California Consumer Privacy Act Regulations Enforced Now: What Businesses with CA Customers Need to do to Comply

After much anticipation, the California Attorney General (AG) announced in early June 2020 that the final California Consumer Protection Act (CCPA) regulations were being submitted to the Office of Administrative Law (OAL) for review. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law. 

Because enforcement of the CCPA began on July 1, 2020, now is the time for covered businesses and service providers to size-up their compliance efforts. Although there are many issues that remain unclear, the regulations may provide a road map to the AG’s enforcement priorities. Among the issues addressed by the final regulations—as well as the AG’s “Final Statement of Reasons” which accompanied those regulations— are the following:

• Privacy Policy: A business’ privacy policy must inform consumers of their rights under the CCPA and how they can submit requests to know or delete personal information. In addition, the privacy policy should disclose the categories of personal information collected, the categories of personal information disclosed for a business purpose or sold to a third party and provide on a per category basis the categories of third parties to whom the information was disclosed or sold.
• Required Notices: The final regulations detail the information that should be included in the various notices. They also require business to use “plain, straightforward language” and a format that draws the consumer’s attention to the notice. In addition, the AG clarified that the regulations do “not require a cookie banner, but rather leave it to businesses to determine the formats that will best achieve the result in particular environments. In other words, it appears that the use and nature of tracking technologies can be disclosed in the privacy policy assuming that policy is readily available to the public.
• Service Providers: The regulations require that service providers use the personal information they receive from businesses “to process or maintain personal information on behalf of the business … and in compliance with the written contract for services required by the CCPA,” except in certain narrowly-defined circumstances, such as building or improving the quality of their services. If an entity qualifies as a service provider, the transfer of information from a business to them is not deemed a sale. Moreover, the Final Statement of Reasons clarifies that service providers do not lose their status as service providers merely because they collect consumers’ personal information directly, if that collection is performed at the business’s direction and on behalf of that business.
• Subcontractors: The regulations provide that service providers may hire subcontractors, as long as the subcontractors meet all the requirements for a “service provider” set forth in the CCPA and the regulations.
• User-Enabled Privacy Controls: Businesses must honor privacy controls that clearly communicate or signal that the consumer intends to opt out of the sale of personal information.
• Training and Recordkeeping: The regulations require training for all individuals responsible for handling consumer inquiries. Businesses must also retain records of consumer requests and how the business responded to such request for 24 months.
• No Discrimination: A business cannot discriminate against a consumer for exercising his or her rights under the CCPA.

We realize there is a lot to digest in the legislation and the regulations. So now is the time for businesses to take a close look at the regulations, evaluate whether changes need to be made, and develop a compliance checklist and action plan. Contact Michelle Merola (518.736.2917), Gary Schober (716.848.1289), or Patrick Fitzsimmons (716.848.1710) to discuss how Hodgson Russ can help you navigate these issues.