Since the California Consumer Privacy Act went into effect on Jan. 1, many businesses have been eager to receive the promised accompanying regulations. Without the final version of the regulations, varying interpretations of the CCPA and the need to revise policies and procedures on a rolling basis have been quite burdensome. But the wait is over.
On June 1, the final version of the proposed regulations was submitted by Attorney General Xavier Becerra to the California Office of Administrative Law. The OAL has 30 working days (plus an additional 60 calendar days under Executive Order N-40-20 due to the COVID-19 pandemic) to review the proposed regulations for procedural compliance with the Administrative Procedure Act. Once approved by the OAL, the text of the final regulations will be filed with the secretary of state and become enforceable by law.
The Regulations' Impact on the CCPA
Within the CCPA is a provision (Section 1798.185) that allows the attorney general to adopt additional regulations as necessary to further the purposes of the CCPA, as well as to provide additional guidance for compliance. The final version of the proposed regulations does this by:
• Detailing specific placement, content, timeline and methods acceptable for the notification and execution of the right to opt-out of a sale;
• Requiring that businesses treat user-enabled global privacy controls (e.g., browser plugin or privacy setting) as a valid request to opt-out of a sale;
• Providing specific content, timelines, verification of identity procedures and methods for handling consumer (including household) requests to exercise their other CCPA rights;
• Clarifying that the right to "delete" may be executed by "de-identifying" or "aggregating" personal information;
• Outlining the role and definition of service providers;
• Detailing training and record-keeping requirements;
• Providing qualifications for "authorized agents" to act on behalf of a consumer;
• Detailing the appropriate consent methods for selling the personal information of minors;
• Clarifying what the CCPA considers "discriminatory practices"; and
• Listing factors for determining how to calculate the value of consumer data, in order for businesses to provide adequate financial incentives.
July 1 Enforcement
The Jan. 1 effective date is the date on which "businesses" under the CCPA were required to provide new rights to certain consumers in California. However, the statute also stipulates that "the Attorney General shall not bring an enforcement action under [the CCPA] until six months after the publication of the final regulations issued ... or July 1, 2020, whichever is sooner."
The OAL has until Sept. 1 to review the final proposed regulations for procedural compliance with the APA, and then turn them into law by filing them with the secretary of state. This means that the attorney general can begin to enforce the CCPA on July 1 (the "sooner" date). The accompanying regulations will follow, once they are filed with the secretary of state, presumably sometime before Sept. 1.
From Becerra's comments over the past year (as well as his unsuccessful attempt to amend the law to expand his and consumers' rights to bring claims -- including by removing the 30-day notice and right to cure provision), we can surmise that the attorney general's office intends to aggressively enforce the CCPA. The attorney general can bring suit for any CCPA violation, for statutory penalties of up to $2,500 for each non-intentional violation or $7,500 for each intentional violation. That being said, the initial focus of enforcement appears to be directed at companies that:
• have not demonstrated efforts to comply with the law;
• handle more sensitive or critical data (e.g., minor data) -- in particular, where minors' data is sold; and
• are larger or have more resources for compliance (noting that ignorance of the law will not be an excuse for non-compliance, and all companies, large and small, are expected to make clear, reasonable efforts to comply).
For these companies, Becerra has stated, "I will descend on them and make an example of them, to show that if you don't do it the right way, this is what is going to happen to you."
Becerra has also repeated that while enforcement efforts will not begin before July 1, the attorney general's office has been monitoring compliance activities since the CCPA's effective date, and that the six-month gap should not be seen by companies as a "safe harbor." This is true despite the current economic and health crisis caused by COVID-19.
While the right to private action is limited under the CCPA, many legal experts agree that CCPA privacy rights are not actionable under other statutes. Plaintiffs' attorneys are testing this theory by bringing suit for CCPA violations under the Unfair Competition Law (Cal. Bus. and Prof. Code Section 17200), and others. Until courts officially weigh in on these alternative theories of recovery, many businesses may be confronted with additional litigation risks.
CCPA Statute and Regulations
Who Is Subject to the CCPA?
As a reminder and with limited exceptions, your business may be directly subject to the CCPA if it:
1. collects the personal information of California residents (or has a third-party vendor collect such information on its behalf);
2. controls the means and purposes of use of such information;
3. does business in California; and
4. either has company-wide annual gross revenues of more than $25 million; alone or in combination, annually buys, receives, sells, or shares the personal information of 50,000 or more California residents; or derives at least 50% of its annual revenue from selling personal information of California residents.
Alternatively, your company may be subject to the CCPA indirectly, if it controls or is controlled by a business that is directly subject to the CCPA, and there is common branding between the entities.
In preparation for the July 1 CCPA enforcement, companies should ensure implementation of some of its key provisions:
1. Notice at Collection: California residents -- including employees and contractors -- have the right to receive notice, upon collection, of the personal information being collected and the purposes for which it will be used.
3. Right of Access: California residents have the right to request that a business provide them with: (i) the categories and specific pieces of information that it has collected about them over the past 12 months; (ii) the categories of sources from which such information came; (iii) the business or commercial purpose for the collection or selling of the information; (iv) the categories of third parties with whom the business shares the information; and (v) for each category of personal information, as applicable, the third party to whom it was either sold or disclosed for a business purpose. To exercise this right, a webform or closely monitored email address (noting the 45-day time limit for responses) should be posted on your website.
4. Right of Deletion: With some exceptions, California residents have the right to request that a business delete their personal information. This right also requires businesses to forward such requests to any vendors who also hold the personal information.
5. Method of Identity Verification: Before executing a request for access or deletion, a requestor must provide adequate verification of identity, to prevent unauthorized access or deletion. Adequate methods are prescribed in the Regulations.
6. Right to Opt-Out of a Sale: California residents have the right to stop the sale of their personal information. We note that a "sale" under the CCPA is quite broad and includes any selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information for valuable consideration -- money does not need to be exchanged. The CCPA and accompanying Regulations provide very specific parameters for proper implementation of this right.
7. Minors' Right to Consent to a Sale: While most California residents have the right to "opt-out" of a sale, minors under the age of 16 must first "opt-in" before their personal information can be sold.
8. Right to Not Be Discriminated Against for Exercising Rights: With limitations, California residents cannot be discriminated against for exercising their rights (for example, opting out of the sale of their personal information). However, financial incentives can be offered for the sale or other processing of personal information.
9. Review Security Practices: The CCPA provides California residents, including employees and contractors, with a private right of action for data breaches. It is important to encrypt and redact personal information where possible to prevent hefty statutory damages. While there is little guidance on proper security measures, the attorney general's office published a report in 2016, offering some guidance on minimum standards.
Currently, the above, unless indicated otherwise, does not apply to employees, contractors, or business contacts.
Just Around the Corner
CCPA Rights for Employees, Contractors and Business Contacts
The CCPA currently only offers California employees and contractors (but not business contacts): (i) the right to notice upon collection of their personal information, and (ii) the right to bring suit for statutory damages for a data breach. However, beginning Jan. 1, 2021, unless otherwise extended, all California residents, including employees, contractors and business contacts will gain full rights under the CCPA, including the right to access, delete, and opt-out of the sale of their personal information.
With an eye toward the coming months, companies should begin to prepare their current data rights performance mechanisms for expansion to include these other categories of California residents. This may consist of additional data mapping exercises, and changes to privacy notices and policies.
CPRA (CCPA 2.0)
Despite the CCPA being in its infancy, a proposed ballot initiative to expand the CCPA was introduced and has since qualified for the November 2020 election.
The California Privacy Rights Act of 2020 (CPRA, or CCPA 2.0), if passed, will, among other things, include: (i) a distinction for "sensitive personal information"; (ii) the right to restrict processing of sensitive personal information; (iii) the right to correct personal information; (iv) the right to notice of retention practices; (v) the right to restrict automated decision-making; (vi) a requirement for businesses to enter into specific privacy-related contractual provisions with third parties; and (vii) a requirement for businesses to implement reasonable security obligations. It will also expand the scope of the current CCPA definitions, fines, enforcement abilities, rights of access and deletion, and the right to opt-out of the sale of personal information. The CPRA seeks to align the CCPA more closely to its 2016 cousin, the GDPR.
We note, however, that while in most cases the CPRA creates additional privacy requirements for businesses, it could also help push the 2021 CCPA requirements for employees, contractors, and business contacts to Jan. 1, 2023.