While the United States largely hit the brakes as of March in the wake of the COVID-19 crisis, California Attorney General Xavier Becerra made clear his intention to begin enforcement of the Act on July 1, 2020, as originally planned. This announcement came despite many organizations’ pleas to defer enforcement in order to relieve the additional stress imposed on organizations as they respond to the COVID-19 crisis and continue to work towards ensuring their compliance with the CCPA. While Becerra has not yet published his final regulations on the Act, our review of the three drafts General Becerra has already produced leads us to expect that some aspects of the regulations will remain largely intact in their current form once the final regulations are out.

Multiple Notice Requirements

The CCPA introduces a number of requirements with regard to consumer notice. The CCPA expressly introduces the concept of “layered notices”. This means passive notice requirements in the form of a privacy policy are not all that is required. There are also affirmative notice requirements at different points of a business-consumer relationship – not the least of which is at the point the business collects consumer data.

The CCPA Regulation imposes requirements for notice under sections 999.304, 999.305, and 999.308.  Section 304 lays out a roadmap for the types of notices required under the CCPA.   It states that a business required to comply with the CCPA must have a privacy policy.  It imposes the requirement of a notice at the point a business collects personal information from a consumer.  It also requires that a business provide a notice of a California consumer’s right to opt out if a business is selling the consumer’s personal data.  Finally, under section 999.304, a business must also notify a consumer if it is offering a financial incentive or price differential for the disclosure of personal information.  What isn’t clear around all of these notices is “where do they go?”

The CCPA makes abundantly clear that regardless of the type of notice a business is providing, it needs to be easily understandable, noticeable, interpretable, and accessible.

Specific Content Requirements

Throughout the multiple rounds of revisions, certain aspects of the Attorney General Regulations have remained largely untouched. For that reason, it is reasonable to rely on the following provisions being consistently incorporated into the final version of the Regulations. Accordingly, those preparing for CCPA enforcement beginning July 1 might start by ensuring the following:

  • Any notice or privacy policy provided to consumers:
    • avoids legal jargon and technical language, and is instead prepared in plain, easy-to-understand language (don’t just reproduce the statutory language for categories of data collected);
    • is prepared in a format that is readable, taking into account the types of devices from which a reader may access it (think mobile v. laptop or tablet);
    • is available in the languages consistent with the contracts, disclaimers, announcements, etc. that the company provides in the ordinary course of business;
    • is accessible to those with disabilities.
  • The business’ privacy policy should also generally outline the consumer’s right to know about information collected, disclosed, or sold; their right to request deletion, right to opt out of the sale of personal information, and right to non-discrimination; it should include contact information for questions or concerns, and the date last modified.

Specific Process Requirements

With all the notice requirements come requirements to have processes and procedures in place to actually fulfill the obligations set out in the notices. To that end, the CCPA regulations have been consistent across all three drafts about the need for the following:

  • The business’ privacy policy is conspicuously posted on its website, or otherwise obviously available to consumers;
  • California consumer personal information is not utilized beyond the means initially disclosed at collection;
  • Collection does not happen unless a consumer has been notified;
  • No additional consumer information is collected or used beyond the disclosures at collection, without first notifying the consumer (and the notice has to include all those other notice provisions noted above);
  • Mechanisms for handling consumer requests are in place:
    • Consumers are provided with two or more methods for submitting requests to delete and opt out;
    • Businesses should consider their usual forms of contact with consumers to determine the appropriate mechanism for submitting such requests;
    • Businesses should develop a workflow to ensure requests are acknowledged within 10 business days, and responded to within 45 calendar days;
    • Businesses should ensure that they’re able to verify consumer identity upon receipt of a request to know or delete;
    • Development of a two-step process for requests to opt into the sale of personal information.
  • Appropriate training is performed so employees or contractors handling consumer personal information understand the requirements of the CCPA and Regulations;
  • Record retention schedules and policies are updated to account for consumer records requests;
  • The business has reasonable security measures in place to transmit personal information.

What we Aren’t Sure About

While we do have some insight as to the content of the final regulations, we still have to note that a number of important elements are not yet stable. The components of notice at collection seem to be slightly in flux. Where each notice might be presented (can you combine notices?) is also unclear. The Opt-Out Right also seems to be changing. This is mostly a function of what defines a “sale” and whether there will be exceptions to the currently absolute Opt-Out Right. The same is the case with the notice requirement around financial incentives (but components of this notice haven’t changed too much). Finally, the handling of requests to know/delete seems to be changing as well.

Conclusion

Following two rounds of revisions, we have a better understanding than ever of what will be required of businesses under the CCPA Regulations. Various requirements and components of notice and the handling of consumer requests have remained largely unchanged, making those elements a reliable place to start in terms of CCPA compliance. Attorney General Becerra has no intention at this time to defer the July 1, 2020 enforcement date, so time is of the essence for currently non-compliant businesses.