New Required CCPA Reading
Final CCPA Regulations were Approved and Effective on August 14, 2020
School may not be back in session in your area yet, but there is some new required reading for businesses subject to the California Consumer Privacy Act (CCPA). On Friday, August 14, 2020, the California Attorney General Xavier Becerra (AG) released final regulations governing compliance with the CCPA, as approved by the California Office of Administrative Law (OAL). The regulations were filed with the California Secretary of State on that same date and became effective immediately. The AG did not provide a grace period for compliance with these new regulatory requirements.
In a news release published with the final regulations, the AG advised that the regulations establish procedures for compliance and exercise of rights and clarify important transparency and accountability mechanisms for businesses subject to the CCPA. To borrow a phrase from the sports world, the regulations provide “color commentary” on the requirements of the CCPA.
The AG also noted that “[w]ith these rules finalized, California breaks ground and leads the nation to protect and advance data privacy. These rules guide consumers and businesses alike on how to implement the California Consumer Privacy Act. As we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security.”
The proposed final regulations were submitted to the OAL for review on June 1, 2020. The AG asked the OAL for an expedited review so the regulations could be in place by the July 1, 2020 enforcement date of the CCPA. Although the regulations were not in place by that date, the AG could still enforce the requirements of the statute as of that date and the AG sent notices of noncompliance, the first step in the enforcement processes, to a number of businesses in July 2020. With the final regulations in place, the AG may now also enforce these new regulatory requirements.
In its notice of approval, the OAL indicated that it had withdrawn certain provisions from the proposed final regulations for additional consideration and made other non-substantive changes for accuracy, consistency, and clarity. The provisions that were withdrawn would have:
- Required businesses to obtain express consent from consumers before using previously collected personal information for any purposes materially different than those disclosed when the business collected the information;
- Required businesses substantially interacting with consumers offline to provide notice of the right to opt-out of the sale of personal information via an offline method;
- Established minimum standards for submitting requests to opt-out to businesses; and
- Provided businesses with the ability to deny certain requests from authorized agents.
Business should note that the OAL’s revisions also removed all references to the “Do Not Sell My Info” link. This means that businesses will need to describe their opt-out link using the statutory title, “Do Not Sell My Personal Information.”
The CCPA has traveled a long and winding road. The CCPA was signed into law on June 28, 2018 and was further amended on September 23, 2019 and on October 11, 2019. The law went into effect on January 1, 2020 with an enforcement start date of July 1, 2020. After multiple public forums and comment periods, the CCPA regulations were effective on August 14, 2020.
Businesses subject to the CCPA should carefully review the final regulations and implement any changes to their existing CCPA compliance programs, as needed to comply with the new regulatory requirements. Businesses that have been waiting on implementing a CCPA compliance program until this last piece of the puzzle was in place can no longer use the “wait and see” excuse. The “wait and see” recess is over. The formula to remember is: Law + Regulations = Full Compliance Textbook.