California Attorney General Issues Final Proposed CCPA Regulations

On Monday, June 1, 2020, California Attorney General Becerra submitted the final text of proposed regulations for the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). This is the final step before the regulations go into effect. OAL has 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to review the package for procedural compliance with the Administrative Procedure Act. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law.

This is the result of an eight-month process, starting with the initial draft in October 2019, public hearings, two sets of modifications, and several public review and comment periods. Hundreds of comments were submitted during this process from a variety of industry stakeholders, government, private citizens, and public interest groups. The Attorney General provided with his submission a Statement of the Reasons explaining the basis for changes made to the first draft issued last October. The final draft is the same as the second set of modifications that were released in March 2020.

The Attorney General has requested expedited review, but the regulations will not likely become effective before July 1, 2020, which is when the Attorney General can begin to enforce the CCPA. This means that the Attorney General may not be able to cite to the regulations in his initial enforcement actions. Despite this temporary lack of clarity, businesses should update their policies, notices, and practices to ensure they are in compliance as soon as possible, since a violation of the law authorizes the Attorney General to seek civil penalties up to $7500 per violation. This is particularly important for policies that were drafted on the draft regulations issued in October 2019 since the final regulations contain some material differences.

The final regulations address the following topics:

• Definitions of certain key terms, such as “affirmative authorization,” “authorized agent,” “financial incentive,” “household,” “value of consumer data,” and “verify.”
• Requirements for notice at collection, notice of the right to opt-out of sale, notice of financial incentives, and privacy policy, including the content, format, accessibility, and method and location of providing the same.
• Business practices for handling consumer requests, including methods for submitting and responding to requests to know, requests to delete, and requests to opt-out, and guidance for service providers on responding to the same.
• Procedures for obtaining consent from minors to opt-in to the sale of personal information and for obtaining opt-in from a person that had previously opted-out.
• Training and record-keeping requirements for businesses with respect to consumer requests, including the requirement of special disclosures if a business sells or shares for commercial purposes the personal information of more than 10 million consumers in a calendar year.
• Procedures for verifying and responding to requests for household information.
• Procedures for verifying requests made by authorized agents.
• Procedures for verification of requests, including the different procedures for password-protected account holders and non-account holders.
• Procedures for offering financial incentives, including the requirement that such a financial incentive be reasonably related to the value of the consumer’s data. The regulations provide guidelines for how to calculate the value of that data and what disclosures need to be made.

For more information on the regulations, and CCPA compliance, please see our prior alerts and our CCPA toolkit.