CCPA Look Back Period Requirement
The CCPA requires covered businesses to disclose certain information about data collection, usage and sharing over a 12 month look back period. The requirement is contained in Section 1798.130 of the California Consumer Privacy Act and applies to disclosures made pursuant to certain other sections.
There was a lot of discussion online about the one year lookback period around the New Year because that was when it technically started, even though the effective date of the law was not until January 1, 2020. It is one of the reasons that businesses should not be waiting to begin their CCPA compliance efforts.
The intent of the law appears to be to limit the requirements to a defined period that can be handled by covered businesses without posing a substantial problem. It makes particular sense around the general privacy disclosures that must be posted online for consumers. However, the text of SB-1121 could even apply this to the right to access.
What is the CCPA Look Back Period?
The CCPA was passed in June 2018 by the California legislature through AB-375 and amended that August by SB-1121. However, neither bill explicitly mentions the terms “look back” or “lookback”. Yet, this is the name that has been subsequently used to describe the period which is covered by some of the disclosure requirements of the CCPA.
When the CCPA goes into effect on January 1, 2020, certain disclosures will need to be made based on how the company has been collecting, using and sharing data over the past year. In other words, it will need to disclose information about its privacy practices for the last year to California residents.
The look back period requirement potentially takes two forms:
Privacy Notice Disclosures
For the preceding 12 months, Sections 1798.130(a)(5)(B) and 1798.130(a)(5)(C) require the company to disclose the categories of personal information it has collected about consumers, a list of the categories of personal information sold about consumers, and a list of the categories it has disclosed about consumers for a business purpose. This is the core of what most people consider the look back period requirement.
Right to Access Disclosures
The complete implications of the lookback period on the right to access are still unknown.
Section 1798.100 requires businesses to make certain disclosures following a verifiable consumer request. According to that section, these include the categories and specific pieces of personal information the business has collected. Additional information that can be requested in a verifiable consumer request is included in Section 1798.110(a), which provides a list of five areas that may be requested and fulfilled as part of a verifiable consumer request.
In Section 1798.130(a)(2), the CCPA specifies that the disclosure shall cover the 12-month period preceding the business’s receipt of the verifiable consumer request. If this were applied across the board to the right to access, it might limit a consumer’s ability to get access to personal information collected more than one year earlier. Yet, the restriction is explicitly applied to Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, so it remains uncertain at this point.
Alternatively, it may be that the 12 month requirement in this section only applies to some, rather than all, of the disclosures that need to be made. Additionally, businesses might voluntarily choose to provide all of the information they possess rather than just some of it. As far as public norms go, it is rare to hear anyone mention the one year limitation on the disclosure of specific pieces of personal information.
Should certain disclosures occur over the entire period rather than the look back period?
The question of the breadth of the right to access regarding specific pieces of personal information is a tricky one. If a business takes a narrow view, it only needs to provide the personal information collected in the prior year. On the other hand, a business that takes this view potentially puts a restriction on the scope of the law that was not intended, and it must now go through the additional procedure of recording when information was collected. It would also severely weaken the power of providing the information in a portable format, since the information provided would be incomplete.
Since the scope of the right to access is such an important one to any compliance effort, it seems likely that it will be one clarified by the Attorney General’s final regulations. However, if it is not, businesses will need to decide whether they are going to provide the right to access for personal information collected at any time (similar to GDPR) or only collected during the last year. Businesses will definitely need to take into account consumer expectations or set them appropriately when making this decision.
Additional Resources:
CCPA Summary
Data Portability for CCPA DSAR Access Responses
What is a CCPA business purpose or commercial purpose?
The Broad CCPA Definition of Sale
CCPA Definition of Consumer
CCPA Household Definition & Challenges
CCPA Training Requirement – Section 1798.130(a)(6)
CCPA Regulations: Coming Soon from the California Attorney General
Loyalty Programs, AB-846, and the CCPA Anti-Discrimination Clause