California Attorney General Xavier Becerra’s enforcement of the California Consumer Privacy Act of 2018 (CCPA) is likely to begin on July 1, almost two years to the day since its whirlwind passage. The enforcement landscape remains largely unclear, however, as it is uncertain if and when the attorney general’s proposed final implementing regulations under the CCPA will take effect.
This is particularly significant because the proposed regulations impose numerous substantive obligations that extend above and beyond those included in the CCPA itself, presenting covered businesses with significant compliance challenges on the eve of enforcement.
THE REGULATIONS: BACKGROUND
The CCPA, California’s landmark privacy law, gives California residents several new rights with respect to the collection, use, sale and other disclosures of their personal information (PI). Although the law became operative on January 1, 2020, it specifies that the attorney general may not bring an enforcement action until six months after the publication of the final regulations or July 1, whichever is sooner.
The implementing regulations have not yet been approved, but Becerra has consistently reaffirmed his intention to begin enforcing the CCPA at the start of next month.
Becerra’s proposed final regulations, issued on June 1, clarify a number of the CCPA’s ambiguities, including by:
- Specifying that a business need not provide a consumer with a required collection notice if the business does not collect PI from the consumer directly, unless it intends to sell the consumer’s PI
- Detailing the specific mechanisms that a business may or must make available for consumers to submit requests under the CCPA
- Outlining general principles to guide businesses’ verification of consumer requests – the process by which a business verifies that the requester is the consumer at issue – and discouraging the collection of additional PI for verification purposes
- Clarifying that businesses are not required to search for PI that is not maintained in a reasonably accessible format solely for the purpose of responding to a consumer request
- Prohibiting the disclosure of certain high-risk data in response to a consumer’s request to access specific pieces of his or her PI
- Establishing permitted uses of consumer PI by service providers.
But the regulations also leave several questions unanswered, including what constitutes a ‘sale’ under the CCPA – an important definition given the frequency with which the term is used in the law – and introduce a number of new substantive requirements that businesses must review to avoid inadvertently violating the law.
FIVE NEW RISKS
Although the regulations include many new requirements not found in the CCPA itself, five areas may warrant particularly close attention.
- Notices, including a company’s privacy policy
The regulations contain a new requirement that a business obtain a consumer’s explicit consent if it intends to use the consumer’s PI for a materially different purpose from those outlined in the notice provided when PI is collected. In other words, simply notifying a consumer that the business intends to use his or her PI for a new purpose and permitting the consumer to opt out of such use will not suffice.
Consequently, a business should be sure to include both its current and reasonably foreseeable uses of consumer PI in its initial privacy notice.
The regulations also require a business that provides consumers with a financial incentive related to the collection, retention or sale of their PI to include additional details in its required notice of the financial incentive. This includes a ‘good faith estimate’ of the value of the consumer’s PI that forms the basis for offering the incentive.
Finally, the regulations broaden the CCPA requirement that a business’ privacy policy list the categories of third parties to which the business sold or disclosed consumer PI in the preceding 12-month period. The regulations require that the privacy policy include, for each category of PI, the categories of third parties to which that PI was sold or disclosed for a business purpose. Thus, two exhaustive lists – one containing the categories of consumer PI that the business collects and another containing the categories of third parties to which any of that PI is sold or disclosed – will not suffice.
- Submission of consumer requests
The regulations require a company to handle a consumer’s request to know or request to delete even if it is not submitted through one of the business’s designated mechanisms for that type of request and/or is otherwise deficient.
For example, if the business designates a toll-free number and an email address as its two designated methods for the submission of deletion requests, and a consumer submits his or her deletion request by postal mail, the regulations require the business to treat the request as though it was submitted through one of the proper channels.
Further, if the consumer’s request is deficient in another way (for example, if the consumer did not provide all of the necessary information to enable the business to respond to the request), the regulations require the business to inform the consumer of the deficiency and explain how to correct it. The business may not simply ignore the request.
- Responding to consumer requests
The regulations significantly shorten the time frame within which a business must act on consumer requests under the CCPA. For instance, whereas the law requires a business to respond to a consumer’s request to know or request to delete within 45 days, the regulations further require a business to confirm receipt of the consumer’s request within 10 business days, requiring the business to act much quicker upon such requests.
In its confirmation of receipt, the business is also obligated to provide information about how it will process the request, including a description of the business’s verification process and when the consumer should expect a response. With respect to consumer requests to opt out of sale, the regulations require a business to comply within 15 business days of receipt.
The regulations also require a business that denies a request to access specific pieces of PI or a deletion request to provide additional information in its response to the requester. Specifically, if the denial is based on a conflict with applicable law or an exception to the CCPA, the regulations require the business to: (i) explain the basis for the denial, unless prohibited by law; and (ii) if applicable, partially grant the request, to the extent that it does not conflict with the law or fall within an exception to the CCPA.
Further, the regulations provide that if a business denies a consumer’s request to delete but sells that consumer’s PI, and the consumer has not already made a request to opt out of sale, the business must ask the consumer if he or she would like to opt out of sale and include the contents of, or a link to, the opt-out notice.
Finally, the regulations specify that a consumer’s request to opt out of the sale of his or her PI need not be a verifiable request. Accordingly, unless a business has a ‘good-faith, reasonable and documented belief that a request to opt out is fraudulent’, it must honor the request.
- Service providers’ obligations
The regulations state that if an entity’s functions and obligations are consistent with those of a service provider, but the business for which the entity performs services does not qualify as a covered business under the CCPA, the entity is nonetheless deemed a CCPA service provider. This suggests that service providers have CCPA duties, even if the businesses for which they perform services are not covered by the law.
The regulations also stipulate that a service provider in receipt of a consumer’s CCPA request to know or request to delete must either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because it is merely a service provider. It may not ignore a consumer request simply on account of its role as a service provider.
- Record keeping
Unlike the CCPA, the regulations require a business to maintain records of consumer requests made pursuant to the law, and how the business responded to these requests, for at least 24 months.
NEXT STEPS AND TAKEAWAYS
The regulations are currently under review by California’s Office of Administrative Law (OAL), which is tasked with ensuring that proposed regulations comply with California’s Administrative Procedures Act. OAL typically has 30 business days to review proposed regulations, but this period has been extended by an additional 60 calendar days, by executive order, due to the Covid-19 pandemic.
If regulations are approved, they are filed with the California secretary of state and typically become effective on the following January 1, April 1, July 1 or October 1. In light of his statutory duty to promulgate regulations under the CCPA by July 1, however, Becerra has requested that OAL complete its review within the initial 30 business-day period and that the regulations take effect on the date on which they are filed with the secretary of state, not the next designated quarterly effective date.
Given the multiple variables at play, it is impossible to predict when the regulations will take effect. But given that the regulations could become effective at any time without forewarning, companies should take note of the new compliance requirements that the regulations present and modify their compliance programs accordingly.
Robert Famigletti is a privacy analyst and Kristen Mathews is a partner with Morrison & Foerster