California Attorney General Becerra announced Friday afternoon that the Office of Administrative Law (OAL) had approved the final CCPA regulations his office submitted to the OAL in June, and that the review process is complete. This means that the CCPA Regulations go into effect immediately.
According to AG Becerra’s announcement, “With these rules finalized, California breaks ground and leads the nation to protect and advance data privacy. These rules guide consumers and businesses alike on how to implement the California Consumer Privacy Act. As we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security.”
If you have been sitting on the sidelines “waiting for the final regulations,” now is the time to move CCPA compliance to the front burner. Enforcement of the CCPA itself by the AG’s office began on July 1 (looking back to the January 1 effective date of the statute), but Friday’s announcement means that the regulations are in full force and effect as of now, with all the operational requirements.
Here are some things that you should be doing in light of the regulations:
- Privacy Notice: Review your website and data policies to ensure that they conform with the requirements set out in the CCPA regulations. You must include the following notices:
- Website privacy notice (prominently featured) with a comprehensive description of your business’ online and offline data collection, sale, and use purpose – including a full description of the rights of a California resident under the CCPA and how to exercise those rights
- Notice of Right to Opt-Out of Sale: If your business “sells” personal information in the context of CCPA, you must provide a notice of the right to opt-out in accordance with the regulations.
- Notice of Financial Incentives: If you offer financial incentives in exchange for personal information (and the regulations have examples), you must provide very specific notice regarding this financial incentive
- Respond to Consumer Rights Requests: Your business should already have an operational method in place to respond to consumer rights requests under the CCPA. It’s essential that your process be in strict compliance with all the CCPA requirements because failures to implement an intake process and act promptly on such requests can lead to consumer complaints and AG investigations. Your record of consumer requests and responses must be maintained and made available (on request) for 24 months.