California Attorney General Submits Proposed Final CCPA Regulations and Affirms That Enforcement Begins July 1
The Office of the Attorney General of California submitted proposed final regulations under the California Consumer Privacy Act of 2018 (the CCPA) to the California Office of Administrative Law (OAL) on June 1. The CCPA has been in effect since January 1, and despite business disruptions caused by the COVID-19 pandemic, AG Xavier Becerra has confirmed that he will begin enforcing the law on July 1, 2020. OAL has 30 working days plus an additional 60 calendar days to review the regulations for procedural compliance with California’s Administrative Procedure Act. Once approved by the OAL, the regulations will be filed with the Secretary of State and become enforceable by law. The AG has asked OAL to expedite its review of the proposed regulations to 30 days so that the regulations will become effective by July 1.
We have previously written about the CCPA here and the draft here. This alert summarizes some of the modifications between the final regulations and the initial draft regulations proposed by the AG’s Office in October 2019, including changes to the disclosures that businesses are required to make when they collect personal information, the time requirement for those disclosures, the CCPA’s restrictions on the sale of personal information, the procedures for responding to requests from consumers who want to exercise their CCPA rights, and the requirement to protect certain records relating to CCPA compliance. As discussed below, we recommend that businesses implement these changes in their own CCPA compliance programs immediately.
The final regulations clarify that every business subject to the CCPA must provide privacy policies to consumers. Businesses must also disclose the categories of sources from which they collect consumers’ personal information and the categories of third parties with whom the business shares personal information. The regulations also clarify that “categories of sources” mean groupings of persons or entities including the consumer directly, advertising networks, internet service providers, data analytics providers, operating systems and platforms, social networks, and data brokers. The regulation’s expand on the definition of “categories of third parties” in a similar way. These modifications make clear that businesses must provide granular information to consumers to show how businesses are obtaining and disclosing their data.
Time of Disclosure
Under the regulations, businesses must provide “timely notice” at or before the “point” of collection of the personal information from the consumer, which may be electronic or in-person. Thus, the requirement encompasses both temporal and physical proximity to the collection of personal information. The regulations include examples illustrating how businesses can make the notices readily available to consumers depending upon how the business is collecting information. For example, when a business collects information through a mobile app, the regulations suggest providing the notice on the app’s download page or settings menu.
Restriction on the Sale of Personal Information
The regulations provide that businesses may not sell any personal information they collect during any time they had not posted a notice of the right to opt-out, unless they obtain the consumer’s affirmative consent for the sale.
Handling Consumer Rights Requests
The regulations also clarify that the two-step process for online requests to delete personal information is optional, not mandatory. Under the two-step process, a business may require a consumer to first request deletion and then confirm the request in a separate communication. A prior draft version of the regulations had made this process a requirement for all requests for deletion. This change simplifies the process for businesses to honor consumers’ requests. The final draft of the regulations also states that a business may deny a consumer’s request if it cannot verify the consumer’s identity within a 45-day time period.
In responding to a consumer’s “request to know,” businesses are not required to search for personal information if all of the following requirements are met: 1) the business does not maintain the personal information in a searchable or reasonably accessible format; 2) the business maintains the information for legal or compliance purposes; 3) the business does not sell the personal information or use it for commercial purposes; and 4) the business describes to the consumer the categories of records that may contain personal information that it did not search pursuant to this provision of the regulations.
Under the final regulations, a company that provides services to an entity that is not a “business” under the CCPA may still qualify as a service provider under the CCPA. This helps clarify the scope of the CCPA’s applicability to entities that provide services to nonprofits that are not “businesses” under the CCPA. Similarly, the regulations make clear that a service provider that collects personal information about or directly from consumers at the direction of a business may also qualify as a service provider under the CCPA.
Finally, the regulations now require businesses to implement and maintain reasonable security procedures and practices to protect the records that the CCPA requires them to maintain about personal information. This modification ensures businesses understand their obligation to securely maintain these required records, which is especially important in light of the CCPA’s requirement that the records be maintained for at least 24 months. The regulations also authorize businesses to use those records “as reasonably necessary for the business to review and modify its processes for compliance with the CCPA and its regulations.”
While it is not yet clear whether OAL will approve the final proposed regulations in time for the July 1 enforcement date mandated by the CCPA, any businesses waiting for the final version of the regulations to update their CCPA compliance programs should proceed with those updates now. There are numerous changes since the initial draft regulations were issued in October including the ones discussed above, so businesses should carefully review the CCPA statutory text and the final proposed regulations as they update their CCPA compliance programs before the July 1 enforcement date.
Saul Ewing Arnstein & Lehr’s lawyers are available to assist with any questions you may have regarding issues raised in this alert. For further information, please contact the authors of this alert, the Saul Ewing Arnstein & Lehr lawyer with whom you usually work, or any of the leaders of the Firm’s Cybersecurity and Privacy Practice.