MORGAN LEWIS PRACTICAL ADVICE ON PRIVACY: GUIDE TO THE CCPA
Despite the coronavirus (COVID-19) pandemic, the California attorney general intends to enforce the California Consumer Privacy Act (CCPA) beginning July 1, 2020, pending the anticipated approval from the California Office of Administrative Law (OAL) on the final text of the proposed CCPA regulations. This article discusses the scope of the new regulations and identifies practical steps that companies can take to ensure compliance before July 1.
Under the CCPA, July 1, 2020, is the earliest date that the Office of the California Attorney General may file an enforcement action. The COVID-19 pandemic has sparked discussion about potentially postponing the July 1 enforcement date of the CCPA by the attorney general to January 2021. A group of trade associations, in two letters addressed to the attorney general, emphasized the effects of operational disruptions created by COVID-19 on businesses’ CCPA compliance efforts, such as the lack of onsite staff to help develop necessary compliance programs. Despite these concerns, the attorney general’s office has reaffirmed that July 1 remains its target enforcement date, stating in a recent press release that “[b]usinesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1.”
The CCPA went into effect on January 1, 2020, but the new proposed regulations were submitted to the OAL for review on June 1, 2020, to ensure procedural compliance with the Administrative Procedure Act. The OAL has 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to approve the regulations. However, despite the extended review period, the attorney general has requested that the OAL complete the review within 30 days to ensure that the regulations are enforceable by July 1, as mandated by the CCPA. While it remains unclear whether the final regulations will be in force by July 1, the final text of the proposed regulations provides greater clarity for businesses finalizing their CCPA compliance efforts.
OVERVIEW OF THE CCPA
While not exhaustive, this overview highlights some of the most important elements of the proposed regulations. For a more detailed overview of the regulations, please see our February 18, 2020 alert.
Most notably, the new final proposed regulations submitted by the attorney general’s office:
- Establish the notice at collection requirements;
- Establish the rules for collecting personal information through a mobile application or device, including providing just-in-time notice to consumers;
- Require affirmative authorization from the consumer before a business can sell that consumer’s personal information;
- Require notice of the right to opt out on the business’s website to which the consumer is directed after clicking on the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on the website homepage;
- Require a notice of financial incentive that explains the material terms of a financial incentive the business is offering so the consumer may make an informed decision on whether to participate;
- Establish guidelines for businesses’ privacy policies;
- Provide guidelines for consumer requests to know or to delete;
- Require that notices be reasonably accessible to persons with disabilities; and
- Establish recordkeeping requirements for consumer requests made pursuant to the CCPA.
Although the above summary does not include all of the proposed changes to the regulations, it is representative of the tone and scope of the attorney general’s approach to this update. The impact of the modifications will vary depending on how a business collects, uses, and discloses personal information, and how far along a business is in its CCPA compliance efforts.
ATTORNEY GENERAL’S OFFICE HAS SAID IT MAY BRING ENFORCEMENT ACTIONS FOR VIOLATIONS THAT OCCURRED ON OR AFTER JANUARY 1, 2020
The attorney general has the authority to enforce any violation of the CCPA against a “business, service provider, or other person.” The attorney general has indicated that after July 1, it intends to bring enforcement actions against companies for CCPA violations occurring as early as January 1, 2020, when the CCPA first went into effect. However, retroactive enforcement of CCPA violations is not expressly provided for in the statute. To the contrary, the CCPA merely states that enforcement actions cannot be filed before “six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” Attempts by the attorney general to pursue violations occurring before the July 1, 2020, enforcement date may be problematic and inconsistent with the statute.
ENFORCEMENT OF THE CCPA
As highlighted in previous alerts, the attorney general may pursue injunctive relief or civil enforcement penalties, which could be substantial and accumulate quickly if violations are not cured within 30 days after receiving notice from the attorney general. While enforcement procedures are not spelled out in the statute or the final proposed regulations, enforcement of the CCPA by the attorney general will likely begin with letters, subpoenas, or requests for information issued to companies that the attorney general believes to be out of compliance. Similar to other statutory mechanisms, enforcement may culminate in a pre-litigation consent decree involving monetary and injunctive terms mandating that the company comply with new regulations. The attorney general may also impose a penalty of up to $2,500 for each violation and up to $7,500 “for each intentional violation.” Companies that are unsure about their CCPA compliance may seek an advisory opinion from the attorney general for guidance on how best to comply with the new regulations.
Considering the attorney general’s recent statement that it intends to begin enforcing the CCPA starting July 1, 2020, now is the time for companies to take concrete steps to implement compliance with the statute’s requirements, including the following:
- Revise their website homepage to include a “Do Not Sell My Personal Information” link
- Increase their data mapping efforts and form a compliance team
- Create a mechanism to receive, verify, and respond to consumer requests to know and to delete
- Amend service provider agreements to limit the service provider’s use of personal information as prescribed in the CCPA
- Provide CCPA training, including remotely if necessary
- Update document retention policies to ensure that all records of consumer requests and the company’s response are maintained for at least 24 months
- Provide notices to employees, job applicants, contractors, officers, and directors regarding the personal information that is collected and how that information may be used.
For a more robust description of these practical steps, please see our June 4, 2020 alert.
Though the above steps are aimed at ensuring companies’ compliance with the CCPA, companies should be aware that the finalized proposed regulations do contain certain ambiguities that the attorney general has failed to clarify, such as how the CCPA applies to behavioral advertising and what constitutes a “sale” of personal information. In light of these ambiguities, and without clarification from the attorney general on these issues before the enforcement period begins, it is likely that these ambiguities will be resolved in the course of CCPA enforcement through enforcement actions and attorney general opinions. As such, companies are encouraged to stay abreast of CCPA developments to ensure their continued compliance with the regulations.
 Cal. Civ. Code § 1798.185(c).
 Press Release, State of Cal. Dep’t of Justice, Office of the Attorney Gen., Attorney General Becerra Submits Proposed Regulations for Approval Under the California Consumer Privacy Act (Jun. 2, 2020) (on file with author).
 Cal. Civ. Code § 1798.155(b).