California AG Announces CCPA Regulations are Final – And Effective Immediately

Mintz - Privacy & Cybersecurity Viewpoints

Mintz - Privacy & Cybersecurity Viewpoints

California Attorney General Becerra announced Friday afternoon that the Office of Administrative Law (OAL) had approved the final CCPA regulations his office submitted to the OAL in June, and that the review process is complete.   This means that the CCPA Regulations go into effect immediately

According to AG Becerra’s announcement, “With these rules finalized, California breaks ground and leads the nation to protect and advance data privacy. These rules guide consumers and businesses alike on how to implement the California Consumer Privacy Act. As we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security.”

If you have been sitting on the sidelines “waiting for the final regulations,” now is the time to move CCPA compliance to the front burner.   Enforcement of the CCPA itself by the AG’s office began on July 1 (looking back to the January 1 effective date of the statute), but Friday’s announcement means that the regulations are in full force and effect as of now, with all the operational requirements.

Here are some things that you should be doing in light of the regulations:

  • Privacy Notice:   Review your website and data policies to ensure that they conform with the requirements set out in the CCPA regulations.  You must include the following notices:
    • Website privacy notice (prominently featured) with a comprehensive description of your business’ online and offline data collection, sale, and use purpose – including a full description of the rights of a California resident under the CCPA and how to exercise those rights
    • Point of collection notice:  You must have some notice at the point of collection of information that describes why the information is being collected.   A static link to your privacy policy at the bottom of the website page is not sufficient under the CCPA regulations.
    • Notice of Right to Opt-Out of Sale:   If your business “sells” personal information in the context of CCPA, you must provide a notice of the right to opt-out in accordance with the regulations.
    • Notice of Financial Incentives:  If you offer financial incentives in exchange for personal information (and the regulations have examples), you must provide very specific notice regarding this financial incentive
  • Respond to Consumer Rights Requests:  Your business should already have an operational method in place to respond to consumer rights requests under the CCPA.  It’s essential that your process be in strict compliance with all the CCPA requirements because failures to implement an intake process and act promptly on such requests can lead to consumer complaints and AG investigations.   Your record of consumer requests and responses must be maintained and made available (on request) for 24 months.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz - Privacy & Cybersecurity Viewpoints | Attorney Advertising

Written by:

Mintz - Privacy & Cybersecurity Viewpoints

Mintz - Privacy & Cybersecurity Viewpoints on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.