On June 1, just one month before the California Attorney General may begin enforcing violations of the California Consumer Privacy Act ("CCPA"), the California Attorney General's Office finally submitted final regulations to the California Office of Administrative Law ("OAL"). Most anticipated that July 1 would also be the date that the final regulations would become effective. However, given the late submission of the final regulations, they could become effective anytime between July and Oct. 1, leaving businesses struggling to prioritize compliance while dealing with the ramifications of the pandemic.  

Traditionally, the OAL has 30 working days to review the rulemaking record. However, in light of COVID-19, California Gov. Gavin Newsom issued Executive Order N-40-20, which extends that deadline by 60 calendar days. Regulations then generally become effective on one of four quarterly dates, the next of which would be Oct. 1. Therefore, assuming that the OAL approves and files the regulations with the California Secretary of State (SOS), the regulations would be scheduled to go into effect Oct. 1. 

Further complicating matters, the attorney general's final regulations submission package included a "Written Justification for Earlier Effective Date and Request for Expedited Review," requesting that the OAL complete its review within 30 business days and make the regulations effective upon their filing with the SOS. Although the OAL is not required to grant that request, it means that the final regulations could go into effect anytime between July and Oct. 1, 2020, with little to no notice.

Faced with this uncertain timeline, businesses subject to the CCPA must determine how quickly to drive compliance with the final CCPA regulations. That decision is, of course, more difficult for businesses that have been forced to furlough or fire employees who have relevant knowledge and responsibility for CCPA compliance. It also is more difficult for businesses that have been forced to reduce their outside counsel and vendor spend due to pandemic-related budget shortfalls.

Worse yet, the Attorney General's Office has shown little to no sympathy for these challenges. In responding to requests to delay enforcement of the CCPA, the office stated that it "considered and determined that delaying the implementation of [the] regulations is not more effective in carrying out the purpose and intent of the CCPA." The office explained that the modified rules were released Feb. 10 and revised March 11, such that "businesses have been aware that these requirements could be imposed as part of the OAG's regulations." The attorney general's position disregards the fact that the office repeatedly and significantly modified the regulations, thereby creating a moving target for compliance. Further, the office stated that "to the extent that the regulations require incremental compliance, the OAG may exercise prosecutorial discretion if warranted, depending on the particular facts at issue. Prosecutorial discretion permits the OAG to choose which entities to prosecute, whether to prosecute, and when to prosecute."

Ultimately, each business will need to evaluate its own circumstances to determine a reasonable timeline for ensuring compliance. Businesses that are subject to the CCPA but have not taken any compliance steps should strongly consider complying by July 1, the CCPA enforcement deadline. This is true particularly in light of the attorney general's prior public statements that his office will be assessing CCPA compliance for the period since the statute became effective (Jan. 1).

Businesses that already drove compliance with the attorney general's initial proposed regulations issued in October 2019 could theoretically take more time to update their policies and procedures. That is because the last modifications to the regulations reduced the level of detail required for online privacy policy disclosures. However, that decision will likely depend on the business's risk tolerance as well as whether the business diligently followed the requirements in the initial proposed regulations or took a makeshift approach to compliance.

Businesses also should keep in mind that the attorney general's office made substantial and significant changes to the regulations from the initial draft issued in October 2019 to the final regulations issued in early June. Consequently, the issue is not whether businesses will need to update their policies and procedures but, rather, how quickly they must do so in light of the uncertain time frame for when the final regulations will go into effect.

Businesses will need to implement a number of policies and procedures to comply with the CCPA. As a starting point, businesses will need to update their online privacy policies to disclose the information required by the CCPA and the final regulations. Section 999.308 of the final regulations prescribes many items that must be disclosed, including a description of the rights provided by the CCPA, the categories of personal information collected about consumers in the preceding 12 months, the categories of sources from which the personal information was collected, and the business or commercial purposes for the collection. How a business presents this information in its privacy policy is a business decision.

In the summary and response to comments accompanying the final regulations, the Attorney General's Office rejected a request to "harmonize and align the CCPA's requirements with existing privacy laws" such as the California Online Privacy Protection Act and GDPR. Rather, the office stated that "the regulations leave flexibility for businesses to determine how to present the required information, including whether to draft a generally applicable privacy policy that incorporates the requirements of the CCPA and the regulations as well as those of other laws."

Further, a GDPR-compliant program does not result in a CCPA-compliant program. The Final Statement of Reasons explains that the office considered and rejected a limited exemption for GDPR-compliant firms "because of key differences between the GDPR and CCPA, especially in terms of how personal information is defined and the consumer's right to opt-out of the sale of personal information (which is not required in the GDPR)." Consequently, businesses that are subject to GDPR will need to take additional measures to comply with the CCPA.

In addition to having a CCPA-compliant privacy policy, businesses will need to implement notices at or before the collection of personal information. Those notices, which need to be both online and offline as applicable, must identify the personal information to be collected and the purposes for which it will be used. Importantly, the summary and response to comments accompanying the final regulations make clear that having a "Privacy Policy" link on a website is not enough to satisfy the notice at collection requirement. However, just as with the privacy policy disclosures, the office gives businesses discretion on how to accomplish the requirement. In responding to one comment pertaining to an online notice at collection, the office explained: "The provision does not require a cookie banner, but rather leaves it to businesses to determine the formats that will best achieve the result in particular environments."

Businesses with California employees also will need to provide a notice at collection for the collection and use of employee information. Although the September 2019 amendments to the CCPA created an employee information exemption, that exemption does not apply to the notice at collection requirement. The initial draft regulations issued in October 2019 did not provide guidance on providing an employee notice; however, the office subsequently amended section 999.305 to provide such guidance. Indeed, the comments to the final regulations confirm that the October 2019 draft regulations did not incorporate the September 2019 legislative amendments, including the new employee information and business-to-business information exemptions.

Businesses that "sell" personal information will also need to provide a notice of right to opt out of sales. The statute defines "sale" to mean the transfer of personal information for "monetary or other valuable consideration." The phrase "other valuable consideration" has been met with confusion because it is undefined and susceptible to multiple interpretations. Unfortunately, the final regulations do not provide any guidance on the definition. Rather, in response to a request to clarify the meaning, the Attorney General's Office instead stated that the "CCPA's use of the terms 'valuable' and 'consideration' are reasonably clear and should be understood by the plain meaning of those words."

On a positive note, the final regulations do not include an "opt-out button." The Attorney General's Office published a proposed opt-out button in its February draft regulations and withdrew that proposal in its March draft regulations after it was met with widespread criticism from privacy advocates. The attorney general's comments to the final regulations explain that the proposal was removed to provide the office with more time to develop the button.

Businesses also will need to provide methods for California residents to submit CCPA requests and implement verification procedures for requests to know and delete. Businesses must provide at least two methods for submitting those requests, including providing a toll-free telephone number for requests to know (unless the business operates exclusively online). Businesses that sell personal information must provide an online interactive form for submitting such requests and a link entitled "Do Not Sell My Personal Information" or "Do Not Sell My Info" on their website or mobile application.

Finally, businesses that transfer personal information to other entities will need to amend or implement data sharing agreements to the extent that they want the other entities to be considered service providers under the CCPA. In that regard, the initial draft regulations stated that service providers could only use personal information they collect for the purpose of providing the services and to detect data security incidents or protect against fraudulent or illegal activity. In comparison, the final regulations significantly expand the permissible uses, including allowing service providers to retain and employ subcontractors, use the personal information for certain internal uses, and use it to comply with federal and state law.

Further, the Final Statement of Reasons states that a service provider's violation of a service provider agreement is not only a breach of contract with the business but also is a violation of the CCPA enforceable by the Attorney General's Office. Specifically, the office states that the "modification to this subsection also clarifies that a service provider's breach of these requirements is a violation of the CCPA and these regulations and thus enforceable by the OAG. This is necessary to ensure that service providers comply with these restrictions set forth in their service-provider contracts even if the business does not enforce those restrictions."

In the end, the attorney general's delay in submitting final regulations has created a difficult situation for businesses trying to drive compliance with the CCPA. That situation has been made even more difficult given the attorney general's request for an expedited review and immediate effective date, which leaves uncertainty as to when the final regulations will become effective. However, careful planning now can avoid serious headaches later. Businesses should evaluate their current compliance stance and create a plan for complying with the final regulations based on that stance, the available resources, and their risk tolerance.

David M. Stauss is a partner at Husch Blackwell and co-leader of the firm's privacy and data security practice group. He regularly assists clients in preparing for and responding to data security incidents, including managing multistate breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union's General Data Protection Regulation, the California Consumer Privacy Act of 2018 and state information security statutes. He can be reached at [email protected].

Malia Rogers is an associate in Husch Blackwell's Denver office and advises clients of all sizes and across industries on data privacy and security compliance. She leverages her prior professional experience in digital marketing to develop and implement privacy programs compliant with emerging and differing privacy frameworks, including the European Union's General Data Protection Regulation and the California Consumer Privacy Act.