Last week, the California Attorney General submitted the final proposed regulations for the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). The submission of the final proposed regulations caps an exhaustive process which has included three separate rounds of modifications and over 1,000 public comments as businesses try to grasp how to comply with the CCPA. The OAL has 30 business days, plus an additional 60 calendar days due to an executive order related to the COVID-19 pandemic, to review and approve the final regulations. The California Attorney General has requested that the OAL complete its review within 30 business days so that the regulations are approved by the July 1, 2020 enforcement date under the CCPA.
The final regulations submitted to the OAL are essentially the same as the proposed regulations released in March 2020 with some minor changes. However, as the July 1, 2020 CCPA enforcement date looms, it is essential that all businesses subject to the CCPA have a strong compliance program in place to address the mountain of new obligations created by the most comprehensive privacy law in U.S. history. With less than one month to go, below are some notable items that your business should be thinking about for the CCPA.
- Review Your Disclosures Regarding the Collection and Use of Personal Information. The final regulations require a business to disclose the categories of personal information collected and the business or commercial purpose for collecting or selling personal information. This may have been an exercise that your business did as part of planning for the CCPA several months ago. However, the COVID-19 pandemic has undoubtedly created a litany of additional considerations for businesses regarding the collection and use of personal information from consumers and employees. How your business collected and used personal information in February may be different from how it collects and uses personal information today. Therefore, all businesses should review such disclosures and confirm that all notices and privacy policies reflect current practices.
- Ensure Your Privacy Policy Reflects Information Required Under the CCPA. In addition to identifying the categories of personal information collected from consumers, the final regulations require businesses to identify the categories of sources from which the personal information is collected and the categories of third parties to whom information was disclosed or sold. These categories have been the subject of much debate during the drafting process by the California Attorney General. Therefore, a business should ensure that its privacy policy accurately reflects where it collects personal information from and any third parties to which personal information is disclosed.
- Remember Your Service Providers. No part of the proposed regulations changed more from start to finish than the regulations governing service providers. While the final regulations allow service providers to use personal information internally for specified uses, businesses must still ensure that proper contractual provisions are in place with third-party vendors to qualify them as "service providers" under the CCPA. If such provisions are not in place, then any personal information shared with such third parties may be considered a "sale" under the CCPA and require businesses to offer opt-out rights to consumers. Businesses should be reviewing all vendor agreements to confirm that the required language is in place.
- Are You Offering a Financial Incentive? The Notice of Financial Incentive has been a significant point of contention for businesses under the CCPA. If a business offers a difference in the price charged for goods and services related to the "collection, retention, or sale of personal information," then a Notice of Financial Incentive may be required. This includes the use of discounts or other benefits which are contingent upon the collection of personal information. If a Notice of Financial Incentive is required, a business is required to include a good-faith estimate of the value of the consumer's data which forms the basis for the financial incentive. This can be a cumbersome effort for many businesses. Therefore, determining whether your business offers financial incentives under the CCPA is of paramount importance.
- Confirm Procedures for Handling Consumer Requests. The CCPA has extremely narrow deadlines for confirming and responding to consumer requests. The final regulations state that a request to know or request to delete must be confirmed by a business within 10 business days and responded to within 45 calendar days. A request to opt-out must be honored within 15 business days from the date the request is received. Businesses should ensure that they have consumer request response procedures in place that reflect the different response deadlines, and should train the employees who handle consumer requests on how to respond to them.
- The CCPA Applies to All Formats. Businesses must keep in mind that the CCPA applies to the collection of personal information across all formats – online and offline. In addition to posting conspicuous links to the Notice at Collection and Privacy Policy on a website, businesses must also consider separate and distinct requirements for mobile applications, physical locations, and collection over the phone. This includes posting required notices on a mobile application's download page and having paper notices or prominent signage in place at physical locations.
- Don't Forget About Your Employees. While employee data has been largely exempted under the CCPA until 2021, businesses are still required to issue a notice at collection to employees identifying the categories of personal information they collect about employees and the business or commercial purpose for which the categories will be used. All businesses must ensure that they have a protocol in place to issue this notice to employees.
- Verify the Applicable Scope of Exemptions. To the extent that your business is relying upon a specific exemption (e.g., the Gramm-Leach-Bliley Act exemption), your business should verify the scope of the exemption and whether any personal information collected by your business falls outside the exemption. The definition of "personal information" under the CCPA is extremely broad. With many CCPA exemptions being specific to the type of data collected, all businesses should evaluate whether they are collecting personal information outside of an exemption and, thus, subject to the CCPA.
If you have questions about the CCPA, please contact Alex Koskey or any member of Baker Donelson's Data Privacy and Cybersecurity team.