On July 1, 2020, the California Attorney General will begin enforcement of the California Consumer Privacy Act (“CCPA”), despite any state governmental delays caused by the COVID-19 pandemic. The CCPA, which creates new data rights for California residents around the use of their personal information, is the strictest privacy law in the nation.
Key Exceptions to Applicability:
- Small businesses generating less than $25 million in gross annual revenue are exempt.
- Non-profit companies are exempt.
- Personal information collected from a person who is a job applicant, employee, owner, officer, or contractor of a business is generally exempt until January 1, 2021.
The office of California Attorney General Xavier Becerra recently issued final regulations implementing the CCPA. Because of some steps required by California administrative law, the regulations themselves are unlikely to take effect on July 1, although General Becerra has requested expedited review of the regulations by the California Office of Administrative Law (OAL). Nevertheless, Mr. Becerra announced that he will begin enforcing the statute itself on July 1. Therefore, to the extent that the regulations clarify gray areas under the law, those regulations probably will not take effect when the statute itself does. Of course, the regulations do indicate the AG’s expectations as to how businesses should comply with the law.
The final regulations are substantively identical to the modified draft regulations of March 27, 2020, with some exceptions. Among the requirements now included in the final regulations are:
- Do Not Sell Notice: A business that sells consumers’ personal information must post a conspicuous “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on its website homepage or mobile app landing page allowing consumers to opt out. However, the final regulations do not include a previous proposal to specify the precise look of that notice.
- Responding to Consumer Requests: California consumers may submit to businesses requests to know how their information is used and requests to delete their personal information. A business must confirm receipt of the request within 10 business days and respond within 45 calendar days (with a possible 45-calendar-day extension, with notice and an explanation of the reason for delay). If a business that sells personal information denies a request to delete, and the consumer has not already made a request to opt out, the business must ask the consumer whether they would like to opt out of the sale of their personal information and include a link to, or details on, the right to opt out. The final regulations provide additional details about this requirement.
- Sale of Data to Service Providers: The CCPA exempts sharing of personal information by a business with a service provider from the definition of “sale” of personal information but significantly limits how a service provider may use shared personal information. Under the final regulations, a “Service provider” may “process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA….” The final regulations therefore severely restrict how a service provider may use personal information provided by a business. Service providers are strongly advised to consult with a lawyer to understand these limitations.
- Consumer Verification: Requests to know “specific pieces of personal information” made by consumers without a password-protected account must be verified to a “reasonably high degree of certainty.” This requires matching at least 3 pieces of personal information provided by the consumer with personal information maintained by the business. Verification could include requiring a signed declaration from the consumer under penalty of perjury. Signed declarations must be maintained as part of a business’s record-keeping obligations.
- Requests to Delete: The final regulations provide much-needed detail regarding when and how a business must comply with a consumer’s request to delete the personal information held by the business about that consumer.
Separately, advocates have filed more than 900,000 signatures to have a privacy referendum (called the “California Privacy Rights Act”) placed on the November 2020 ballot. The proposed referendum would both establish additional privacy requirements and make them more difficult for a future legislature to modify. If the state verifies the existence of a sufficient number of authentic signatures, the measure will go on the ballot.