California Finalizes CCPA Regulations, Which Are Effective Immediately
On Friday, August 14, 2020, the long-awaited California Consumer Privacy Act (CCPA) Final Regulations were finally approved by the State and became effective immediately. The rules went through multiple iterations, with the California Attorney General’s (AG) office releasing several drafts before submitting the Proposed Final Regulations to the Office of Administrative Law (OAL) in June. During OAL’s final review, the rules were even further amended, as we discuss below.
The CCPA has been in effect since January 1, 2020, with AG enforcement already beginning July 1, 2020. With this update, covered businesses must now comply with the AG’s Final Regulations, which as we have detailed, add new requirements and complexities. There is no grace period for enforcement.
There Were Several Noteworthy Changes to the Final Regulations
The Final Regulations approved by OAL are—for the most part—the same as what the AG proposed in June. But businesses subject to the CCPA should take note: changes were made between the AG’s Proposed Final Regulations and the actual Final Regulations. Certain provisions of the regulations were withdrawn for additional consideration and other changes were made, including changes intended to be “non-substantive changes for accuracy, consistency, and clarity,” according to the Addendum to the Final Statement of Reasons (FSOR Addendum). Of note:
Do Not Sell My Personal Information. The statute requires any business that “sells” personal information—as that term is broadly construed—to “[p]rovide a clear and conspicuous link on the business’s Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.” The AG’s Proposed Final Regulations had contemplated that businesses could provide a link titled either “Do Not Sell My Personal Information” or “Do Not Sell My Info.” However, as explained in the FSOR Addendum, in the Final Regulations approved by OAL, “[t]he words ‘or “Do Not Sell My Info”’ have been deleted throughout the regulations to align with the express language of the statute.”
Withdrawn Provisions. Several provisions were withdrawn during OAL review. The FSOR Addendum makes clear in each instance that the AG “may resubmit [these sections] after further review and possible revision,” but for now, these provisions are not part of the Final Regulations. The withdrawn provisions are:
- Under the Notice at Collection rules, the provision which would have held that “[a] business shall not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection” and that would have required direct notification and explicit consent for such a materially different use.
- Under the Notice of the Right to Opt-Out rules, the provision dealing with businesses that substantially interact with consumers offline.
- In the Requests to Opt-Out rules, the provision that: “A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.”
- In the Authorized Agent rules, the provision that: “A business may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.”
Definitions. Several edits were made to the definitions. Of note, the definition of financial incentive—which is important given the complex notice requirements associated with financial incentives—was changed “to align with the express language of the statute.”
The Final Regulations are effective immediately and fair game for AG enforcement, which began July 1, 2020. Our team has helped entities of all sizes from across various sectors parse through complicated CCPA issues—from determining whether the CCPA applies to developing compliance programs. If your organization has questions about the newly effective Final Regulations or the CCPA in general, do not hesitate to reach out.