5 Takeaways from California’s ‘Final’ CCPA Regulations
Last month—more than two years after the California Consumer Rights Act was signed into law by Governor Gerald Brown, Jr.—California’s Office of the Attorney General published the final regulations implementing the CCPA.
Although the final regulations provide much-needed guidance and clarification to businesses and privacy professionals, no one should make the mistake of getting too comfortable just yet: California voters will have the opportunity to propel the State into more groundbreaking privacy territory on November 3, 2020, when they will vote to approve the California Privacy Rights Act of 2020.
What’s new and what’s next for California? Here are five takeaways from the CCPA final regulations, and a quick look at what’s on the horizon.
1 • Now we know for sure: The $25 million does not have to be generated in California
For two years, practitioners have debated whether a business is subject to the CCPA if it does business in California, collects personal information, determines what to do with it, and has gross revenues of more than $25 million but only a fraction of that revenue is generated from California consumers (yep, we are super fun at cocktail parties!).
The OAG has made it clear that the CCPA is not limited to revenues generated in California or from California residents.
2 • Privacy Policies must contain a description of consumers’ rights—even the ones that don’t apply
In the last round of comments leading up to the final regulations, a number of commenters asked the OAG to clarify that a business should not be required to inform consumers about their right to delete information if all of the personal information held by the business was exempt from the requirement to delete upon request.
3 • The final regulations alleviate some business burdens
From a business compliance perspective, there is some good news:
- Businesses that operate exclusively online and that have a direct relationship with the consumers from whom they collect information are no longer required to provide a toll-free telephone number for submitting consumer requests to know, delete, and opt out. These businesses are required to provide only an email address for requests to know and delete.
- Businesses are still required to acknowledge receipt of consumer requests within 10 days, but they may acknowledge a request in the same manner in which it was received. In other words, businesses can automate their acknowledgment process so that the acknowledgment is sent instantaneously upon receipt of the consumer’s request.
- Businesses that delete consumer information are no longer required to tell consumers how their information was deleted.
- In certain circumstances, businesses are not even required to search for personal information in response to a request to know. This subsection was added to relieve businesses of the search burden where all four of the following conditions are met: the business maintains the information in an unstructured or unsearchable form; the information is maintained solely for legal or compliance purposes; the business does not sell the information or use it for any commercial purpose; and the business describes to the consumer the categories of records that may contain personal information that it did not search because it meets these conditions.
4 • The CCPA final regulations finally define “accessible”
Earlier versions of the CCPA regulations required that CCPA Notices and Privacy Policies be “reasonably accessible to persons with disabilities.” The final version explains that, for notices and privacy policies published online, businesses are required to follow generally recognized industry standards, such as the Web Content Accessibility Guidelines (WCAG) version 2.1.
5 • Service providers’ use of personal information is limited to, well, providing services
Although the CCPA allows businesses to transfer personal information to “service providers” without the transfer being a “sale” of the personal information, it was a little vague on what service providers could do with the personal information once they got it. The final regulations now expressly prohibit service providers from retaining, using, or disclosing personal information obtained in the course of acting as a “service provider,” except as necessary to provide services in compliance with their written contract and in four other limited circumstances.
What’s next, California?
On November 3, 2020, California voters will get the chance to vote on the California Privacy Rights Act of 2020, a new privacy law that is similar to the CCPA but with some add-ons (think of it as “CCPA 2.0”). Among other things, the CPRA would create a new regulatory entity with a $10 million budget (the “California Privacy Protection Agency”) to replace the attorney general’s office as the regulator enforcing the CPRA. The CPRA also would grant consumers additional rights, would require businesses to enter into contracts with all entities to which the business discloses personal information, and would eliminate the CCPA’s current 30-day “cure” period.
And in good news for businesses, the CPRA would extend the CCPA’s employee and business-to-business limitations to January 1, 2023. Current polling shows that the CPRA is enjoying a 90% approval rating among California voters. (By the way, the employee and B2B exemptions enjoy widespread support. On September 2, 2020, the California legislature voted to extend the current employee and B2B exemptions to January 1, 2022, even if the CPRA is not approved by voters (AB 1281). Governor Gavin Newsom has until September 30, 2020 to sign AB 1281 into law.)