The California Attorney General will soon begin to fully implement the California Consumer Privacy Act of 2018 (“CCPA”), the most comprehensive privacy law in the United States. The CCPA grants California residents new privacy rights and regulates businesses that obtain or process the personal data of California residents. It also gives consumers a private right of action for a data breach and grants new enforcement power to the Attorney General. We previously summarized key provisions in the CCPA in our advisory Preparing for the Inevitable: It’s Time to Begin Planning for the CCPA.
Enforcement to Commence on July 1
In January, the CCPA went into effect, but enforcement was delayed until California’s Attorney General Xavier Becerra finalized the underlying regulations, or July 1, 2020, whichever came first. With about a month to go, the regulations are still not final. Nevertheless, Attorney General Becerra has announced that his office will move forward with enforcement of the CCPA starting on July 1. Though some businesses had argued that a delay in enforcement would be appropriate because of the coronavirus pandemic, the Attorney General rejected that idea. Instead, in a recent press release, he asserted that the impact of the pandemic has made it more important than ever to focus on privacy rights given consumers’ increased “dependency on online connectivity.”
The reality is that COVID-19 is forcing families to adjust to a new way of living and connecting remotely. Whether it’s our children’s schooling, socializing with family and friends, or working remotely – we are turning to mobile phones and computers as a lifeline. With such dependency on online connectivity, it is more important than ever for Californians to know their privacy rights.
What You Need to Do to Comply With the CCPA
By all indicators, the CCPA’s reach is broad. Since it became effective at the beginning of the year, private litigants from across the country have already started asserting claims under the act. At least one private litigant has argued that the CCPA creates a new standard of law. All of this underscores the need to regularly monitor and assess the impact of the CCPA on your business’s privacy practices, even if you are not located in California.
The steps necessary to comply with the CCPA are very much a function of how a particular business operates and communicates with its customers. If the CCPA applies to you (which it probably does if you regularly interact with California consumers online), the proposed regulations mandate in detail how and when businesses should prepare consumer notices, the content required in privacy policies, and the methods companies should use in responding to and verifying consumer requests. The proposed regulations also provide guidance on the obligations of service providers, the use of authorized agents, the training of individuals handling personal information, and recordkeeping.
Key issues addressed in the proposed regulations include:
- Consumer Notices. The regulations describe in detail where, when, and how notices should be presented and designed, and describe the content they must include. These requirements differ depending on the specific business and data collection practices. For example, an online company that collects information has different obligations than a business that collects information only offline. In addition, there are different requirements for notice based on the reasonable expectations of consumers. Thus, a more prominent and “just-in-time” notification might be required if a business is collecting information in a way that might surprise the consumer, such as a flashlight application that collects geolocation information.
- Responding to Consumer Requests. The proposed regulations provide a framework describing how companies are supposed to respond to consumer requests to exercise their CCPA rights to know, delete, or opt out of the sale of personal information, including what methods a business should provide for consumers to make requests, what steps a business needs to take in identifying personal information, and how a business should verify that the consumer who makes the request has the right to access the relevant personal information.
- Maintaining Metrics. The proposed regulations also require certain recordkeeping, including statistics regarding compliance with the CCPA. These requirements differ according to the size of the company. For example, companies that buy, receive, sell, or share personal information of 10 million or more consumers in a calendar year must compile metrics that they are required to disclose by July 1 of every calendar year.
- Justifying Financial Incentives. The proposed regulations also provide clarity on the use of financial incentives to encourage consumers to allow the use and sale of their personal data. Specifically, the CCPA requires a good-faith estimate of the value of the consumer’s data in determining the propriety of such a program. As an example, the proposed regulations explain that a grocery store whose loyalty program requires a consumer to provide a phone number in order to receive discounts and coupons must allow the consumer to opt out of the sale of their personal information without removing them from the loyalty program, unless the grocery store can demonstrate that the value of the discounts and coupons is reasonably related to the value of the consumer’s data to the business.
Though there remain many open questions about the CCPA and how exactly it will be enforced, companies need to take immediate steps to comply now. Nutter will continue to monitor CCPA developments and is ready to assist clients with their compliance obligations.