On June 1, 2020, the California Attorney General submitted the final proposed California Consumer Privacy Act (CCPA) regulations to the California Office of Administrative Law (OAL) for review. According to the Attorney General’s submission, OAL has thirty working days to review the regulations for procedural compliance under the Administrative Procedure Act, plus an additional sixty calendar days under the Governor’s Executive Order N-40-20 related to the COVID-19 pandemic. As these are the last steps in the process of finalizing the CCPA regulations, businesses need to take necessary measures regarding compliance with the law and regulations.
Background of California Consumer Privacy Act
The CCPA, or the California Consumer Privacy Act of 2018, is a law designed to protect the data privacy rights of California residents. The core problem the CCPA addresses is that most consumers do not realize their personal information is being shared with or sold to others. The law requires companies to tell consumers more about what is done with their data and gives consumers more control over data sharing. It also ensures that consumers have the chance to opt out of having their information used in ways they do not approve of.
With some exceptions, the CCPA applies to any for-profit business that does business in the state of California, collects (or determines the means and purposes of processing) personal information of California residents, and meets any one of the following thresholds:
- has annual gross revenues in excess of $25 million,
- receives or discloses the personal information of 50,000 or more California residents, households, or devices on an annual basis; or
- derives 50 percent or more of its annual revenues from selling California residents’ personal information.
Final CCPA Regulations Review
The long-awaited CCPA regulations are the result of months of public hearings and more than 1,000 public comments. The final CCPA regulations consist of forty-two sections, divided into seven articles that provide detailed guidance on what businesses need to do in order to comply with the CCPA, including:
- Notice to Consumers;
- Business Practices for Handling Consumer Requests;
- Verification of Requests;
- Special Rules Regarding Minors; and
The proposed regulations set forth procedures and address certain compliance issues for businesses covered under the CCPA, including some new obligations that were not in the statute. Here are some specific areas of importance:
Notice at Collection Requirements
CCPA-covered businesses are required to provide notices when they collect information from consumers. Additionally, the final CCPA regulations require businesses to provide a just-in-time notice when they collect personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect.
Opt-in Consent Requirement
All covered businesses have to give consumers the right to opt out of the sale of their personal information. Consumers who have opted out may later choose to opt back in to the sale of their information. For those consumers, the final CCPA regulations require businesses to use a two-step process that separately confirms their choice to opt in after having opted out.
Calculating the Value of Consumer PI
The final CCPA regulations provide eight different methods for calculating the value of a consumer’s personal information (PI) to the business. They clarify that, for purposes of calculating the value of the consumer’s PI, a business may consider the value of data from all natural persons in the United States rather than limiting itself to the value of data from California residents.
Preventing CCPA Non-Compliance
In its Initial Statement of Reasons, the Attorney General stated that the office rejected the creation of a safe harbor exemption from the CCPA for businesses that are compliant with the EU General Data Protection Regulation (GDPR). The reason for this is that the CCPA and GDPR have different requirements, different definitions, and different scopes.
Businesses that violate the CCPA can be subject to civil enforcement actions by the Attorney General (AG). After receiving a notice of non-compliance and a 30-day opportunity to cure it, businesses that fail to do so can be subject to a civil penalty ranging from $2,500 for each unintentional violation to $7,500 for each intentional violation. Furthermore, the CCPA is not restricted to a particular industry, type of data, or use of data. Therefore, it is critical that companies pay attention to the CCPA regulations and make efforts to mitigate any compliance risks.
With the CCPA’s enforcement date in sight, businesses need to understand the impact of this law and identify the steps necessary to come into compliance. There are numerous changes compared to the initial CCPA regulations, and businesses should carefully review the CCPA statutory text and the final proposed regulations as they adjust their CCPA compliance programs. In addition to updating privacy policies, businesses need to reconsider how they collect, retain, use, and share personal information. While meeting CCPA compliance requirements can be difficult, integrating proper programs and technologies can simplify the process of data discovery, security, and classification. As a result, companies can keep pace with the evolving regulatory landscape and avoid the penalties that CCPA non-compliance can bring.

Use a secure electronic platform to simplify your compliance efforts and ensure the maximum security of your employees’, customers’, and company’s data.