Upcoming effective date of the CCPA
8 July, 2020
Given the proximity of the effective date of the CCPA, if you are a California provider of services that may be involved in processing the personal information of California residents, it is important that you review and adjust your processes. You should also be aware of the California Privacy Rights Act (“CPRA”), which shall be submitted for approval in the November election this year.
On June 2, 2020, California Attorney General Xavier Becerra filed with the California Office of Administrative Law the final proposed regulation of the California Consumer Privacy Act (CCPA), which is intended to clarify and provide interpretive guidance regarding the regulation. He also requested an expedited review in order to comply with the July 1, 2020 deadline.
However, the effective date of the CCPA is not yet fully settled, because the Office of Administrative Law has 30 business days to issue its decision, with the possibility of adding 60 more calendar days. The most likely date is October 1, 2020, because regulations filed with the Office of Administrative Law between June 1 and August 31 usually become effective on that date. Even so, the commitment expressed by the Attorney General to apply the regulations as of July 1, 2020 and the request for expedited review must be considered.
Although the effective date has not yet been defined with certainty, certain aspects have not been resolved and should be borne in mind, such as:
- The possibility that the Attorney General may establish exceptions to trade secrets and intellectual property rights, when the right to information is exercised by the data owners, which contradicts the California and federal regulations that protect these rights.
- Whether or not the IP address should be considered as personal data.
- Considering the importance of predictive models today, the CCPA and the Attorney General’s statement do not resolve the issue related to profiling services, especially considering that it indicates that these providers may not use personal information acquired on behalf of one company to provide services to another company, i.e. for commercial purposes.
- There is still confusion as to when prior notice would be required where the company does not directly collect personal information and/or has registered as a data provider, which would leave it to the Attorney General’s interpretation to qualify the lack of notice of indirect collection as an infringement.