California Attorney General Releases Final CCPA Regulations, With Enforcement Imminent
Privacy in Focus®
On June 2, the California Attorney General (AG) released the final text of the proposed regulations to implement the California Consumer Privacy Act (CCPA). The regulations are not yet final, as they still must clear one final administrative step. While the timing of when these rules will go into effect remains to be determined, it could still be as early as July – which is also when AG enforcement can begin.
In any case, companies will have a relatively short time to come into compliance with these regulations, and while the CCPA has been in effect since January 1, the regulations add new requirements that may not be easy to quickly implement. Below we provide an overview of the regulatory process and highlight key new requirements from the regulations.
The regulations are the culmination of a complex process.
The CCPA itself has never been a particularly clear statute, for reasons rooted in its legislative history. In late 2017 through mid-2018, a group of Californians amassed enough signatures to get a comprehensive state privacy law – the Consumer Right to Privacy Act (CRPA) – on the ballot through the state’s ballot initiative process. The potential passage of the CRPA – which contained a private right of action and other provisions that were heavily opposed by industry stakeholders – led to a legislative deal with the CRPA’s proponents. The legislature agreed to pass a comprehensive privacy law, and, in exchange, the ballot initiative proponents agreed to withdraw the CRPA. As a result, the governor signed the CCPA into law on June 28, 2018, following a legislative blitz.
Passage of the CCPA in June 2018 was just the beginning – not the end – of the process to stand up the new California privacy regime. After widespread criticism of the statute’s substantive provisions, haphazard drafting, enforcement timeline, and more, the legislature amended the CCPA in September 2018 and again in October 2019. In a strange sequence of events, the CCPA became “operative” on January 1, 2020, although the AG was given until July 1, 2020 – six months after the operative date – to promulgate regulations to explain how businesses should comply with the law. Adding more complexity still, the statute barred enforcement until the earlier of July 1, 2020, or six months after the publication of final regulations by the AG.
The process of developing the AG’s regulations – like the legislative process before it – has been convoluted. Draft versions of the AG regulations have provided a moving target for compliance efforts. Prior to releasing the final text of the regulations on June 2, the AG released draft regulations in October 2019 and issued two rounds of subsequent proposed revisions after significant public feedback.
The AG has now submitted the rules for final approval by California’s Office of Administrative Law (OAL), which has 30 working days to review, with an additional 60 calendar days due to the coronavirus (COVID-19) pandemic. Thus, it is unclear when the rules will actually become effective.
In any event, the July 1 enforcement date is now on the near horizon. The AG has made clear that despite the ongoing COVID-19 pandemic and the last-minute finalization of the CCPA regulations, the office will not delay enforcement past July 1. Additionally, the AG’s office has indicated that its enforcement actions will be retrospective, looking back at conduct starting on the January 1 operative date.
The regulations provide some additional clarity, but ambiguity remains.
The regulations add 29 pages of specific requirements on top of the already complex and sometimes confusing statute, and the AG’s filing with the OAL provides another 59 pages of explanation. Almost all aspects of the law, including notice requirements, responses to consumer requests, verification requirements, and nondiscrimination rules, are subject to additional detail. Here are some specific areas of importance:
- Consumer requests around IP information. Many companies do not associate IP address information with individual users or subscribers. The AG’s office previously proposed explicitly exempting IP address information in this circumstance from “personal information,” but subsequent revisions – and the final version – omit that clarification. This leaves some degree of uncertainty for many companies about how to respond to consumer requests.
- Detailed notice requirements. A range of companies have already instituted notices that comply with the original draft of the regulations, but others have waited to see what the final regulations require. The final regulations retain most of the separate notice requirements proposed in previous regulations. Of particular note, the final regulation retains heightened recordkeeping and notice requirements for companies that handle the personal information of a large number of consumers, including disclosures about denied consumer requests.
- Complex nondiscrimination and financial incentive provisions. In general, a business cannot offer a financial incentive or price or service difference when a consumer exercises a CCPA right, unless it is reasonably related to the value of the consumer’s data. The latest provisions provide some additional examples of when this nondiscrimination provision does or does not apply, but application remains tricky for companies that provide some incentive or benefit to customers for their business (such as rewards programs or contest promotions). Additionally, the regulations require calculations of the value of a consumer’s data in certain circumstances, but the implementation of those provisions remains unclear as a practical matter.
With Attorney General enforcement about to become a reality, companies must now quickly digest the latest regulations – and, where the law remains ambiguous, mitigate compliance risk.
Wiley’s Privacy, Cyber & Data Governance Practice helps clients navigate complex privacy and data governance compliance and enforcement matters involving the CCPA and other federal, state, and international laws. Please reach out to any of the authors for further assistance.
© 2020 Wiley Rein LLP