California Attorney General (AG) Xavier Becerra has issued a brief advisory that (i) highlights consumers’ basic rights under the CCPA; (ii) reminds companies of the CCPA’s threshold triggers for “businesses”; and, importantly, (iii) describes the new registration requirement for businesses that qualify as “data brokers.” The advisory does not, however, provide insight into the status of the proposed regulations, nor does it offer additional guidance on how businesses can comply with the CCPA. The advisory is intended in part to make California residents aware of their rights, but businesses may find it to be a useful reminder of the statute’s core obligations and scope.
What to Know About the CCPA Advisory
Specifically, the advisory highlights consumers’ right to know, delete, and opt out of sales of their personal information, as well as their right to sue for damages for data breaches. The advisory also notes that not all companies doing business in California are subject to the CCPA; rather, only those meeting certain statutory thresholds are considered a “business” with direct legal obligations. (See our previous alerts here and here for more detailed information.)
The advisory also provides that businesses handling personal information of more than four million California residents will have additional record-keeping obligations. The AG’s inclusion of this requirement in the advisory, which is not found in the statute but was introduced in the proposed regulations, indicates the AG’s commitment to record-keeping and that a record-keeping requirement may be retained in the final regulations that will ultimately be promulgated.
Although technically not a feature of the CCPA, the advisory also addresses a new requirement, established in A.B. 1202, that data brokers register with the AG. A.B. 1202 broadly defines a “data broker” as a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The law does not define what it means to have a “direct relationship,” but the AG could construe the term to include any business that collects personal information from sources other than consumers themselves for purposes of commercializing the information.
Data brokers must pay a fee and register with the AG, which will publish the registry on its website, and provide their name and primary physical, email, and internet website addresses, as well as “[a]ny additional information or explanation the data broker chooses to provide concerning its data collection practices.”
In addition to the foregoing statutory requirements, the AG’s registration form requires data brokers to provide information about how a consumer may opt out of sale or submit other CCPA rights requests, as well as how a “protected individual” can demand deletion of certain information posted online regarding elected officials or domestic violence survivors. Together, the required responses seem intended to help effectuate the CCPA’s goal of providing consumers with actionable transparency regarding downstream uses of their data. While the additional required responses in the data broker registration form may facilitate data brokers’ compliance with their obligation to offer consumers an opt out of the sale of their personal information, the additional responses again demonstrate the AG’s apparent willingness to go beyond the statute to achieve policy objectives through available tools.
Companies who may be subject to the CCPA should monitor developments, including being on the look out for additional advisories by the AG.
The CCPA took effect January 1, 2020.