California Attorney General Releases Final Text of CCPA Regulations, Starting the Clock for Companies to Come into Compliance
On Monday, June 2, 2020, the California Attorney General (AG) released the final text of the proposed regulations to implement the California Consumer Privacy Act (CCPA). The AG’s regulations are not yet final; they still must clear one final administrative step with the State’s Office of Administrative Law. While the timing of when these rules will go into effect remains to be determined, it could still be as early as July (which is also when AG enforcement can begin). In any case, companies will have a relatively short time to come into compliance with these regulations, and while the CCPA has been in effect since January 1, the regulations add new requirements that may not be easy to quickly implement.
Below we provide an overview of the upcoming process and the new requirements contained in the regulations.
The Timing for the Regulations to Become Effective Is Still Up in the Air, but Could Be As Early As July.
The CCPA went into effect on January 1. The AG’s office first released draft regulations in October 2019 and issued two rounds of subsequent proposed revisions; the office did not finalize the text of the proposed regulations until June 2. The AG submitted the rules for final approval by California’s Office of Administrative Law (OAL), which has 30 working days to review, with an additional 60 calendar days during the coronavirus (COVID-19) pandemic. AG enforcement can begin on July 1, notwithstanding the challenges of complying given the pandemic. While these moving parts and various deadlines are complex, one thing is clear: even if final administrative approval extends beyond July 1, given the current announcement of the final regulations, companies can expect scrutiny shortly after the regulations go into effect.
What Do the Regulations Do?
The regulations add 29 pages of specific requirements on top of the already complex and sometimes confusing statute, and the AG’s filing with the OAL provides another 59 pages of explanation. Almost all aspects of the law, including notice requirements, responses to consumer requests, verification requirements, and non-discrimination rules, are subject to additional detail. Here are some specific areas of importance:
- Consumer requests around IP information. Many companies do not associate IP address information with individual users or subscribers. The AG’s office previously proposed explicitly exempting IP address information in this circumstance from “personal information,” but subsequent revisions – and the final version – omit that clarification. This leaves some degree of uncertainty for many companies about how to respond to consumer requests.
- Detailed notice requirements. A range of companies have already instituted notices that comply with the original draft of the regulations, but others have waited to see what the final regulations require. The final regulations retain most of the separate notice requirements proposed in previous regulations. Of particular note, the final regulation retains heightened recordkeeping and notice requirements for companies that handle the personal information of a large number of consumers, including disclosure about denied consumer requests.
- Complex non-discrimination provisions. In general, a business cannot offer a financial incentive or price or service difference when a consumer exercises a CCPA right, unless it is reasonably related to the value of the consumer’s data. The latest provisions provide some additional examples of when this non-discrimination provision does or does not apply, but application remains tricky for companies that provide some incentive or benefit to customers for their business (such as rewards programs or contest promotions). Additionally, the provisions for calculating the value of a consumer’s data remain unclear as a practical matter.
With Attorney General enforcement about to become a reality, companies must now quickly digest the latest regulations – and where the law remains ambiguous, mitigate compliance risk.
Wiley’s Privacy, Cyber, and Data Governance practice helps clients navigate complex privacy and data governance compliance and enforcement matters, involving the CCPA and other federal, state, and international laws. Please reach out to any of the authors for further assistance.