With slightly less than one month before the July 1, 2020 enforcement date of the California Consumer Privacy Act (“CCPA”), California's Attorney General announced on June 2, 2020 that he had submitted the proposed final regulations to the California Office of Administrative Law (“OAL”). In order to have a chance for the regulations to be finalized before the date that the CCPA will be enforced, Attorney General Xavier Becerra requested an expedited review from the OAL. The OAL will have thirty 30 working days and 60 additional calendar days to review the regulations to confirm that they comply with California's Administrative Procedure Act. In the Attorney General's press release, he reiterated that his office is committed to enforcing the CCPA as of July 1, 2020. The Attorney General's final Statement of Reasons further clarify his office's understanding of the relationship between the regulations and the statute.
Effective Date Not Set
The regulations' effective date remains uncertain. Given that the regulations are to be filed by the OAL between June 1 and August 31, the regulations would typically become effective on October 1, 2020. However, as mentioned above, the Attorney General requested an expedited regulatory review, asking the OAL to complete its review within 30 days. The Attorney General, in an effort to align the regulations' effective date with the statutory enforcement date, also asks that the regulations become effective upon filing with the Secretary of State—presumably before October 1.
There were not significant changes from the most recent draft of the regulations, but there are still many uncertainties remaining in the final draft. For example:
- The regulations do not fulfill the statute's requirement that the Attorney General promulgate exceptions relating to trade secrets and other intellectual property rights. Many organizations, however, will continue to consider trade secret protection when determining what personal information must be disclosed in response to access requests. Although for now, those organizations can rely on applicable state and federal law definitions of trade secrets outside of the CCPA, the Attorney General may choose to act on the statutory requirement in future amendments, undermining practices based on trade secrets law.
- In the first round of revisions to the regulations, the Attorney General clarified that IP addresses are not personal information under the CCPA if the business collecting the IP address does not and cannot reasonably link the IP address to a particular consumer or household. However, the second set of revisions and final version of the regulations did not contain that guidance, leaving uncertain if the Attorney General considers IP addresses to be so directly identifying that IP addresses qualify as personal information even if not otherwise linkable to a particular consumer.
- The regulations allow service providers to build or improve their services, unless such service improvement does not include building consumer profiles. The regulations do not define, and the Statement of Reasons does not further clarify, what activities qualify as profile building. The Statement of Reasons, however, reiterates that service providers may not use personal information acquired from or on behalf of one business to provide services to another business—i.e., for commercial purposes.
- Under the regulations, businesses that do not collect personal information directly from consumers must nonetheless deliver a notice at the point of collection. However, a business need not deliver the notice if the business either does not sell personal information or registers as a data broker with the Attorney General. A business registers under the data broker registration statute if it sells personal information of California residents with whom it has no “direct relationship”. Therefore, businesses (not specifically excepted by the data broker registration statute) which “sell” personal information that need not register as data brokers but must deliver notices at the point of collection are those that have a direct relationship with the consumer, but do not collect the personal information directly, posing new frontiers of uncertainty for CCPA metaphysicians. More pragmatically, the Attorney General might choose to treat a notice of indirect collection as a possible admission of violation of the data broker registration statute.
Requirements for Businesses
Now that we have what the Attorney General considers to be final regulations, it's time for companies do one last look at their compliance strategies to confirm that they are ready for the July 1st enforcement date of the CCPA. For those companies that are considered to be “businesses” under the CCPA, they should ensure that they have done the following:
- Added a “Do Not Sell My Personal Information” button to their website if required by the CCPA.
- Entered into agreements or addenda with their service providers to ensure that transfers of California personal information to such service providers are not considered to be a “sale” under the CCPA.
- Deliver a notice at the point collection for both online and offline collection of personal information.
- Document standards for verifying the identity of consumers exercising rights requests.
- Maintain records of rights requests under the CCPA and a business's response to such requests for 24 months after the request date.
- Updated its employment applications and employee policies to include the notices required by the CCPA.
Requirements for Service Providers
For those companies that are considered to be “service providers” under the CCPA, they should ensure that they have done the following:
- Ensure that disclosures of California personal information are made only to other service providers or under other exceptions to the CCPA's definition of “sale”.
- Review whether the service provider's use of personal information comports with uses permitted by the CCPA.
- Establish whether the service provider will respond to access or deletion requests from consumers or whether the service provider will pass along such requests to its business customers. The CCPA permits either response.
- Clarify with respect to what personal information it operates as a business, such as for the organization's own marketing, and to what information the organization operates as a service provider.
Once you confirm that you're adequately prepared for the CCPA, take a small breath and start to prepare for the California Privacy Rights Act (“CPRA”), which could be approved by California voters in November 2020.