CCPA: California Attorney General Announces Final Implementing Regulations Effective Immediately

On August 14, 2020, California Attorney General Xavier Becerra (the “California AG”) announced that the regulations implementing the California Consumer Privacy Act (the “Act” or the “CCPA”) had been approved by the state’s Office of Administrative Law (“OAL”), with the regulations going into effect immediately. While the CCPA itself has been in effect for some time, the regulations are what effectively provide businesses with a blueprint on how to be deemed CCPA compliant.

The long-awaited announcement comes more than 10 months after the initial implementing regulations were proposed on October 10, 2019, seven months after the CCPA first went into effect on January 1, 2020, and six weeks after the California AG’s office began enforcing the CCPA on July 1, 2020. After three rounds of draft regulations and public comment over the past year, businesses can finally refine their CCPA compliance programs based on more definitive regulatory guidance from the California AG.  Businesses should ensure familiarity with the regulations and their myriad technical requirements, since, as the California AG’s recent flurry of enforcement makes clear – even minor infractions may not go unnoticed by the state as it embarks on its first season of CCPA enforcement.

In a nutshell: the CCPA and the final regulations

The CCPA, as discussed in prior publications,[1] is often compared to the comprehensive General Data Protection Regulation (“GDPR”), in that it applies extraterritorially and gives consumers both the right to know what type of consumer personal information businesses collect about them and the right to request that such data be deleted. But while the CCPA guarantees consumers protective rights, the Act’s accompanying implementing regulations are what establish the specific procedures businesses must comply with in order to be CCPA compliant. Under the regulations, businesses must, among other things:

  • Provide notice of collection of personal information. Under Section 999.305, the regulations require businesses to provide “timely notice” of collection, and to disclose to consumers the purposes for which personal information will be used. This notice must be provided online, in-store and on mobile applications, and it must be updated as the business’s collection practices change.
  • Publish detailed privacy policy disclosures. Section 999.308 requires businesses to provide consumers with a comprehensive description of their online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information, in a way that is easy to read and understandable.
  • Provide notice of right to opt-out of sale of personal information. Section 999.306 requires businesses to provide easy to read and understandable notice of consumers’ right to opt-out of a business’s sale of their personal information. Where the relevant business activities are conducted via a website or mobile application, the regulations require that the notice be posted on the website homepage or the download or landing page of the mobile app, and that it conspicuously reads “Do Not Sell My Personal Information.” 
  • Adjust methods for accepting and responding to consumer requests. Under Section 999.313, businesses are required to implement specific processes and mechanisms for accepting and responding to consumer requests to know what information is collected about them or to delete information that is collected about them. These processes are intended to prevent the disclosure of sensitive personal information (such as account logins and passwords, government ID numbers and/or biometric information).
A long time coming

While the CCPA was signed into law on June 28, 2018, the road to implementation of the final regulations was one that saw two rounds of statutory amendments (in September 2018 and October 2019) and the issuance of draft regulations, which were modified in February and March 2020, before finally being submitted for OAL review on June 1, 2020.

The regulations – which went into effect immediately upon OAL’s approval on August 14, 2020 – were the product of both preliminary and formal rulemaking processes, involving four public hearings throughout California and an extended period for public comment. By the end of the comment periods, OAL had received over 1,000 public comments.

OAL weighs in

The approved regulations are largely consistent with those submitted to OAL in June, with certain noteworthy deletions that tend to favor businesses. Still, owing to the robust protections provided to consumers throughout the CCPA framework, it is unlikely that the deletions of the below provisions will significantly weaken the Act’s consumer privacy protections in the long term:

  • Opt-in consent for new use: Section 999.305(a)(5)

This provision would have prohibited a business from using a consumer’s personal information for a materially different purpose than disclosed in the notice of collection unless it obtained explicit consent from the consumer - what could have been an onerous requirement for businesses. Businesses, however, must still comply with the CCPA’s prohibition on “us[ing] personal information collected for additional purposes without providing the consumer with notice.”[2] And while this CCPA provision does not require express or opt-in consent, the US Federal Trade Commission (“FTC”) has interpreted a federal ban on unfair and deceptive trade practices to require businesses to obtain “opt-in consent” before using information in a materially different manner than stated in the business’s privacy policy when the information was collected.[3]

  • Offline notice of opt-out rights: Section 999.306(b)(2)

This provision would have required a business that substantially interacts with consumers offline to provide a notice to the consumer by an offline method. Even without this requirement, offline businesses covered by the CCPA must still provide consumers notice when their personal information is collected - whether collected online or offline.

  • “Easy” process for opting out: Section 999.315(c)

This provision would have required that a business’s method for submitting requests to opt out be “easy” for consumers, entailing minimal steps. It also would have prohibited a business from using “a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.” While imposing these restrictions to have an “easy” opt-out process may well have resulted in more consumer opt-outs, the opt-out process is still regulated under Section 999.315(d), which requires businesses to offer consumers “a global option to opt-out of the sale of all personal information.”

  • Authorized agent requests and “proof”: Section 999.326(c)

This provision would have permitted a business to deny a request from an authorized agent where the agent did not submit proof that they were authorized to act on the consumer’s behalf. Even without this broader ability to deny such requests for insufficient proof, the regulations already permit businesses to deny a request from an authorized agent submitted without the consumer’s “signed permission” under Section 999.315(e).

The road ahead

Though the final regulations had not yet been approved by the OAL, the California AG was authorized to enforce the CCPA beginning July 1, 2020, and did not wait one day longer to do so. On July 1, the California AG sent initial notices of noncompliance with the CCPA to businesses across multiple sectors and industries. The notices – which largely focused on missing privacy notice disclosures and “do not sell my personal information” links – gave recipients 30 days to fix the deficiencies before facing possible fines or lawsuits.

While the final regulations shed more light on the California AG’s regulatory expectations about how businesses must comply with the CCPA, many questions raised during the public comment period remain unanswered, and state regulators exercise considerable discretion over how they interpret and enforce CCPA compliance going forward. Businesses should review and update their approach to CCPA compliance based on the final regulations and maintain a close watch on the California AG’s office as it begins to enforce the CCPA and its accompanying regulations. On the horizon, businesses face further uncertainty still with the introduction of the California Privacy Rights Act (“CPRA”)[4], which if passed would afford California residents even stricter privacy protections and establish more onerous compliance obligations for businesses.

For more information, reach out to one of our firm key contacts.

By Adam Lurie, Aviva Kushner and Caitlin Potratz Metcalf

[1]    California Passes Final 2019 Amendments to CCPA before it Becomes Law (September 2019), available here; The California Consumer Privacy Act: Is my business caught? (July 2019), available here; California – Update on the Latest Amendments to the CCPA (July 2019), available here; The Global Reach of the California Consumer Privacy Act – What to expect in 2020, Webinar (July 2019), available here.

[2]    Cal. Civ. Code § 1798.100(b).

[3]    See In the Matter of Gateway Learning Corp., Complaint (2004), available here (finding that Gateway Learning Corp. had violated the Federal Trade Commission Act where, without customers’ explicit consent, it provided age range and gender of consumers’ children for use by marketers in targeting parents, despite its Privacy Policy stating that it would “not sell, rent or loan any personally identifiable information regarding our consumers with any third party unless we receive a customer’s explicit consent”). 

[4]    For the full text of the CPRA, which will be voted on by California voters as a ballot initiative in November 2020, see here.