After much anticipation, the California Attorney General (AG) announced in early June 2020 that the final California Consumer Protection Act (CCPA) regulations were being submitted to the Office of Administrative Law (OAL) for review. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law.
Because enforcement of the CCPA began on July 1, 2020, now is the time for covered businesses and service providers to size-up their compliance efforts. Although there are many issues that remain unclear, the regulations may provide a road map to the AG’s enforcement priorities. Among the issues addressed by the final regulations—as well as the AG’s “Final Statement of Reasons” which accompanied those regulations— are the following:
- Service Providers: The regulations require that service providers use the personal information they receive from businesses “to process or maintain personal information on behalf of the business … and in compliance with the written contract for services required by the CCPA,” except in certain narrowly-defined circumstances, such as building or improving the quality of their services. If an entity qualifies as a service provider, the transfer of information from a business to them is not deemed a sale. Moreover, the Final Statement of Reasons clarifies that service providers do not lose their status as service providers merely because they collect consumers’ personal information directly, if that collection is performed at the business’s direction and on behalf of that business.
- Subcontractors: The regulations provide that service providers may hire subcontractors, as long as the subcontractors meet all the requirements for a “service provider” set forth in the CCPA and the regulations.
- User-Enabled Privacy Controls: Businesses must honor privacy controls that clearly communicate or signal that the consumer intends to opt out of the sale of personal information.
- Training and Recordkeeping: The regulations require training for all individuals responsible for handling consumer inquiries. Businesses must also retain records of consumer requests and how the business responded to such request for 24 months.
- No Discrimination: A business cannot discriminate against a consumer for exercising his or her rights under the CCPA.
We realize there is a lot to digest in the legislation and the regulations. So now is the time for businesses to take a close look at the regulations, evaluate whether changes need to be made, and develop a compliance checklist and action plan.