California’s Sweeping Privacy Act Has Lookback Provisions

A blog on the threat stack site provides an overview of California’s Consumer Privacy Act (CCPA), passed on June 28, 2018 with the goal of increasing transparency, access, and control over a consumer’s personal information and stipulating considerable penalties to organizations for infringement of the Act’s provisions. Although its effective date is January 1 2020, the author notes that compliance requires immediate attention to ensure that accurate data registers are in place and contain a years’ worth of data collection, selling, and disclosure activities on the go-live date. Within 45 days of receiving a request an enterprise must deliver information free of charge to a consumer, including: Personal information collected in the preceding 12 months in certain categories referenced elsewhere in the CCPA; Personal information that the business sold in the preceding 12 months; Personal information that the business disclosed for a business purpose in the preceding 12 months. Additionally, the author suggests being aware of the date that California’s attorney general can enforce the law, which is six months after the publication of the final regulations or July 1, 2020, whichever is sooner. Publication is dependent on the timeline for issuing adoption and implementation guidance to the Act’s requirements.