[author: Mackenzie Frerich]
On August 14th, 2020, the California Attorney General announced that the Office of Administrative Law (OAL) approved the final regulations of the California Consumer Privacy Act (CCPA) following a two-month review from the initial submission on June 1st. During this time, the OAL made additional minor changes to the regulations, but there were no major updates. The final regulations were filed with the California Secretary of State on August 14th and went into effect immediately.
The CCPA provides consumers with transparency and control over their personal information. Organizations still in the process of updating business practices to comply with the CCPA should first assess their personal information processing activities to understand which requirements under the CCPA are applicable. Typically, this is achieved through a data inventory or similar exercise that provides insight into a business’s sharing activities with its vendors and, ultimately, whether it is selling personal information as defined under the CCPA.
Businesses that conduct a formal review of their personal information sharing activities will also be better equipped to perform the following steps required to comply with the CCPA:
- Update contracts with service providers processing personal information on the business’s behalf;
- Update privacy policies with the CCPA notice requirements;
- Develop procedures to receive, review, and honor privacy rights:
  - The Right to Know;
  - The Right to Delete;
  - The Right to Opt-Out of the Sale of Personal Information; and
  - The Right to Non-Discrimination/Equal Service.
- Develop escalation procedures for breach notices received from consumers; and
- Develop a governance program that includes frequent reviews of new CCPA policies and procedures to ensure they remain accurate and up-to-date.
Violations of the CCPA can result in penalties of up to $2,500 per violation or up to $7,500 per intentional violation. The CCPA also provides consumers with the ability to bring a private right of action against a business following a breach of their personal information that occurred as a result of the business’s failure to implement reasonable security procedures to protect the information it processes.