regulations now enforced, here are some important takeaways organizations subject to CCPA statutes will need to make note of:<\/p>\n<h3>Accessibility<\/h3>\n<ul>\n<li>Notices provided online must follow generally recognized industry standards for accessibility, like the\u00a0<a href=\"https:\/\/www.w3.org\/TR\/WCAG21\/#intro\">Web Content Accessibility Guidelines (WCAG) version 2.1<\/a>.<\/li>\n<li>Notices must be easy to read and understand, using plain, straightforward language.<\/li>\n<li>Notices must be available in the languages in which the business ordinarily provides information to consumers.<\/li>\n<\/ul>\n<h3>Notice<\/h3>\n<ul>\n<li>Notice must be given at or before the time of personal information collection or a business may not collect personal information from a consumer.<\/li>\n<li>Businesses may not collect categories of personal information not disclosed in its notice.<\/li>\n<\/ul>\n<h3>Individual rights requests<\/h3>\n<ul>\n<li>Confirmation of requests to know or request to delete must occur within 10 business days, and businesses must provide a description of the identity verification process.<\/li>\n<li>Businesses must respond to requests to know and requests to delete within 45 calendar days of receipt. If identity cannot be verified within 45 calendar days, the request may be denied.<\/li>\n<li>Businesses may take an additional 45 calendar days to respond to a request to know or request to delete if necessary (for a total of 90 calendar days) if it provides notice and an explanation for the time extension.<\/li>\n<li>Certain types of personal information may never be disclosed, including for example, Social Security numbers, driver\u2019s license numbers, financial account numbers, health insurance or medical identification numbers, and account passwords.<\/li>\n<li>Exceptions to complying with a request to delete include personal information on archived or back-up systems (unless and until the information is restored), deidentified personal information, or aggregated consumer information.<\/li>\n<li>Records of consumer requests, including responses, must be kept for at least 24 months.<\/li>\n<\/ul>\n<h3>Requests to opt-out of the sale of personal information<\/h3>\n<ul>\n<li>Businesses must comply with a request to opt-out within 15 days.<\/li>\n<li>Requests to opt-out needs not be verified.<\/li>\n<li>Browser plug-ins or privacy settings must be considered a valid request to opt-out.<\/li>\n<li>If a consumer who has opted out of the sale of personal information requests to opt-in, the business must use a two-step process requiring (1) a clear request to opt-in and (2) a separate step to confirm the choice to opt-in.<\/li>\n<\/ul>\n<h3>Identity verification<\/h3>\n<ul>\n<li>Businesses are required to have a more stringent identity verification process for requests concerning high risk personal information.<\/li>\n<li>Businesses must avoid collecting new personal information for the purpose of identity verification where possible.<\/li>\n<li>Authentication through an online account may be used to verify identity, though a business must require re-authentication before disclosing or deleting a consumer\u2019s data.<\/li>\n<\/ul>\n<h3>Financial incentive programs<\/h3>\n<ul>\n<li>Businesses offering financial incentives, including price and service differences, related to the collection, deletion, or sale of personal information must provide in its notice:\n<ul>\n<li>A summary and description of terms of the financial incentive and the value of the consumer\u2019s personal information.<\/li>\n<li>An explanation of how the incentive is reasonably related to the value of the consumer\u2019s data.<\/li>\n<li>A good faith estimate of the value of the consumer\u2019s data that serves as the basis for offering the financial incentive and a description of the method used to calculate the value of the consumer\u2019s data.<\/li>\n<\/ul>\n<\/li>\n<li>Businesses offering financial incentives must provide instructions for opting in to the incentive and for withdrawing from it.<\/li>\n<li>Except in the case of offering financial incentives, businesses may not discriminate against consumers for exercising their rights under the CCPA or the regulations.<\/li>\n<\/ul>\n<p><strong>These are only some of the important takeaways from the regulations.<\/strong>\u00a0If your business is subject to the CCPA,<a href=\"https:\/\/www.oag.ca.gov\/sites\/all\/files\/agweb\/pdfs\/privacy\/oal-sub-final-text-of-regs.pdf\" target=\"_blank\" rel=\"noopener\">\u00a0<strong>it is important to know the requirements<\/strong><\/a>. With both the CCPA statutes and regulations now in effect, prioritizing compliance elements is key.<\/p>\n<p>Companies are understandably in varying stages of preparedness.<\/p>\n\t\t\t\t\t\t\t\t\t<div class=\"question-box-multiple\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box bg-dark\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/icon_Online-Privacy_Small.svg\" class=\"attachment-full size-full\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>Nymity Research<\/h4>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<p>Get detailed insights, tools, and templates to help you manage the CPA and other regulations.<\/p>\n<a href=\"https:\/\/trustarc.com\/free-trial\/nymity-research\/\" class=\"cta\">Start today<\/a>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box bg-dark\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/icon_Update_Small.svg\" class=\"attachment-full size-full\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>Automate Your Privacy Program<\/h4>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<p>Centralize privacy tasks, automate your program, and seamlessly align with laws and regulations.<\/p>\n<a href=\"https:\/\/trustarc.com\/products\/privacy-data-governance\/privacycentral\/\" class=\"cta\">Learn more<\/a>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t\t<div class=\"right sm\">\n\t\t\t\t<div class=\"share-it\">\n\t\t\t\t\t<strong class=\"title block uppercase\">Follow us<\/strong>\n\t\t\t\t\t<div class=\"soc-list\">\n\t\t\t\t\t\t<a href=\"https:\/\/www.linkedin.com\/company\/trustarc\/\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/li-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"\nhttps:\/\/twitter.com\/TrustArc\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/tw-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"javascript:;\" id=\"copy-url\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/link-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<span class=\"copied\" style=\"display:none;\">Link Copied!<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<div class=\"key-topics\">\n\t\t\t\t\t\t<strong class=\"title block uppercase\">Key Topics<\/strong>\n\t\t\t\t\t\t<ul>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/ccpa-cpra\/\" class=\"badge\">CCPA\/CPRA<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/us-consumer-privacy-laws\/\" class=\"badge\">US Consumer Privacy Laws<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<div class=\"cta-area\">\n\t\t\t\t\t<p>Get the latest resources sent to your inbox<\/p>\n\t\t\t\t\t<a href=\"\/subscription-center\/\" class=\"cta\">Subscribe<\/a>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/section>\n\t","protected":false},"excerpt":{"rendered":"<p>Final CCPA regulations have been approved by the California Office of Administrative Law and are effective immediately, all organizations subject to CCPA statutes must comply with the statutes and the regulations.<\/p>\n","protected":false},"featured_media":1689,"template":"","topic-resource":[75,114],"type-resource":[6],"class_list":["post-2894","resource","type-resource","status-publish","has-post-thumbnail","hentry","topic-resource-ccpa-cpra","topic-resource-us-consumer-privacy-laws","type-resource-articles"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.4 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>CCPA Regulations Take Effect | TrustArc<\/title>\n<meta name=\"description\" content=\"Final CCPA regulations have been approved by the California Office of Administrative Law and are effective immediately, all organizations subject to CCPA statutes must comply with the statutes and the regulations.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/trustarc.com\/resource\/ccpa-regulations-take-effect\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/ccpa-regulations-take-effect\\\/\",\"url\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/ccpa-regulations-take-effect\\\/\",\"name\":\"CCPA Regulations Take Effect | TrustArc\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/ccpa-regulations-take-effect\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/ccpa-regulations-take-effect\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-plus-gray.png\",\"datePublished\":\"2020-08-18T17:20:00+00:00\",\"dateModified\":\"2024-12-12T19:08:13+00:00\",\"description\":\"Final CCPA regulations have been approved by the California Office of Administrative Law and are effective immediately, all organizations subject to CCPA statutes must comply with the statutes and the regulations.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/trustarc.com\\\/resource\\\/ccpa-regulations-take-effect\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/ccpa-regulations-take-effect\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-plus-gray.png\",\"contentUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-plus-gray.png\",\"width\":610,\"height\":152},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\",\"url\":\"https:\\\/\\\/trustarc.com\\\/\",\"name\":\"TrustArc\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/trustarc.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"CCPA Regulations Take Effect | TrustArc","description":"Final CCPA regulations have been approved by the California Office of Administrative Law and are effective immediately, all organizations subject to CCPA statutes must comply with the statutes and the regulations.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustarc.com\/resource\/ccpa-regulations-take-effect\/","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustarc.com\/resource\/ccpa-regulations-take-effect\/","url":"https:\/\/trustarc.com\/resource\/ccpa-regulations-take-effect\/","name":"CCPA Regulations Take Effect | TrustArc","isPartOf":{"@id":"https:\/\/trustarc.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustarc.com\/resource\/ccpa-regulations-take-effect\/#primaryimage"},"image":{"@id":"https:\/\/trustarc.com\/resource\/ccpa-regulations-take-effect\/#primaryimage"},"thumbnailUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-plus-gray.png","datePublished":"2020-08-18T17:20:00+00:00","dateModified":"2024-12-12T19:08:13+00:00","description":"Final CCPA regulations have been approved by the California Office of Administrative Law and are effective immediately, all organizations subject to CCPA statutes must comply with the statutes and the regulations.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustarc.com\/resource\/ccpa-regulations-take-effect\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/trustarc.com\/resource\/ccpa-regulations-take-effect\/#primaryimage","url":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-plus-gray.png","contentUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-plus-gray.png","width":610,"height":152},{"@type":"WebSite","@id":"https:\/\/trustarc.com\/#website","url":"https:\/\/trustarc.com\/","name":"TrustArc","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustarc.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource\/2894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource"}],"about":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/types\/resource"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media\/1689"}],"wp:attachment":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media?parent=2894"}],"wp:term":[{"taxonomy":"topic-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/topic-resource?post=2894"},{"taxonomy":"type-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/type-resource?post=2894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}