Enforcement of the California Consumer Protection Act (CCPA), which went into effect on January 1, 2020, officially started on July 1st. But instead of feeling prepared, many companies are still grappling with how this legislation will impact their operations. In fact, the CCPA has been widely regarded as “unfinished business” since its expedited passage in 2018. On June 2, the California Attorney General (CAG) released the final regulations, along with a “Final Statement of Reasons,” an 89-page document offering a window into the Attorney General’s thinking with respect to why certain regulations were edited from their previous versions. When these resources are read in conjunction with the original legislation, a clearer picture of the CCPA and its impact on businesses emerges. The key takeaways from the CAG’s latest guidance are: (b) Submitting requests to know: the regs clarify that a business operating exclusively online which has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for consumer submissions of requests to know. (e) Confirming receipt of consumer requests: in the case of requests to know or delete, a business must confirm receipt of the request within 10 business days and provide information about how the business will process the request, including its verification process and expected response time. With the release of the final regs and final statement of reasons, businesses are now better able to complete CCPA-related compliance work, including: If you have questions or need assistance with this work, please contact Stephan Grynwajc at [email protected] or 347-543-3035, or another member of the firm’s privacy team listed below. Stephan Grynwajc (NY team) served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape. Mark Johnson (Washington D.C. team) has over 20 years of experience advising clients on data privacy regulations and public policy, and is a former member of the Data Privacy practice group at the international law firm, Squire Patton Boggs in Washington D.C. Bill Porter (CA team) has over 20 years of legal experience advising emerging technology companies on a range of corporate and transaction matters, including privacy compliance issues. Lakshmi Sarma Ramani (Washington D.C. team) has over 20 years of experience advising clients on a range of global legal and compliance matters, including cross-border privacy issues. She led global technology and privacy efforts, including GDPR and children’s privacy matters, while General Counsel at NAEYC; served as the lead global attorney for technology and privacy matters at The Nature Conservancy; and handled freedom of information and privacy issues while at the PA Department of Revenue.
In addition to a CCPA-compliant privacy policy, organizations must publish a “notice at collection”, which must be readily available for the consumer at or before the point at which the business collects the personal information.
The notice at collection must provide (a) a list of the categories of personal information to be collected from the consumer, written in a way that enables the consumer to understand what is being collected; (b) the business or commercial purpose(s) for which the categories of personal information will be used; (c) if the business sells personal information, a link titled “Do Not Sell My Personal Information”; and (d) a link to relevant provisions of the business’s privacy policy or to any CCPA-specific addendum to such policy.
When personal information is collected through a mobile application, a business may provide a link to the notice at collection on the mobile app’s download page andwithin the application, such as through the application’s settings menu. However, when personal information is collected on a mobile device for a purpose that the consumer would not reasonably expect, the regs require the business to provide a “just-in-time” notice, such as through a pop-up window when the application opens, containing a summary of the categories of personal information being collected and a link to the full notice at collection.
For businesses engaged in the sale of personal information, the regs require a notice of the right to opt-out separate from the notice at collection, as well as a separate web opt-out mechanism. Furthermore, with respect to any personal information collected prior to January 1, 2020 (in other words, before a notice of right to opt-out was offered), the regs prohibit the sale of such information unless the business obtains the affirmative consent of the consumer.
The final regs emphasize the importance of ensuring that the privacy policy is designed and presented in a clear and “easy-to-read” format, including on smaller screens. The policy must be reasonably accessible to consumers with disabilities, as well as available in a format that allows a consumer to print out the privacy policy as a document. Further, for privacy policies posted on an app, a link to the website policy will not be sufficient. The privacy policy must appear on the download or landing page of the app. However, the app may include a link to the privacy policy in the application’s settings menu, for example, in the “About” or “Information” tab before downloading the application.
The regs address several aspects relating to consumer requests.
(a) Verifying consumer requests: the regs require the privacy policy to describe the process the business will use to verify the consumer request, including any information the consumer must provide.
(c) Submitting requests to delete: businesses must provide consumers with 2 or more designated methods for submitting requests to delete, including a link or online form, an email address, or forms for either in-person or mail submissions. The regs do allow businesses to use a 2-step process for online requests, where the consumer must first submit the request and then second, separately confirm that they want the personal information deleted.
(d) Treatment of deficient submissions: if a consumer submits a request using a method other than one of the designated methods of submission, or if the request is deficient in some manner unrelated to the verification process, the business is expected to either treat the request as if it had been submitted in accordance with the business’s designated manner, or provide the consumer with information on how to submit the request or remedy any deficiencies with the request, if applicable.
(f) Responding to consumer requests: the business shall respond to a request to know or delete within 45 calendar days, beginning on the day that the business receives the request, regardless of the time required to verify the request.
(g) Handling requests to delete: When the business complies with the request, it must inform the consumer that it will maintain a record of the request for at least 24 months to comply with its record-keeping obligations under the regs. However, if the request to delete is denied, the business must do all of the following: (i) inform the consumer that it will not comply with their request, and describe the basis for the denial, (ii) delete the consumer’s personal information that is not subject to the exception under the CCPA; and (iii) not use the consumer’s personal information retained for any other purpose than provided for by that exception.
When a business receives a consumer’s request to opt-out of the sale of personal information, it must comply as soon as possible, but no later than 15 business days from the date of receipt.
The CAG covers others aspects of the CCPA, including what qualifies as an “authorized agent,” what is included in the definition of “household,” and the provision of notices relating to financial incentives, authorized agents, minors, and non-discrimination.
Mabell Aguilar (CA team) has over 25 years of experience advising clients on key business priorities, including privacy compliance matters. As GC at Singularity University, she handled the company’s global GDPR compliance effort; today, she supports her clients in designing “right-sized” compliance models and supporting their implementation efforts.
This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances not an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.