The Inner Circle

CCPA: California Attorney General Announces Final Implementing Regulations Effective Immediately

    Posted 28 days ago
    Hi All,

    On August 14, 2020, California Attorney General Xavier Becerra (the "California AG") announced that the regulations implementing the California Consumer Privacy Act (the "Act" or the "CCPA") had been approved by the state's Office of Administrative Law ("OAL"), with the regulations going into effect immediately. While the CCPA itself has been in effect for some time, the regulations are what effectively provide businesses with a blueprint on how to be deemed CCPA compliant.

    The long-awaited announcement comes more than 10 months after the initial implementing regulations were proposed on October 10, 2019, seven months after the CCPA first went into effect on January 1, 2020, and six weeks after the California AG's office began enforcing the CCPA on July 1, 2020. After three rounds of draft regulations and public comment over the past year, businesses can finally refine their CCPA compliance programs based on more definitive regulatory guidance from the California AG. Businesses should ensure familiarity with the regulations and their myriad technical requirements, since, as the California AG's recent flurry of enforcement makes clear, even minor infractions may not go unnoticed by the state as it embarks on its first season of CCPA enforcement.

    In a nutshell: the CCPA and the final regulations

    The CCPA, as discussed in prior publications,[1] is often compared to the comprehensive General Data Protection Regulation ("GDPR"), in that it applies extraterritorially and gives consumers both the right to know what type of consumer personal information businesses collect about them and the right to request that such data be deleted. But while the CCPA guarantees consumers protective rights, the Act's accompanying implementing regulations are what establish the specific procedures businesses must comply with in order to be CCPA compliant. Under the regulations, businesses must, among other things:

    • Provide notice of collection of personal information. Under Section 999.305, the regulations require businesses to provide "timely notice" of collection, and to disclose to consumers the purposes for which personal information will be used. This notice must be provided online, in-store and on mobile applications, and it must be updated as the business's collection practices change.
    • Publish detailed privacy policy disclosures. Section 999.308 requires businesses to provide consumers with a comprehensive description of their online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information, in a way that is easy to read and understandable.
    • Provide notice of right to opt-out of sale of personal information. Section 999.306 requires businesses to provide easy to read and understandable notice of consumers' right to opt-out of a business's sale of their personal information. Where the relevant business activities are conducted via a website or mobile application, the regulations require that the notice be posted on the website homepage or the download or landing page of the mobile app, and that it conspicuously reads "Do Not Sell My Personal Information." 
    • Adjust methods for accepting and responding to consumer requests. Under Section 999.313, businesses are required to implement specific processes and mechanisms for accepting and responding to consumer requests to know what information is collected about them or to delete information that is collected about them. These processes are intended to prevent the disclosure of sensitive personal information (such as account logins and passwords, government ID numbers and/or biometric information).

    Michael Roza CPA, CISA, CIA