On August 14, 2020, the final version of the regulations for the California Consumer Privacy Act (“CCPA”) was issued by the California Attorney General (“AG”). See here.
The final regulations are intended to clarify areas of confusion in the statute itself and to aid the AG’s Office in its enforcement efforts. For most aspects of the CCPA, there is no private right of action for consumers to sue if their rights under the CCPA have been violated. Rather, the AG’s Office is empowered to enforce compliance and punish violations. Enforcement of the CCPA began on July 1, 2020, and these final regulations are effective immediately. See here for Revision Legal’s discussion of previous drafts of the CCPA regulations.
The final regulations include a few last-minute changes. Some changes were minor. For example, section 999.305(a) was changed to disallow a shorthand wording for consumers’ right to opt out. The draft regulations allowed a shorthand “Do Not Sell My Info.” Now a more complete statement is required: “Do Not Sell My Personal Information.”
However, some changes and omissions were significant and will be welcomed by businesses trying to comply with the CCPA. One major change relates to how consumers are able to demand to know what information has been collected and to demand deletion of information. In general, the CCPA allows consumers to contact a business directly, but also allows for “authorized agents” to request to know and delete information. Previous drafts of the CCPA regulations were somewhat cumbersome and vague with respect to the process. Businesses were allowed to deny requests from “authorized agents” if the agent did not “submit proof” that they were duly authorized. The final regulations have simplified this procedure. Now, businesses are allowed to deny a request from an agent if the agent cannot provide a “signed permission” from the consumer. See Section 999.315(g).
The final regulations also avoided adding some provisions that caused concern among businesses. The original draft regulations were issued in October 2019, and then a substantially modified draft was issued in February 2020. See here.
One major item that was added in February related to notices and consents needed for the collection of personal information. In general, the statutory provisions require that a business that collects, sells, and/or transfers personal information must notify consumers of the “business purpose” for which the information is being collected and sold/transferred. An example of a “business purpose” might be “to complete the consumer’s transaction” or “to ensure quality control.” In addition to providing notice, consent is required from the consumer.
Under proposed regulations published in February 2020, any NEW business purpose for which the information would be used required new notices to be sent to consumers and required that new consents be obtained. See former section 999.305(a)(5). These new notices and new consents were to be required if the new purpose was “materially different” from the business purpose(s) that were initially disclosed.
These proposed regulations were omitted in the final draft. See Final Regulations, section 999.305(a)(5). This is good news for businesses since this removes a potentially large administrative burden and litigation risk. This may also have been deemed “good” for enforcement purposes since defining and proving a “materially different” business purpose might have consumed excessive enforcement resources. In practice, however, businesses will likely continue disclosing very broad and all-encompassing business purposes at the point of collection.
Another February 2020 proposal that was omitted from the final version related to “offline notices.” “Offline notices” and consents are required by the CCPA for businesses that “substantially interact” with consumers at physical locations. The draft regulations required that customers be given paper versions of notices and consents, including as a method of “opting-out” of having their information shared. Signage might also have been acceptable. See proposed section 999.306(b)(2). The final regulations omitted these provisions.
However, this area of CCPA compliance remains murky. The statute and other provisions in the final regulations make it clear that “offline” notices and consents are required. But it is unclear exactly when and exactly how these notices and consents are to be delivered, confirmed, and tracked. Physical retailers who collect significant consumer personal information must tread carefully. See sections 999.305(b)(3) and 999.312(c).
In a similar vein, the final version of the regulations omitted some controversial rules with respect to the online methods offered by businesses for consumers to opt-out of having their information collected. In the February 2020 draft regulations, businesses were required to offer methods that were “easy for consumers to execute” and that required “minimal steps to allow the consumer to opt-out.” Further, the opt-out methods could not have had a “substantial effect of subverting or impairing a consumer’s decision to opt-out.” See former section 999.315(c).
These proposed regulations were not included in the final regulations. Instead, section 999.315(c) now mandates that businesses must allow user-controlled and user-installed global privacy software, such as an app or add-on or plug-in, to constitute or “signal” opt-out choices. This is another “win” for businesses in the final regulations.
While the CCPA remains an important milestone on the road to protecting the privacy and personal information of consumers and employees, as can be seen, many aspects of the compliance regime remain unsettled and in flux. In the near future, we, here at Revision Legal, expect significant enforcement decisions from the California AG’s Office and a significant amount of enforcement litigation. Businesses, the AG’s Office and the courts will need to resolve the nuances of CCPA compliance. We do not expect that the process will be easy or quick.