If your organization operates in California, or processes data from many California residents, you are likely subject to the California Consumer Privacy Act (CCPA). One component of the CCPA requirements is adhering to the new CCPA Lookback Period rules, which extend data subjects’ rights over their data into a retroactive period of 12 months. Following these rules means upholding data subjects’ rights in the present and future while also accounting for the past.
Full Guide to the CCPA Lookback Period
The full force of the CCPA will be felt in 2023, when the California Privacy Rights Act (CPRA) comes into full effect. One provision of the CPRA, the lookback period, extends its protections retroactively into 2022. Organizations need to prepare now for future compliance.
Preparing for seamless CCPA compliance means understanding:
- What the CCPA Lookback Period is, what it requires, and how it impacts organizations
- The primary consumer rights protected by the CCPA, and whether they apply to you
- The steps to achieving and maintaining compliance with the CCPA and CPRA
Below, we’ll cover all these areas and how CCPA compliance services facilitate compliance.
What is the CCPA Look Back Period?
To begin with, the “lookback” or “look back” period is not a legal term; it is an interpretation of a requirement built into the CPRA. It’s a provision that extends CPRA protections retroactively, such that a consumer can request that a company “looks back” to provide information from before the actual effective date of CPRA regulations—exactly one year before they take effect.
On January 1, 2023, the CPRA will become effective. From that point onward, organizations subject to the CCPA will be legally required to provide consumers with information respective to all data they’ve collected from those consumers upon their request. But even though the law won’t be in effect until 2023, organizations will need to provide information going back to January 1, 2022.
So, in practice, CCPA compliance practices need to start earlier than 2023.
CCPA Look Back Period Requirements
The stipulated requirements of the lookback period all relate to specific information organizations must make available to their consumers, dating back one year prior to the CPRA’s start date.
There are three kinds of information organizations need to be able to share upon request:
- Records of what information was collected, and how, dating back to January 1, 2022
- Records of how information was used, and for what reasons, from January 1, 2022
- Records of how information was shared, and with whom, from January 1, 2022
If a consumer requests any of this information, the organization is obligated to share it with them—thus, by extension, the organization is required to have prepared the information.
How Does the Lookback Period Requirement Affect CCPA-Compliant Businesses?
Ultimately, the impact of the lookback period is relatively minimal for organizations already compliant with the CCPA. Organizations are not necessarily responsible for having upheld data privacy rights of their consumers for the entirety of the lookback period; instead, they just need to make information about collected data available upon request.
The biggest impact of the CCPA lookback period is on organizations preparing for CCPA compliance. Their de facto start date for data collection and preparation needs to have been January 1 of 2022, not 2023.
The Rights for Consumers Under the CCPA
Ultimately, the lookback period retroactively extends the primary rights of consumers protected by the CCPA. These protections are also amplified by the CPRA, but the core rights comprise:
- The right to know – Consumers must have access to detailed information about the personal information a business collects from or about them and how it is intended to be used.
- The right to delete – Consumers can request that personal data collected from them be deleted, and compliant organizations must honor these requests (with some exceptions).
- The right to opt-out – Consumers must be able to opt out of sales of their personal information, and compliant organizations must honor these requests (with exceptions).
- The right to non-discrimination – Consumers must be able to exercise their CCPA rights without being discriminated against by organizations via higher fees or penalties.
Compliant organizations must implement security frameworks to ensure these rights are upheld.
Do I have to comply with CCPA?
The CCPA—including the CPRA, the lookback provision, and all requirements above—applies to businesses that conduct business in California and meet any one of the following conditions:
- Generating gross revenue of over 25 million dollars annually
- Processing personal information of 50 thousand or more California residents
- Deriving 50% of annual revenue (or more) from processing California residents’ data
These qualifying conditions apply uniformly across industries; nor does it matter where a business is located or headquartered, as long as it does business in California. The one major exception is that the CCPA does not apply to governmental agencies or nonprofit organizations.
How to comply with the CCPA Look-Back Provision
The most efficient way to comply with the CCPA lookback provision is to implement CCPA-compliant practices as soon as possible. Organizations need to be targeting January 1, 2022, as the date that their data transparency initiatives go into effect. In practice, this means:
- Collecting, protecting, and preparing information on personal data collection
- Collecting, protecting, and preparing information on personal data usage
- Collecting, protecting, and preparing information on personal data sharing
The biggest mistake organizations can make is waiting. To ensure seamless compliance in 2023 and beyond, organizations should contact a CCPA compliance partner sooner rather than later.
How RSI Security Can Help You Achieve CCPA Compliance
RSI Security has helped countless organizations of all sizes and across all industries prepare for and achieve CCPA compliance. Our experts will help your organization implement data security controls and transparency monitoring. We’ll help you rethink data collection and processing, along with reporting protocols to make information available upon request.
To streamline your cyberdefense program and achieve or maintain compliance with the CCPA requirements, including the CPRA and CCPA lookback period, contact RSI Security today!