The Westin Research Center has released a new tool to help IAPP members understand the California Consumer Privacy Act. The “CCPA Rights and Obligations Tool” organizes the act’s consumer rights and business obligations around the different phases of interaction with a consumer described in the act — initial disclosure and notice requirements and receipt and response to a consumer request — the act’s enforcement provisions, and its security obligations. The tool is intended to help privacy professionals navigate the network of consumer rights, the business obligations that flow from those rights, and the independent obligations placed on a business that comprise the CCPA.
Existing CCPA resources describe the various rights, notice obligations, and disclosures required by the law, but few tie those requirements to the provisions in the statute that create them. As public forums about the law and commentary since its passage reveal, “the contours of the CCPA’s requirements are taking significant time to come into focus.” The main culprits for the law’s ambiguity are its occasionally contradictory internal cross-referencing and sometimes confusing definitions. The devil is in the details.
The “CCPA Rights and Obligations Tool” seeks to shed light on the details of each business obligation found in the law. It is intended to enable privacy professionals to identify gaps in compliance or understanding within their organization by compiling the elements that combine to create a business obligation and identifying the sources within the law for each element. With each element of an obligation sourced, privacy professionals can dig into the text of the CCPA to understand how it applies to their organization or what type of guidance is required to close a gap in understanding.
The tool represents the Westin Research Center’s best interpretation of the current version of the CCPA. It will be updated as amendments pass the state legislature and the California Attorney General’s Office releases additional guidance and conducts the statutorily required rule making prescribed in the law. Included in the tool are notes regarding ambiguities and other commentary on certain provisions of the CCPA to aid understanding or emphasize a noteworthy distinction made in the law (intentionally or unintentionally). We hope this tool can be a valuable resource as the privacy community continues to work together to understand the details of the CCPA.
Top image courtesy of @carlevarino via Unsplash.