On August 14, 2020, California Attorney General Xavier Becerra announced that the final implementing regulations (the “Approved Regulations”) for the California Consumer Privacy Act (the “CCPA”) have been approved by California’s Office of Administrative Law (the “OAL”).1 The Approved Regulations were adopted on the heels of initial enforcement actions taken by Becerra’s office (the “OAG”) to enforce the inalienable right to privacy afforded by California’s constitution. The Approved Regulations also arrive against the backdrop of a looming California Privacy Rights Act (the “CPRA”) — a proposed amendment to the CCPA that will expand California consumers’ privacy rights (and, as a result, businesses’ compliance obligations) and is slated to appear on the November 2020 ballot for Californians. This note discusses the differences between the Approved Regulations and the previous release of proposed regulations and provides an overview of lessons learned from the OAG’s initial enforcement actions.
Changes in the Regulations
The adoption of the Approved Regulations is the end result of California’s formal public review and comment process that began with the initial release of proposed regulations in October of 2019. By and large, the Approved Regulations track the final draft proposed by the OAG on June 1, 2020. That said, the Approved Regulations include several changes to the draft proposed on June 1, 2020, including both non-substantive changes as well as the following substantive changes:
Do Not Sell My Info
The Approved Regulations removed the option for businesses to use the abbreviated “Do Not Sell My Info” link to opt out of sales of personal information. As a result, under the Approved Regulations, businesses will be required to use the more formal “Do Not Sell My Personal Information” language originally contemplated in the CCPA when displaying a hyperlink that enables consumers to opt out of sales of personal information.2 As discussed below, this change is particularly noteworthy in light of comments from OAG attorneys regarding the focus of the OAG’s initial enforcement actions under the CCPA.
The Approved Regulations withdrew the following provisions of the proposed regulations:3
- A provision that would have required businesses to obtain a consumer’s explicit consent before using personal information for purposes that are “materially different” than those disclosed to the consumer when the business originally collected the relevant personal information;4
- A provision that would have required businesses that “substantially interact with consumers offline” to provide Do Not Sell notices via offline methods and included several examples of how such notices could be provided;5
- A provision that required the Do Not Sell request mechanism to be “easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.” Note: notwithstanding the deletion of this requirement, other sections of the Approved Regulations obligate businesses to consider “ease of use” when incorporating the opt-out functionality;6 and
- A provision that expressly enabled businesses to deny requests from authorized agents that do not provide proof that they are authorized to act on behalf of the applicable consumer.7 Note: notwithstanding the deletion of this express right, CCPA contains other provisions that enable businesses to verify the legitimacy of requests from agents on behalf of consumers.8
Additional Revisions to the Final Regulations
Despite the involved rulemaking process so far, the Approved Regulations are not “final” in all respects. With respect to the four withdrawn sections, the OAG may resubmit those sections following additional review, at which point there would be a 15-day period for public review and comment. Any resubmission of the withdrawn sections would be required before October 11, 2020 unless the timeline is extended by the Governor. Note that any change to the Approved Regulations will be limited to the reinstatement of the withdrawn sections — the remainder of the Approved Regulations (including the changes to the requirements of the Do Not Sell My Personal Information link) will remain in effect without amendment.
The CCPA, through an amendment passed on August 31, 2018, restricted the OAG from bringing an enforcement action “until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” As a result, the OAG became able to bring enforcement actions under the CCPA beginning on July 1, 2020 despite the fact that the implementing regulations had not yet been finalized.
During a webinar hosted by the International Association of Privacy Professionals on July 9, 2020, a Deputy Attorney General from the OAG confirmed that the OAG had already sent an “initial swath” of enforcement notices to companies across sectors. While she did not expressly outline the alleged infractions, the Deputy Attorney General indicated that these may have related to the “do not sell” requirements of the CCPA and added that any business that sells consumer information but does not include a “do not sell” link on its website “should make sure to cure that as quickly as possible.”9 In addition, the OAG has revealed that, in connection with its enforcement actions, it has been reviewing the privacy policies of various businesses to ensure that all legally required notices and disclosures are being provided. Now that the Approved Regulations have been adopted, businesses that are subject to CCPA can expect that the OAG will rely on the text of the Approved Regulations, in addition to the statutory text, when reviewing privacy policies and bringing enforcement actions.
What this Means for You
Although the OAG began enforcing the CCPA prior to the adoption of the Approved Regulations, it now has the right to bring enforcement claims based on the text of the Approved Regulations in addition to the text of the CCPA. In addition, given the passage of time and the OAG’s past refusal to further delay enforcement of the CCPA, we expect the OAG to increase its enforcement efforts with respect to the CCPA.
The “Do Not Sell” requirement of the CCPA is emerging as a focal point for the OAG, and the importance of this provision is highlighted by the withdrawal of the abbreviated “Do Not Sell My Info” button option that had been proposed under the draft regulations. Ensuring the proper implementation of this button on a business’s website, as well as the inclusion of all legally required disclosures and notices, should be a priority for all businesses looking to avoid enforcement actions by the OAG.
While the dust has mostly settled on the implementation of the CCPA, a new storm is brewing on the horizon with enforcement actions and the potential passage of CPRA in November. For more details on the contents of the CPRA.
1 See Announcement and Full Text of Approved Regulations
2 See Addendum to Final Statement of Reasons
3 See Notice of Approval in Part and Withdrawal in Part of Regulatory Action
4 See Section 999.305(a)(5) of June 1, 2020 Proposed Regulations
5 See Section 999.306(b)(2) of June 1, 2020 Proposed Regulations
6 See Sections 999.315(b) and 999.315(c) of June 1, 2020 Proposed Regulations
7 See Section 999.326(c) of June 1, 2020 Proposed Regulations
8 See Section 1798.140(y) of CCPA
9 See CCPA Enforcement: Enter the AG