Privacy Law Update: CCPA Proposed Final Regulations Submitted for Approval
The California Consumer Privacy Act, or CCPA, went into effect on January 1, 2020, though enforcement of the Act by the California Attorney General’s Office does not begin until July 1, 2020. Last week the Attorney General’s Office confirmed that it would begin enforcing the CCPA on July 1st, despite lobbying efforts by a number of trade organizations to delay the enforcement date on account of operational interruptions caused by COVID-19. The Attorney General’s Office also submitted its CCPA Final Text of Proposed Regulations (“Final Proposed Regulations”) to the California Office of Administrative Law (“OAL”) for approval last week. The CCPA calls for the Attorney General to adopt regulations in furtherance of the Act by July 1, 2020.
The regulations are intended to provide businesses subject to the CCPA with additional guidance related to compliance with and enforcement of the Act. Under normal circumstances, the OAL has 30 working days to review and approve draft regulations. However, in March of this year, Governor Gavin Newsom signed an executive order extending this review period by an additional 60 calendar days due to COVID-19. The Attorney General requested that OAL expedite its review of the Final Proposed Regulations in order to complete the review by July 1st. However, as of this writing, there are more than 60 proposed regulations under review with the OAL, and whether the OAL completes its review of the CCPA Final Proposed Regulations by or before the CCPA enforcement date of July 1 is far from certain. The practical implication is that businesses subject to the CCPA will be subject to enforcement actions by the Attorney General’s Office while awaiting OAL approval or rejection of the Attorney General’s proposed regulations relating to compliance with the Act.
Applicability of the CCPA: With some exceptions, the CCPA applies to any for-profit business that does business in the state of California; collects, or determines the means and purposes of processing, personal information of California residents; and meets any one of the following thresholds: (1) has annual revenue of $25 million or greater, (2) annually processes the personal information of 50,000 or more California residents for commercial purposes (as defined under the CCPA), or (3) derives 50% or more of its revenue from selling the personal information of California residents.
Despite the potential delay for approval of the Final Proposed Regulations, the version submitted by the Attorney General last week is substantially identical to the draft regulations the Attorney General posted for public comment in early March. Assuming the OAL approves this version of the Final Proposed Regulations, businesses that took steps toward CCPA compliance based on the Attorney General’s last draft of the regulations should not have to make significant changes to their CCPA compliance programs. Also, many of the businesses that meet the thresholds that subject them to the CCPA also have to comply with the European Union’s General Data Protection Regulation (“GDPR”), which has been in effect since May 25, 2018. There are substantial similarities between the GDPR and the CCPA (including the Final Proposed Regulations). Organizations subject to the CCPA that underwent a GDPR compliance lift two years ago may already have the infrastructure in place in their privacy programs to make any nuanced tweaks needed for CCPA compliance.
What the Proposed Final Regulations Address: The Final Proposed Regulations provide useful insight into some of the specific steps businesses can take toward compliance with the CCPA and enforcement by the Attorney General. Some of the areas of emphasis in the regulations include, but are not limited to:
- Notice at the point of data collection: Including putting consumers on notice related to the collection of personal information online, offline, in person, over the phone, just-in-time notices for certain collection through mobile devices, and notices for visually-impaired consumers.
- Disclosure of purpose: Provides guidance regarding required disclosures related to the purpose(s) of data collection, and specifically on when and how a business must notify consumers if it intends to process their personal information for a purpose other than that for which it was initially collected.
- Service providers: Provides guidance intended to clarify the role and responsibilities of service providers with regard to processing personal information on behalf of businesses and responding to requests from consumers to exercise their individual rights granted under the Act.
- Sale of personal information: Provides guidance related to selling personal information, including guidance for data brokers, and operationalizing financial incentive programs and consumer opt-out rights.
Steps the Business Can Take Now: With the CCPA enforcement date of July 1, 2020, rapidly approaching, any business that may be subject to the CCPA should take the following steps, or confirm that it has already done so, toward compliance with the Act, and otherwise to enhance its privacy program:
- If still a question, determine whether it is subject to the CCPA.
- Engage in data mapping to understand the scope of its risks and obligations related to the processing of personal information.
- Determine whether or not the business “sells” personal information as such is defined under the CCPA.
- Ensure the business has procedures in place for receiving and responding to individual data rights requests, including for opting out of the sale of personal information if applicable.
- Review service provider contracts against applicable privacy obligations and work with its vendors and other service providers toward compliance where necessary.
- Review and update internal procedures and processes related to compliance with data protection laws, including workforce training and data security and retention policies.
For questions about the applicability of or obligations under the CCPA, or about more steps to take to prepare for its upcoming July 1, 2020 enforcement date, please consider contacting a lawyer in the privacy group at Schwabe, Williamson & Wyatt, P.C.