Cybersecurity Alert: California Consumer Privacy Act Finality on the Horizon
on June 12, 2020
The long-awaited California Consumer Privacy Act (CCPA) effective date is coming into view. On June 1, 2020, the California Attorney General (AG) submitted his final proposed rule to the Office of Administrative Law (OAL), which has ninety (90) days to approve the proposed regulations after verifying that the AG appropriately followed necessary administrative procedures, after a 60-day extension was made available because of COVID-19. However, the AG requested an expedited review in order to effectuate the rules on July 1, 2020. Once approved, they will be filed officially with the California Secretary of State and become law.
This final version of the CCPA is relatively unchanged from the latest draft published in March 2020. Here are some of the notable clarifications and changes included in this final version:
- Finalizes specific terms used in the CCPA and the regulations that could have multiple meanings depending on their context and use, including the definition of “personal information”, to align with other privacy laws such as GDPR.
- Clarifies the notices that businesses must give to consumers, including details on when and how businesses must provide:
  - a notice of collection;
  - a notice of right to opt-out of sales;
  - a notice of financial incentive; and
- Modifies the rules and procedures for businesses to accept and respond to consumers' requests to know and requests to delete.
- Clarifies who is a service provider, for what purposes a service provider may use personal information, and how service providers should respond to consumer requests.
- Provides guidance on opt-out methods and procedures, including:
  - easy opt-out request submission methods, with minimal steps for consumers;
  - user-enabled global privacy controls; and
  - businesses' obligation to notify third parties of consumer opt-out requests.
- Details when businesses may inform consumers who have opted out that they can reverse that request and opt in to sales of their personal information.
- Addresses public comments regarding operational concerns and burdens related to recordkeeping, training, and compiling metrics.
- Helps businesses distinguish and handle three types of household-related data requests, including those affecting:
  - non-password-protected accounts;
  - password-protected accounts; and
  - minors under 13.
- Prohibits businesses from charging consumers a fee to verify their requests to know and requests to delete.
- Clarifies requirements and provides examples regarding consumer request verification when consumers do not have a password-protected account with the business.
- Addresses how businesses may verify consumer authorization of an agent, including authorized agents' responsibilities and limitations.
- Better aligns with the CCPA and the Children's Online Privacy Protection Act (COPPA) for handling minors' personal information.
- Provides guidance on offering financial incentives, including:
  - supporting consumer transparency and control; and
  - calculating the value of consumer data to design and disclose non-discriminatory financial incentive offerings.
Since its inception, this law has arguably been one of the most prescriptive laws with respect to providing very specific guidance to businesses as to how to comply. Even after the public notice and comment period required by the Administrative Procedure Act, the law remains relatively so. If anything, that period emphasized the burden that would be placed on businesses in order to comply. Because the law is so prescriptive, most businesses need several months to assess and implement the required measures.
Most importantly, the criteria under which businesses are subject to the CCPA are unchanged. If your business handles personal information about California residents, processes that information, does business in California, and either has annual gross revenues in excess of $25 million, annually handles the personal information of at least 50,000 consumers, households or devices, or derives more than 50% of its annual revenue from selling personal information, your business is subject to the CCPA. This list sounds like it may not apply to many Midwest and East Coast businesses; however, be mindful that based on the definitions within the regulation, your business may meet this threshold by virtue of simply having a website that sees 50,000 California visitors per year. If you would like to discuss the CCPA’s applicability to your business, please contact us.
Brouse McDowell’s Cybersecurity and Data Privacy Practice Group can assist your business with an assessment of your internal policies, advise you as to your risk, and work with you to provide your business with tools to help you become secure and compliant. Contact us for more information.