Despite requests for delay due to COVID-19, California Attorney General Xavier Becerra has affirmed that enforcement of the California Consumer Privacy Act (CCPA) has started, effective July 1, 2020. The CCPA is a huge step forward in data privacy law, granting California consumers robust data privacy rights and increased control over their personal information. Previous PilieroMazza coverage of the CCPA can be viewed here and here. While the CCPA has been in effect since January 1, 2020, companies that do business with California consumers will now risk penalties for noncompliance. Below is key information for companies seeking to ensure CCPA compliance and to avoid enforcement action.
Approval of Final Regulations
The Office of the California Attorney General submitted the final proposed CCPA regulations package to the California Office of Administrative Law (OAL) on June 1, 2020, for review. OAL has 30 working days, plus an additional 60 calendar days to review the package. Once approved, the final regulation text will be filed with the Secretary of State and become enforceable by law. OAL is not expected to make significant changes to the regulations, so a full analysis of the rule will likely be necessary for the creation and implementation of a robust CCPA compliance program.
To understand whether or not you are subject to potential enforcement,, first determine if you fall within CCPA’s compliance criteria. Critically, the statutorily defined terms “consumer” and “personal information” are far broader than comparable statutes and regulations found in other jurisdictions, though that itself is currently the subject of debate in many state legislatures. The enlargement of these terms causes CCPA’s jurisdiction to be larger than it appears on the face of the statute. Below are certain high-level questions that can help a business determine if it meets certain threshold standards:
- Do you, or any of your subsidiaries or affiliates, engage in business in California?
- Do you do business with contacts or employees who reside in California?
- Does your business have over $25 million in annual gross revenues?
- Does your business buy, sell, or receive personal information?
If you fit certain initial criteria, we recommend identifying the type of personal information your business collects. As briefly mentioned above, CCPA broadly defines personal information as any information that directly or indirectly identifies, describes, or can be reasonably linked to a particular consumer. CCPA grants consumers significant rights to the use of their personal information, including general notice rights. It is here that companies can take proactive steps to prepare for CCPA’s implementation. More specifically, CCPA grants consumers the right to know what personal information a business collects, sells, or discloses about them. Additionally, several sections of CCPA require businesses to make affirmative disclosures to consumers by way of privacy policies and other notices.
With the expiration of CCPA’s safe harbor and subsequent July 1, 2020 enforcement, steps that can be immediately taken may include, but are not limited to, the following:
- updating notices and privacy policies;
- reviewing data flows including data mapping and classification;
- segregating data and IT systems between regulated and non-regulated data repositories;
- implementing cookie banners and web beacons in accordance with CCPA-compliant privacy policies;
- implementing individual request processes (including opt-out and deletion); and
- implementing training to meet CCPA’s new requirements.
What to Watch
The California Secretary of State recently announced that the California Privacy Rights Act (CPRA) will be on California’s November 3, 2020, ballot. If approved by voters, the CPRA would significantly update and amend the CCPA, allowing California consumers to block businesses from using a new category of information known as “sensitive personal” information and establishing a new enforcement authority to protect data privacy rights.
PilieroMazza’s attorneys will continue to monitor the CCPA, along with legal developments for data privacy in other states. For assistance with CCPA implementation in your business, please contact the authors of this client alert, Dave Shafer and Emily Rouleau, or a member of the Firm’s Cybersecurity & Data Privacy Group.