The CCPA dominated much of the conversation in the privacy and product counseling space in 2020. Organizations spent the bulk of 2019 working to implement the CCPA’s statutory requirements and addressing the first round of regulations issued by the Office of the Attorney General (OAG). For the first half of 2020, companies awaited the OAG’s final regulations as the CCPA’s July 1 enforcement date approached. The OAG kept everyone on their toes, issuing multiple rounds of modifications to the regulations before the final version was adopted on August 14, 2020.
On Election Day 2020, California voters approved the California Privacy Rights Act (CPRA) ballot referendum. Sometimes referred to as “CCPA 2.0,” the CPRA will add to and amend organizations’ CCPA compliance obligations. Although the majority of the CPRA’s amendments will not become effective until January 1, 2023, the CPRA immediately extended the CCPA’s exemptions for personal information obtained in the HR and business-to-business contexts. Below are some facts and statistics regarding our CCPA compliance efforts with clients in 2020.
CCPA Compliance Statistics and Facts
- In 2020, we assisted more than 100 companies from a broad range of industries – including big tech, retail, advertising technology, telecommunications, and others – in developing and implementing CCPA compliance programs.
- BakerHostetler assisted the Interactive Advertising Bureau (IAB) in the development of its CCPA Compliance Framework for Publishers and Technology Companies, a technical and legal framework aimed at addressing the vexing issues arising from the CCPA’s novel “Do Not Sell” right in digital advertising use cases.
Consumer Request Statistics and Facts
- The overwhelming majority of organizations we counseled received at least some CCPA consumer requests, though the numbers varied widely, from a handful of requests to thousands. In general, the volume was higher at the start of 2020, then leveled off or significantly decreased for most companies by the middle of the year.
- Deletion and Do Not Sell requests were the most common type of requests received.
- Placement of a Do Not Sell link on company websites was less common prior to the OAG’s July 1 enforcement date; thereafter, DNS link adoption increased significantly.
- In addition to requests submitted directly by individual consumers, a majority of companies received requests from automated request services.