NEWS12 December 2019

Insights body calls for changes to CCPA

GDPR Legal News North America Privacy

US – Research industry organisation the Insights Association has asked for changes to be made to the proposed regulations implementing the California Consumer Privacy Act (CCPA).

CCPA california consumer privacy act_crop

The new privacy law comes into effect from 1st January 2020 but enforcement will not begin until 1st July. It is intended to improve privacy rights and consumer protection for residents of California.

The Insights Association has written to California’s attorney general to make several recommendations on the draft regulations, which were released in October and were open for initial public comment until 6th December.

“The CCPA will have a profound impact on the business community, including the marketing research and data analytics industry,” the Insights Association said in the letter (dated 6th December), which is co-signed by Howard Fienberg, the organisation’s vice-president of advocacy, and outside general counsel Stuart Pardau.

The Insights Association has made the following recommendations:

  • The ‘authorised agent’ concept – which, under the draft regulations, would allow a consumer to designate an authorised agent to submit opt-out requests, and requests to know and delete – should be limited to minors, and elderly or incapacitated individuals
  • Marketing research should be exempted from notices of financial incentives for research participation
  • Email requests should be allowed in lieu of an interactive webform
  • There should be clarification on how one of the regulations relates to existing ‘do not track’ requirements
  • The timeframe to respond to all requests to know or delete information should be set at 45 days
  • Further guidance should be issued on how CCPA applies to personal data collection via telephone.

The CCPA has been compared to the introduction of the General Data Protection Regulation (GDPR) in Europe, but there are differences – notably, the CCPA does not require organisations to have a ‘legal basis’ for the collection and processing of personal data, unlike GDPR.