The CCPA 12-Month Look Back Requirement: What it Means For You
Under the CCPA, organizations are required to provide records covering the 12-month period preceding the date of the request, which is known as the "look back" requirement.
Eliza Crawford · August 30, 2019
The California Consumer Privacy Act (CCPA) is just four months from going into effect on January 1, 2020. Organizations might scramble this fall to make sure they are prepared for CCPA to hit, but there is one thing to be aware of that organizations may be overlooking. The law, which provides California residents with several rights, including the right to request access to their personal information, has a “look back” requirement.
The look back requirement is one of the reasons that businesses should not be waiting to begin their CCPA compliance efforts.
What is the CCPA Look Back Requirement?
The CCPA was passed in June 2018 by the California legislature through AB-375 and amended that August by SB-1121. The law doesn’t explicitly mentions the terms “look back” or “lookback”. Yet, this is the name that has been subsequently used to describe the period which is covered by some of the disclosure requirements of the CCPA.
When the CCPA goes into effect on January 1, 2020, certain disclosures will need to be made based on how the company has been collecting, using and sharing data over the past year. In other words, it will need to disclose information about its privacy practices for the last year to California residents.
Under the CCPA, consumers are allowed to make a request for access to their personal information. If a request is made, organizations are required to provide records covering the 12-month period preceding the date of the request. This means organization should already be maintaining accurate records of consumers’ personal information starting from January 1, 2019.
Important rights for consumers under the CCPA:
Right to request information
The right consumers have to request information can be triggered in two cases: (i) if a business collects personal information about consumers, and (ii) if a business sells or discloses personal information about consumers. Businesses must disclose and deliver the required information within 45 days of receipt of a verifiable consumer request.
Right to opt-out of the sale of personal information
If a consumer has exercised their right to opt-out of the sale of their personal information, the business is prohibited from selling that consumer’s personal information from that point forward unless it subsequently receives express authorization from the consumer for the sale. The business must wait 12 months minimum from the date the consumer opted-out before it can request the consumer to authorize the sale.
Right of deletion
The business must delete from its records a consumer’s personal information after receiving a verifiable consumer request to do so and it must direct service providers it has shared it with to do the same.
What does this mean for your organization?
Companies should already be complying with the CCPA to be prepared respond to the look back requirement and the new rights given to consumers. Organizations must understand where all personal information about consumers reside and where it flows within the organization, creating mechanisms to enable consumers to make those requests, training and potentially hiring new resources to respond to requests from consumers, updating their privacy policies to comply with the newly introduced information disclosure requirements, implementing new and structural processes internally to handle those requests, and more.
Ideally, because the CCPA goes into effect on January 1, 2020, all covered businesses would have already implemented policies and procedures to be able to identify the requisite information starting January 1, 2019. For those covered businesses who have not yet implemented such policies and procedures, it is imperative to begin now, even if work should or could have started sooner.