Lights, Camera, Action! - California Attorney General Releases Proposed Final CCPA Regulations
Effective Date of Regulations Still to Be Determined
There has been no lack of drama with the California Consumer Privacy Act (CCPA) - from its introduction and swift passage by the state legislature in 2018 to the California Privacy Rights Act, a new ballot initiative that would expand the provisions of the CCPA. One of the highly anticipated plot lines in this ongoing drama has been whether final regulations would be in place as of the July 1, 2020 enforcement date of the CCPA. The Office of the California AG (OAG) has consistently indicated that this enforcement date would not be extended, but the rule-making process seemed to have stalled. This plot line is finally taking shape, but not without more drama.
Debut of Proposed Final Regulations
On June 1, 2020, the OAG finally submitted the proposed final version of the CCPA regulations to the California Office of Administrative Law (OAL). OAL has 30 working days, plus an additional 60 calendar days under the state’s new Executive Order N-40-20 related to the COVID-19 pandemic, to review the regulations for procedural compliance with the state’s Administrative Procedure Act. Since the statute mandates that regulations be in place as of July 1, 2020, the OAG petitioned the OAL for an expedited review of the regulations to permit the regulations to be submitted to the California Secretary of State (CSS) prior to July 1. The regulations would become effective upon submission to the CSS.
The proposed final CCPA regulations include a number of requirements not in the statute, so these requirements will need to be reviewed by OAL. The OAL currently has a backlog of over 60 regulations under review. If a fast track review by OAL is not possible and the CCPA regulations are not finalized by July 1, but are finalized by August 31, the regulations would take effect on October 1.
The “as yet to be determined” effective date of the CCPA regulations does not change the over-arching story line. Enforcement of the statutory requirements under the CCPA will begin on July 1, 2020, even if the regulations are not in place as of that date, unless the governor or state legislature makes a special cameo appearance to delay the July 1 enforcement date.
Director’s Cut Commentary
As in the movies, we now have bonus footage, formal commentary from the OAG. The OAG also published a Statement of Reasons (SOR) on July 1, which addresses the comments received by the OAG during the formal rule-making process and provides insight on certain positions taken by the OAG in the final regulations.
Memorizing the Script
The final regulations provide guidance on certain key requirements under the CCPA, including the following:
- Definitions (Article 1);
- Consumer Notice Requirements (Article 2);
- Business Practices for Handling Consumer Rights Requests (Article 3);
- Requirements for Verification of Consumers or Agents Making Rights Requests (Article 4);
- Special Rules Regarding Minors (Article 5); and
- Non-discrimination Practices (Article 6).
The regulations do not answer all of the questions raised by the industry. They do not include guidance on the design of a standard “do not sell” opt-out button, determining whether certain data transfers are considered “sales” under the CCPA’s broad definition of this term, or how to treat third-party cookies.
The 29 pages of final regulations and 59 pages of SOR are required reading for those charged with implementing and maintaining compliance with the requirements of the CCPA in their businesses. Some of the guidance outlined in the proposed final regulations is highlighted below:
Section 999.304 of the proposed final regulations provides a “roadmap” for businesses subject to the CCPA, outlining the number and type of notices that must be provided to consumers and the conditions under which each is required:
- Notice at Time of Collection - A business that collects personal information (PI) from a consumer must provide a notice at or before the point of collection that describes the categories of PI to be collected from consumers and the purposes for which the PI will be used by the business.
- Notice of Right to Opt-out of Sale of PI - A business that sells PI must provide a notice to consumers permitting them to opt out or request that the business not sell or stop selling their PI.
- Notice of Financial Incentives - A business that offers financial incentives or price or service differences related to the collection, retention, or sale of PI must provide a notice to consumers that explains the material terms of a financial incentive or price or service difference offered by the business so that the consumer may make an informed decision on whether to participate.
Responses to Consumer Rights Requests
Section 999.313 of the proposed final regulations provides guidance on how to respond to requests to know or requests to delete data submitted by consumers. Businesses should begin reviewing their existing template consumer response forms to determine whether revisions will be needed to add the specific disclosures required under the proposed final regulations. For example, if the proposed final regulations are approved, businesses will need to ensure that when they comply with a consumer’s request to delete data, the business informs the consumer that it will maintain a record of the consumer’s request as required by the CCPA.
For businesses that are subject to the CCPA but have not yet rolled out the CCPA red carpet, it is time to refocus on the script and begin implementing a CCPA compliance program. For those businesses with Oscar-worthy programs, it is time to review the final regulations and SOR to determine if any changes to your current program will be needed to comply with this new guidance.
The statutory requirements have been in place for some time and were effective as of January 1, 2020. The July 1 enforcement date is only a few weeks away. A notice of noncompliance received from the OAG on or after that date is not an invitation to audition your CCPA compliance program. A notice of noncompliance is a demand that you prove to the OAG that your business has a formal, robust, responsive, and adequately resourced CCPA compliance program in place - and has had that program in place since January 1. There is no easy “exit stage left” option once you receive a notice of noncompliance. Is your CCPA compliance program ready for that regulatory spotlight or still in dress rehearsals?