The California Consumer Privacy Act (CCPA) protects the rights of data subjects in California. The CCPA statute of limitations refers to two things, broadly: the timeframe within which legal action may be brought against an organization for violating CCPA rights and the duration for which such an organization is allowed to retain data pertaining to a California consumer. Our guide will break down these definitions and explain other essentials of CCPA compliance.
Understanding CCPA Statute of Limitations
In the most direct sense, the CCPA statute of limitations refers to a threshold within which legal action may be brought against an organization for infringing on CCPA-protected rights.
A data subject who feels their rights have been violated may report their suspicions to the California Office of the Attorney General (OAG) or file a lawsuit. However, the latter only applies in cases involving a data breach. The timeframe within which data subjects must file the lawsuit is as yet unspecified, but the organization must respond to and resolve the issue within 30 days. The same 30-day response and remediation timeline applies to organizations notified of suspected noncompliance by the California OAG.
With respect to CCPA action brought by the Attorney General, the statute of limitations for any civil action in California unrelated to “real” (i.e., physical) property is four years—see Code of Civil Procedure section 343. For cases that involve other statutory violations, the statute of limitations is three years—see section 338. Either of these may apply, depending on the case.
But the CCPA statute of limitations also refers to another category altogether: data retention.
CCPA and CPRA Restrictions on Data Retention
The CCPA proper guarantees four rights to Californian data subjects (see below); restricted data retention is not one of these rights. However, a new addition to the CCPA, the California Privacy Rights Act of 2020 (CPRA), is likely to restrict the length of time for which organizations can retain protected data—primarily via the augmented “purpose and intent” section.
CPRA Section 3 establishes consumer rights, which inform responsibilities for businesses:
- Consumers in California have the right to know the exact purpose(s) for which their protected, personal data is being collected, used, or retained—at all times.
- Businesses are responsible for using and retaining data for those purposes only, which requires eliminating any uses or retentions outside the stated purposes.
In practice, this means organizations will not be able to retain user data indefinitely. Unless the data subject has consented to an express purpose for continued retention, personal data must be securely disposed of once that purpose is fulfilled.
Failure to do so may result in legal action—and retaining data beyond its purpose also enlarges the organization’s exposure if a breach occurs.
Connection to EU GDPR Data Requirements
The CCPA was modeled after the European Union’s General Data Protection Regulation (GDPR). It is not quite as restrictive as its EU equivalent, but the CPRA (and other proposed modifications) attempts to strengthen its protections for data subjects.
In particular, GDPR Article 5(1)(e) specifies that personal data that identifies data subjects may be stored “no longer than is necessary” for the specific purposes for which it was collected. The only reasons it may be stored longer are processing conducted in the public interest, per Art. 89(1).
Understanding the applicable GDPR rules is one way to prepare for their increasingly strict counterparts in the US. Also, complying with CCPA and other US-based regulations is one way to prepare for growth into EU markets—and the increased GDPR compliance burden it entails.
Other CCPA Provisions and Considerations
Both the data retention and legal action threshold definitions of the CCPA statute of limitations are relatively unstable and subject to change. However, the four other rights guaranteed by the CCPA, and their respective thresholds and implications, are much more permanent. These are:
- The Right to Know About Data Collection – Data subjects may request information on the kind and amount of data collected, the reasons for its collection, with whom it will be shared, and how it will be used—for a period of up to 12 months prior to the request.
- The Right to Delete Personal Data – Data subjects may request to have their personal information deleted; however, there are many reasons a business may deny the request.
- The Right to Opt-Out of Data Processing – Data subjects may also request to “opt out” of their data being sold; barring exceptions, businesses must stop selling it immediately upon request and cannot ask the data subject to “opt in” again for at least 12 months.
- The Right to Non-Discrimination – Businesses may not deny the sale of their products or charge a data subject a different rate because of a CCPA request or complaint.
The best way to ensure your organization upholds these rights—and to avoid the threat of civil action brought by an individual or the California OAG—is to work with a CCPA compliance partner.
Streamline Your CCPA Compliance
To protect the rights above, and prepare for prompt notification to all parties per the various applicable CCPA statutes, your organization needs robust IT and cybersecurity architecture. RSI Security will assist with every element of ongoing CCPA compliance: initial strategizing, control implementation, and any required assessment or reporting.
To get started with your CCPA statute of limitations preparation, contact RSI Security today!