Enforcement of the California Consumer Protection Act (CCPA), which went into effect on January 1, 2020, officially started on July 1st. But instead of feeling prepared, many companies are still grappling with how this legislation will impact their operations. In fact, the CCPA has been widely regarded as “unfinished business” since its expedited passage in 2018.
On June 2, the California Attorney General (CAG) released the final regulations, along with a “Final Statement of Reasons,” an 89-page document offering a window into the Attorney General’s thinking with respect to why certain regulations were edited from their previous versions. When these resources are read in conjunction with the original legislation, a clearer picture of the CCPA and its impact on businesses emerges.
The key takeaways from the CAG’s latest guidance are:
- Requirements for the “Notice at Collection”
- Mobile App Collections
When personal information is collected through a mobile application, a business may provide a link to the notice at collection on the mobile app's download page andwithin the application, such as through the application's settings menu. However, when personal information is collected on a mobile device for a purpose that the consumer would not reasonably expect, the regs require the business to provide a “just-in-time” notice, such as through a pop-up window when the application opens, containing a summary of the categories of personal information being collected and a link to the full notice at collection.
- Notice of Right to Opt-Out
For businesses engaged in the sale of personal information, the regs require a notice of the right to opt-out separate from the notice at collection, as well as a separate web opt-out mechanism. Furthermore, with respect to any personal information collected prior to January 1, 2020 (in other words, before a notice of right to opt-out was offered), the regs prohibit the sale of such information unless the business obtains the affirmative consent of the consumer.
- Consumer Requests to Know/Delete
The regs address several aspects relating to consumer requests.
(b) Submitting requests to know: the regs clarify that a business operating exclusively online which has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for consumer submissions of requests to know.
(c) Submitting requests to delete: businesses must provide consumers with 2 or more designated methods for submitting requests to delete, including a link or online form, an email address, or forms for either in-person or mail submissions. The regs do allow businesses to use a 2-step process for online requests, where the consumer must first submit the request and then second, separately confirm that they want the personal information deleted.
(d) Treatment of deficient submissions: if a consumer submits a request using a method other than one of the designated methods of submission, or if the request is deficient in some manner unrelated to the verification process, the business is expected to either treat the request as if it had been submitted in accordance with the business's designated manner, or provide the consumer with information on how to submit the request or remedy any deficiencies with the request, if applicable.
(e) Confirming receipt of consumer requests: in the case of requests to know or delete, a business must confirm receipt of the request within 10 business days and provide information about how the business will process the request, including its verification process and expected response time.
(f) Responding to consumer requests: the business shall respond to a request to know or delete within 45 calendar days, beginning on the day that the business receives the request, regardless of the time required to verify the request.
(g) Handling requests to delete: When the business complies with the request, it must inform the consumer that it will maintain a record of the request for at least 24 months to comply with its record-keeping obligations under the regs. However, if the request to delete is denied, the business must do all of the following: (i) inform the consumer that it will not comply with their request, and describe the basis for the denial, (ii) delete the consumer's personal information that is not subject to the exception under the CCPA; and (iii) not use the consumer's personal information retained for any other purpose than provided for by that exception.
- Consumer Requests to Opt-Out
When a business receives a consumer’s request to opt-out of the sale of personal information, it must comply as soon as possible, but no later than 15 business days from the date of receipt.
- Other clarifications
The CAG covers others aspects of the CCPA, including what qualifies as an “authorized agent,” what is included in the definition of “household,” and the provision of notices relating to financial incentives, authorized agents, minors, and non-discrimination.
With the release of the final regs and final statement of reasons, businesses are now better able to complete CCPA-related compliance work, including:
- a complete review of their privacy policies;
- "just in time" privacy notices; and
- internal policies and procedures to ensure alignment with the legislation.
If you have questions or need assistance with this work, please contact Stephan Grynwajc at email@example.com or 347-543-3035, or another member of the firm's privacy team listed below.
Stephan Grynwajc (NY team) served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape.
Mabell Aguilar (CA team) has over 25 years of experience advising clients on key business priorities, including privacy compliance matters. As GC at Singularity University, she handled the company’s global GDPR compliance effort; today, she supports her clients in designing "right-sized" compliance models and supporting their implementation efforts.
Mark Johnson (Washington D.C. team) has over 20 years of experience advising clients on data privacy regulations and public policy, and is a former member of the Data Privacy practice group at the international law firm, Squire Patton Boggs in Washington D.C.
Bill Porter (CA team) has over 20 years of legal experience advising emerging technology companies on a range of corporate and transaction matters, including privacy compliance issues.
Lakshmi Sarma Ramani (Washington D.C. team) has over 20 years of experience advising clients on a range of global legal and compliance matters, including cross-border privacy issues. She led global technology and privacy efforts, including GDPR and children’s privacy matters, while General Counsel at NAEYC; served as the lead global attorney for technology and privacy matters at The Nature Conservancy; and handled freedom of information and privacy issues while at the PA Department of Revenue.