Beginning with the European Union’s General Data Protection Regulation (GDPR), we have entered the brave new world of stricter government regulation of consumer data. Absent a federal privacy rule that matches the GDPR in its breadth, some states have begun the process of creating their own state consumer data privacy and security laws. The California Consumer Privacy Act (CCPA) is California’s most recent attempt to address its residents’ privacy and the privacy practices of organizations that do business in the state. Governor Jerry Brown signed the CCPA into law on June 28, 2018, and several amendments were signed into law on October 11, 2019 by Governor Gavin Newsom. Almost at the same moment, on October 10, 2019, the California Attorney General introduced proposed regulations to implement the CCPA.
Generally, the CCPA became operational on January 1, 2020. Businesses conducting business in California are asking what the CCPA means for them – some for the first time considering whether they are subject to the CCPA. Threshold questions clients must assess in order to determine whether or not the CCPA applies to an entity that conducts business in California include (1) does the entity have gross revenue of $25 million; (2) does the entity annually share or disclose the personal information of at least 50,000 consumers; or (3) does the entity derive at least 50% of its annual revenues from selling consumers’ personal information. There are multiple other issues to review, and counsel can assist clients with this review.
For a company that has already begun working on its CCPA compliance processes prior to the October amendments and draft attorney general regulations, this alert highlights five of the new issues created by the amendments and the draft regulations that have largely flown under the radar.
2. Identity Verification
3. Contents of Financial Incentive Notice
Where a business provides financial incentives to consumers, the draft regulations also impose additional requirements for those businesses to provide specific notices to the consumers. Specifically, a business must explain in the notice as to why the financial incentive is legitimate under the CCPA, as well as the value of the consumer data involved. This likely will involve significant legal analysis, even for a business that was wholly compliant with the CCPA before the amendments and draft regulations were published.
4. Methods for Submitting a Consumer Request
There has been uncertainty under the CCPA regarding the methods that must be available to consumers for them to submit a request. The draft regulations attempt to provide specificity, but may have created more confusion. Currently, the number of methods a business must provide for consumer to make requests will depend on the type of request being made – in some circumstances, a business is required to provide a toll-free number, and in other circumstances an interactive web form may be required. Businesses will need to consider in depth what must be done to comply with the draft regulations and amendments, and to operationalize the various phases of consumer requests.
5. Responding to Consumer Requests
Finally, the draft regulations highlight specific issues a business must consider in developing its internal processes to respond to consumer requests. The draft regulations contain new guidance on how to treat a situation where a business cannot verify a consumer’s identity, as well as the information that must (or must not) be included in response to a consumer request. Businesses should revisit internal policies and procedures to ensure the draft regulations are addressed.
The CCPA has created uncertainty for countless clients over the past year, not the least of which are fueled by new or different requirements for which there was no notice before October 2019. The CCPA will continue to create new issues as it evolves – both with finalization of the attorney general regulation, and potentially with the recent introduction of the proposed ballot measure, the California Privacy Rights and Enforcement Act of 2020. Whether a business is just starting to evaluate whether and to what extent it is impacted by the CCPA, or whether it has already done substantial work to become compliant, we stand ready to assist in the process.