Business Considerations for Complying With the Final CCPA Regulation
Faced with the uncertain timeline of the California Consumer Privacy Act, businesses subject to the CCPA must determine how quickly to drive compliance with the final CCPA regulations.
June 19, 2020 at 12:50 PM
The original version of this story was published on Corporate Counsel
On June 1, just one month before the California Attorney General may begin enforcing violations of the California Consumer Privacy Act ("CCPA"), the California Attorney General's Office finally submitted final regulations to the California Office of Administrative Law ("OAL"). Most anticipated that July 1 would also be the date that the final regulations would become effective. However, given the late submission of the final regulations, they could become effective anytime between July and Oct. 1, leaving businesses struggling to prioritize compliance while dealing with the ramifications of the pandemic.
Traditionally, the OAL has 30 working days to review the rulemaking record. However, in light of COVID-19, California Gov. Gavin Newsom issued Executive Order N-40-20, which extends that deadline by 60 calendar days. Regulations then generally become effective on one of four quarterly dates, the next of which would be Oct. 1. Therefore, assuming that the OAL approves and files the regulations with the California Secretary of State (SOS), the regulations would be scheduled to go into effect Oct. 1.
Further complicating matters, the attorney general's final regulations submission package included a "Written Justification for Earlier Effective Date and Request for Expedited Review," requesting that the OAL complete its review within 30 business days and make the regulations effective upon their filing with the SOS. Although the OAL is not required to grant that request, it means that the final regulations could go into effect anytime between July and October 1, 2020, and with little to no notice.
Faced with this uncertain timeline, businesses subject to the CCPA must determine how quickly to drive compliance with the final CCPA regulations. That decision is, of course, more difficult for businesses that have been forced to furlough or fire employees who have relevant knowledge and responsibility for CCPA compliance. It also is more difficult for businesses that have been forced to reduce their outside counsel and vendor spend due to pandemic-related budget shortfalls.
Worse yet, the Attorney General's Office has shown little to no sympathy for these challenges. In responding to requests to delay enforcement of the CCPA, the office stated that it "considered and determined that delaying the implementation of [the] regulations is not more effective in carrying out the purpose and intent of the CCPA." The office explained that the modified rules were released Feb. 10 and revised March 11, such that "businesses have been aware that these requirements could be imposed as part of the OAG's regulations." The attorney general's position disregards the fact that the office repeatedly and significantly modified the regulations, thereby creating a moving target for compliance. Further, the office stated that "to the extent that the regulations require incremental compliance, the OAG may exercise prosecutorial discretion if warranted, depending on the particular facts at issue. Prosecutorial discretion permits the OAG to choose which entities to prosecute, whether to prosecute, and when to prosecute."
Ultimately, each business will need to evaluate its own circumstance to determine a reasonable timeline for ensuring compliance. Businesses that are subject to the CCPA but have not taken any compliance steps should strongly consider complying by July 1, the CCPA enforcement deadline. This is true particularly in light of the attorney general's prior public statements that his office will be assessing CCPA compliance for the period since the statute became effective (Jan. 1).
Businesses that already drove compliance with the attorney general's initial proposed regulations issued in October 2019 could theoretically take more time to update their policies and procedures. That is because the last modifications to the regulations reduced the level of detail required for online privacy policy disclosures. However, that decision will likely depend on the business's risk tolerance, as well as on whether the business diligently followed the requirements in the initial proposed regulations or took a makeshift approach to compliance.
Businesses also should keep in mind that the attorney general's office made substantial and significant changes to the regulations from the initial draft issued in October 2019 to the final regulations issued in early June. Consequently, the issue is not whether businesses will need to update their policies and procedures but, rather, how quickly they must do so in light of the uncertain time frame for when the final regulations will go into effect.
Businesses will need to implement a number of policies and procedures to comply with the CCPA. As a starting point, businesses will need to update their online privacy policies to disclose the information required by the CCPA and the final regulations. Section 999.308 of the final regulations prescribes many items that must be disclosed, including a description of the rights provided by the CCPA, the categories of personal information collected about consumers in the preceding 12 months, the categories of sources from which the personal information was collected, and the business or commercial purposes for the collection. How a business presents this information in its privacy policy is a business decision.
In the summary and response to comments accompanying the final regulations, the Attorney General's Office rejected a request to "harmonize and align the CCPA's requirements with existing privacy laws" such as the California Online Privacy Protection Act and GDPR. Rather, the office stated that "the regulations leave flexibility for businesses to determine how to present the required information, including whether to draft a generally applicable privacy policy that incorporates the requirements of the CCPA and the regulations as well as those of other laws."
Further, a GDPR-compliant program does not result in a CCPA-compliant program. The Final Statement of Reasons explains that the office considered and rejected a limited exemption for GDPR-compliant firms "because of key differences between the GDPR and CCPA, especially in terms of how personal information is defined and the consumer's right to opt-out of the sale of personal information (which is not required in the GDPR)." Consequently, businesses that are subject to GDPR will need to take additional measures to comply with the CCPA.
In addition to having a CCPA-compliant privacy policy, businesses will need to implement notices at or before the collection of personal information. Those notices, which need to be both online and offline as applicable, must identify the personal information to be collected and the purposes for which it will be used. Importantly, the summary and response to comments accompanying the final regulations make clear that having a "Privacy Policy" link on a website is not enough to satisfy the notice at collection requirement. However, just as with the privacy policy disclosures, the office gives businesses discretion on how to accomplish the requirement. In responding to one comment pertaining to an online notice at collection, the office explained: "The provision does not require a cookie banner, but rather leaves it to businesses to determine the formats that will best achieve the result in particular environments."
Businesses with California employees also will need to provide a notice at collection for the collection and use of employee information. Although the September 2019 amendments to the CCPA created an employee information exemption, that exemption does not apply to the notice at collection requirement. The initial draft regulations issued in October 2019 did not provide guidance on providing an employee notice; however, the office subsequently amended section 999.305 to provide such guidance. Indeed, the comments to the final regulations confirm that the October 2019 draft regulations did not incorporate the September 2019 legislative amendments, including the new employee information and business-to-business information exemptions.
Businesses that "sell" personal information will also need to provide a notice of right to opt out of sales. The statute defines "sale" to mean the transfer of personal information for "monetary or other valuable consideration." The phrase "other valuable consideration" has been met with confusion because it is undefined and susceptible to multiple interpretations. Unfortunately, the final regulations do not provide any guidance on the definition. Rather, in response to a request to clarify the meaning, the Attorney General's Office stated that the "CCPA's use of the terms 'valuable' and 'consideration' are reasonably clear and should be understood by the plain meaning of those words."
On a positive note, the final regulations do not include an "opt-out button." The Attorney General's Office published a proposed opt-out button in its February draft regulations and withdrew that proposal in its March draft regulations after it was met with widespread criticism from privacy advocates. The attorney general's comments to the final regulations explain that the proposal was removed to provide the office with more time to develop the button.
Businesses also will need to provide methods for California residents to submit CCPA requests and implement verification procedures for requests to know and delete. Businesses must provide at least two methods for submitting those requests, including providing a toll-free telephone number for requests to know (unless the business operates exclusively online). Businesses that sell personal information must provide an online interactive form for submitting such requests and a link entitled "Do Not Sell My Personal Information" or "Do Not Sell My Info" on their website or mobile application.
Finally, businesses that transfer personal information to other entities will need to amend or implement data sharing agreements to the extent that they want the other entities to be considered service providers under the CCPA. In that regard, the initial draft regulations stated that service providers could only use personal information they collect for the purpose of providing the services and to detect data security incidents or protect against fraudulent or illegal activity. In comparison, the final regulations significantly expand the permissible uses, including allowing service providers to retain and employ subcontractors, use the personal information for certain internal uses, and use it to comply with federal and state law.
Further, the Final Statement of Reasons states that a service provider's violation of a service provider agreement is not only a breach of contract with the business but also is a violation of the CCPA enforceable by the Attorney General's Office. Specifically, the office states that the "modification to this subsection also clarifies that a service provider's breach of these requirements is a violation of the CCPA and these regulations and thus enforceable by the OAG. This is necessary to ensure that service providers comply with these restrictions set forth in their service-provider contracts even if the business does not enforce those restrictions."
In the end, the attorney general's delay in submitting final regulations has created a difficult situation for businesses trying to drive compliance with the CCPA. That situation has been made even more difficult given the attorney general's request for an expedited review and immediate effective date, which leaves uncertainty as to when the final regulations will become effective. However, careful planning now can avoid serious headaches later. Businesses should evaluate their current compliance stance and create a plan for complying with the final regulations based on that stance, the available resources, and their risk tolerance.
David M. Stauss is a partner at Husch Blackwell and co-leader of the firm's privacy and data security practice group. He regularly assists clients in preparing for and responding to data security incidents, including managing multistate breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union's General Data Protection Regulation, the California Consumer Privacy Act of 2018 and state information security statutes. He can be reached at [email protected].
Malia Rogers is an associate in Husch Blackwell's Denver office and advises clients of all sizes and across industries on data privacy and security compliance. She leverages her prior professional experience in digital marketing to develop and implement privacy programs compliant with emerging and differing privacy frameworks, including the European Union's General Data Protection Regulation and the California Consumer Privacy Act.