Looking Ahead to the CCPA’s “Look Back” Requirement

November 2019

Under the California Consumer Privacy Act (CCPA), covered businesses must comply with myriad requirements starting January 1, 2020. Within those requirements, covered businesses must be prepared to deal with the “look back” requirement. Under the CCPA, the disclosure of information to California consumers must cover—that is, “look back” at—the 12-month period preceding the date upon which the covered business receives a verifiable consumer request. See Cal. Civ. Code § 1798.130(a).

As we previously discussed, a California consumer may submit to a covered business a “verifiable consumer request” for certain specified information about their personal information. See Cal. Civ. Code § 1798.100(c). For example, within 45 days, a covered business must provide the categories and the specific pieces of personal information collected, sold, and/or disclosed, the categories of sources from where the personal information was collected, the business or commercial purpose for which the personal information was collected, and the categories of third parties with whom the personal information is shared, for the 12-month period preceding the request. See Cal. Civ. Code § 1798.130(a)(2). Further, the response “may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.” See Cal. Civ. Code § 1798.100(d).

Ideally, because the CCPA goes into effect on January 1, 2020, all covered businesses would have already implemented policies and procedures to be able to identify the requisite information starting January 1, 2019. For those covered businesses that have not yet implemented such policies and procedures, it is imperative to begin now, even if work should or could have started sooner.

Covered businesses should at least:

  1. identify and map all of the information required under the CCPA going back to January 1, 2019;
  2. implement policies, procedures, and training for the collection and retention of such information going forward; and
  3. implement procedures that will allow for ready access to the information so as to comply with the 45-day response period to provide such requested information.

Although enforcement of the CCPA will begin no later than July 1, 2020, compliance must be in place by January 1, 2020. One must work under the assumption that the Attorney General’s enforcement on July 1, 2020 will retroactively look to a covered business’s compliance as of the effective date of the CCPA.

There are two exceptions to the “look back” requirement where the covered business need not disclose information collected for the 12-month period preceding the request:

The same information need not be provided to the same consumer more than twice within a 12-month period. See Cal. Civ. Code § 1798.100(d).

Information need not be retained if used for a single, one-time transaction or if the information will not be sold or retained by the covered business. See Cal. Civ. Code § 1798.100(e).