The fine points of the groundbreaking California Consumer Privacy Act, California Civil Code §§ 1798.100-1798.199 (“CCPA”), are coming into view now that the California Attorney General has released the draft regulations required by the CCPA. Companies doing business with California residents should consider their compliance in 2020.
We have known for some time that, as of January 1, 2020, the CCPA establishes consumer rights and business obligations with respect to the collection and sale of consumers’ personal data. Generally, for qualifying businesses, the CCPA establishes:
- The consumers’ right to know what data a business collects, how it is used, whether it is sold, and, if sold, information about the third-party purchaser.
- The consumers’ right to forbid a business from selling their data, and from charging more to consumers who opt out of having their data sold.
- The consumers’ right to be forgotten by having their data deleted.
These rights, along with the existing EU General Data Protection Regulation, explain some of the new “features” we see on major web platforms. For example, in May 2019, Google Search and Maps Production Managers announced Google was introducing auto-deletion controls for consumers’ location history and activity data.
We have also known for some time that the CCPA will impact many businesses not previously subjected to privacy regulations, whether or not they are based in California. It applies to all entities “doing business” in California that either:
- Have a gross annual revenue in excess of $25 million;
- Annually buy, receive for commercial purposes, sell, or share for commercial purposes personal information of 50,000 or more California consumers, households, or devices; or
- Derive 50% or more of their annual revenue from selling California consumers’ personal information.
In addition to those entities qualifying pursuant to any of the above requirements, the CCPA also applies to any entity that: (1) controls, or is controlled by, a business that meets the criteria; and (2) shares common branding with that business.
The CCPA carries with it substantial penalties enforceable by either the Attorney General or private citizens. Maximum statutory penalties reach $7,500 per incident.
The CCPA left many details for the California Attorney General to clarify with implementing regulations. The Attorney General recently released draft regulations that provide some, but not all, of the expected and necessary guidance.
The draft regulations generally describe how businesses should procedurally handle consumer data requests, including requests to opt out of the sale of information, processes to verify consumer identity, and obligations to retain records regarding requests. They also provide guidance on the language permitted for providing notices of rights to consumers and emphasize the need for that language to be “plain [and] straightforward.”
The Attorney General’s draft regulations do not address all that was expected. We will stay tuned for additional or revised regulations in December.
The draft regulations are now open for public comment. Changes and additions are expected before they are finalized in December. Every company to which the CCPA applies should monitor the development of these regulations and prepare to implement compliance procedures as January 1, 2020 approaches.