On August 14, 2020, California Attorney General (AG) Xavier Becerra announced that the Office of Administrative Law approved the AG’s proposed California Consumer Privacy Act (CCPA) regulations and filed them with the Secretary of State. The final CCPA regulations take effect immediately. This concludes a lengthy period of uncertainty for companies that have invested significant resources to understand their obligations under the statute, which went into effect January 1, 2020, with the AG able to start enforcement as of July 1, 2020.
What to Know About The CCPA
As detailed in the Addendum to Final Statement of Reasons, the final regulations differ slightly from the version proposed by the AG in June. The AG withdrew certain provisions for additional consideration, such as the requirement that a business that substantially interacts with a consumer offline provide an offline method for providing the Notice of the Right to Opt-Out, while noting that the AG may resubmit these provisions after further review and possible revision. Other withdrawn provisions include: (1) the prohibition against using a consumer’s personal information for a materially different purpose than those included in the notice at collection, unless the business directly notifies the consumer of the new use and obtains explicit consent; (2) the requirement that the methods provided to exercise the right to opt out of “sales” of personal information be “easy for consumers to execute” and “require minimal steps”; and (3) the provision that allowed a business to deny a request from an authorized agent that has not submitted proof, although a business can still deny an opt-out request if the agent cannot provide the consumer’s signed permission.
The remaining revisions to the final regulations are “non-substantive” changes for accuracy, consistency, and clarity. While many of these changes appear to be inconsequential grammatical tweaks, at least one may have substantive implications: the final regulations remove the option to use “Do Not Sell My Info” for the link by which the Notice of the Right to Opt-Out is available. This revision forces businesses using this language in their links to change it to the statutorily prescribed “Do Not Sell My Personal Information” language, and cautions all businesses on the importance of adhering to the statutory requirements.
With the regulations now final, compliance will no longer be a “best guess” exercise but an ongoing obligation that will be impacted by enforcement activity, guidance, and changes to technology, business, and data practices. In the absence of an enforcement action, companies seeking guidance may consider looking to the AG’s resources, such as its comprehensive CCPA page, and statements, including its detailed responses to the public comments filed in the CCPA rulemaking process (available here, here, and here). It will also be important to keep an eye towards the future and monitor the outcome of the California Privacy Rights Act ballot initiative (dubbed “CCPA 2.0”), which, if passed in November, would have a significant impact on CCPA compliance.
Meet the Team
Goodwin's Chambers- and Legal 500-ranked Data, Privacy and Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients' data protection needs. One of the longest-standing practices of any Am Law 50 firm, our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. Our senior lawyers include a globally known, solution-oriented privacy practitioner and former Chief Privacy Officer of the U.S. Department of Homeland Security in the Obama administration; a Legal 500 “Leading Lawyer” and a “Next Generation Lawyer” in Cyber Law and Data Breach Response, as well as four other Legal 500 Cyber Law ranked partners, several former federal prosecutors, and multiple FTC, GDPR, CCPA, HIPAA, GLBA, and COPPA experts. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed practical solutions and strategic privacy, information security, and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general, and regulators across the globe.