Page 8 Summer 2019 Points of Interest Consumer Privacy Act – continued from page 7 from exercising rights under the Act, and by providing a complete private right of action for any violation of the Act, not just for data breaches. Many businesses are turning their hopes to the California Attorney General to provide much-needed guidance. The Attorney General has been holding public comment sessions throughout the state in January – March 2019 regarding it’s rulemaking authority under the Act. However, comments made by the representatives of the Attorney General’s Office at those sessions have suggested that the rule-making process may not even start until the Fall of 2019 or later. Accordingly, as businesses gear up for the January 1, 2020 effective date of the CCPA, the ambiguities noted in this article (and others) are likely to persist. When Does the Act Go Into Effect? The answer to this question seems easy. Newly added California Civil Code Section 1798.198 (a) provides that “this title shall be operative January 1, 2020.” When the Legislature amended the CCPA for the first time in September 2018, it delayed enforcement of the provisions of the Act by the California Attorney General to July 1, 2020, but left the effective date (in other words, the date on which consumers can start making requests under the Act) in tact. However, it is not quite that simple. The Act provides that as of January 1, 2020, consumers will be permitted to make verifiableconsumerrequestsofbusinesses in California requiring them to disclose information regarding consumer data that the business has collected and sold (includingpotentiallyprovidingconsumers withcopiesofallofthatinformation)going back one calendar year to the beginning of 2019. In other words, businesses should begin to comply with the CCPA effective January 1, 2019. If you are just beginning your compliance efforts, you’re already behind. How Does a Business Verify a “Verifiable Consumer Request”? Abusinessmustprovidevariousdisclosures and other rights provided under the CCPA to consumers upon receipt of a “verifiableconsumerrequest.” A“verifiable consumer request” is defined in the Act to mean a request by a consumer (or, in certain circumstances, an authorized representative of the consumer), that the business can reasonably verify to be from the consumer about whom the business has collected personal information. However, beyond this basic definition, the Act does not specify or provide guidance regarding how a business is supposed to goaboutverifyingaconsumerrequest,nor does it provide any “safe harbor” if certain practices are followed. It is not hard to imaginecircumstancesinwhichindividuals may seek to obtain personal information about consumers by impersonating them continued on page 9