Legislative Updates

Final CCPA Regulations


Emptech's founder, Jeff Aleixo


Jeffrey Aleixo

CCPa regulations

On June 1, 2020, the California Attorney General submitted the final proposed California Consumer Privacy Act (CCPA) regulations to the California Office of Administrative Law (OAL) for review. According to the Attorney General’s submission, OAL has thirty working days to review the regulations for procedural compliance under the Administrative Procedure Act, plus an additional sixty calendar days under the Governor’s Executive Order N-40-20 related to the COVID-19 pandemic. As these are the last steps in the process of finalizing the CCPA regulations, businesses need to take necessary measures regarding compliance with the law and regulations.

Background of California Consumer Privacy Act

The CCPA, or the California Consumer Privacy Act of 2018, is a law designed to protect the data privacy rights of citizens living in California. The real issue that the CCPA addresses is that most consumers do not realize that their personal information is being shared or sold to others. This law forces companies to provide more information to consumers about what is done with their data and gives them more control over data sharing. It also ensures that consumers are given the chance to opt-out of having their information used in a way that they disapprove of.

With some exceptions, the CCPA applies to any for-profit business that does business in the state of California, collects, or determines the means and purposes of processing personal information of California residents, and meets any one of the following requirements:

  • has annual gross revenues in excess of $25 million,
  • receives or discloses the personal information of 50,000 or more California residents, households, or devices on an annual basis; or
  • derives 50 percent or more of their annual revenues from selling California residents’ personal information.

Final CCPA Regulations Review

The long-awaited CCPA regulations result from months of public hearings and more than 1,000 public comments. Final CCPA regulations consist of forty-two sections, divided into seven articles that provide detailed guidance on what businesses need do in order to comply with the CCPA, including:

  • Notice to Consumers;
  • Business Practices for Handling Consumer Requests;
  • Verification of Requests;
  • Special Rules Regarding Minors; and
  • Non-Discrimination.

The proposed regulations set forth procedures and address certain compliance issues for businesses covered under the CCPA, including some new obligations that were not in the statute. Here are some specific areas of importance:

Privacy Policy

According to the final CCPA, every business has to provide a privacy policy in accordance with the guidelines. A business’s privacy policy should provide consumers with a description of the online and offline practices regarding the collection, use, disclosure, and sale of PI, and of the rights of consumers regarding their PI. The privacy policy should also identify the categories of sources from which the PI is collected.

Notice at Collection Requirements

CCPA covered businesses are required to provide notices when they collect information from consumers. Additionally, final CCPA regulations require businesses to provide a just-in-time notice in case they collect personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect.

Opt-in Consent Requirement

All businesses have to give consumers the right to opt-out of the sale of their personal information. Consumers may later choose to opt-in to the sale of their information. For those consumers, final CCPA regulations require businesses to use a two-step process to separately confirm their choice to opt-in after opting out.

Calculating the Value of Consumer PI

Final CCPA regulations provide eight different methods for calculating the value of a consumer’s personal information (PI) to the business. They clarify that for purposes of calculating the value of the consumer’s PI, a business may consider the value of data from all natural persons in the United States rather than limit itself to the value of data from California residents.

Preventing CCPA Non-Compliance

In its Initial Statement of Reasons, the Attorney General stated that the office rejected the creation of a safe harbor exemption from the CCPA for businesses that are compliant with the EU General Data Protection Regulation (GDPR). The reason for this is that the CCPA and GDPR have different requirements, different definitions, and different scopes

Businesses that violate the CCPA can be subject to civil enforcement actions by the AG. After receiving a notice of non-compliance and a 30-day opportunity to cure it, if they fail to do so, businesses can be subject to a civil penalty ranging from $2,500 for each unintentional violation to $7,500 for each intentional violation. Furthermore, the CCPA is not restricted to a particular industry, type, or use of data. Therefore, it is critical that companies pay attention to CCPA regulations and make efforts to mitigate any compliance risks.

With CCPA’s enforcement date in sight, businesses need to understand the impacts of this law and identify the steps necessary to come into compliance. There are numerous changes compared to initial CCPA regulations, and businesses should carefully review the CCPA statutory text and the final proposed regulations as they adjust their CCPA compliance programs. In addition to updating privacy policies, businesses need to reconsider how they collect, retain, use, and share personal information. While meeting CCPA compliance requirements can be difficult to achieve, integrating proper programs and technologies can simplify the process of data discovery, security, and classification. As a result, companies can adhere to the evolving regulatory landscape, and prevent potential penalties caused by CCPA non-compliance.

Use a secure electronic platform to simplify your compliance efforts and ensure the maximum security of your employees, customers, and your company’s data.

The information contained within this document is general in nature and is not intended and should not be construed as legal, HR, or opinion by Emtpech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document. We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, retransmitted, or otherwise redistributed in any form or by any means, including, but not limited to photocopying, electronic, facsimile transmission, or using any other information storage and retrieval system.