Monday, California Attorney General Xavier Becerra submitted the Final Regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL).  Under the California Administrative Procedure Act (APA), the OAL has 30 business days plus 60 calendar days (due to a COVID-related executive order) to determine whether the regulations meet the requirements of the APA.  This final submission comes after various public forums, hearings, commentary, and revisions to the regulations.

Back in April, we discussed our expectations for the Final Regulations, which remain largely unchanged from the March 11, 2020 draft.  In that post, we assessed certain elements of the Regulations that seemed to be in flux, such as notice at collection, financial incentives, consumer opt-out rights, and the handling of requests to know and delete.

Notably, the AG has requested an expedited timeline for OAL review so that the July 1 enforcement date can apply.  Specifically, Attorney General Becerra points to his particularly early submission of his rulemaking package, in advance of his October deadline, in support of his request that the OAL expedite its review consistent with the standard 30 business day requirement. That would bring the Regulations’ effective date close to the CCPA’s specified July 1, 2020 enforcement date.

While some of the aspects of compliance are not crystal clear, such as whether notices may be combined, we do have clarity regarding a majority of the compliance landscape for CCPA, including:

  • a business’s obligations to provide notice of financial incentive;
  • notice at collection on mobile devices, as well as notice requirements for data brokers and employers;
  • a two-tiered notice and policy process for consumers, including language and accessibility requirements;
  • the 4 necessary components required for any notice, also discussed in our last post;
  • the requirement for CCPA training for appropriate employees; and
  • the sunset provision for employee and contractor notice at collection.

The March 11th revisions’ removal of the “opt out” button held firm, as did the addition that a business may not sell personal information gathered prior to the consumer’s notice of the right to opt out, without affirmative consent of the consumer. Consequently, businesses can also be more confident in their implementation of processes for handling requests to know and delete, and should move forward with doing so.

In any event, businesses need to review their notice and data handling practices, as well as their vendor agreements to make sure that the CCPA requirements are addressed.  While there are still some questions, at least now there are concrete actions businesses can take around compliance.

John Tomaszewski

John Tomaszewski specializes in emerging technology and its application to business. His primary focus has been developing trust models to enable new and disruptive technologies and businesses to thrive. In the “Information Age”, management needs to have good advice and counsel on how to protect the capital asset which heretofore has been left to the IT specialists – its data.

John’s expertise in understanding a company’s data protection and management needs provides a specialized point of view which allows for holistic solutions. A good answer should always solve at least three problems.

John has been a co-author of several information security and privacy publications, including the PKI Assessment Guidelines and Privacy, Security and Information Management: An Overview; as well as publishing scholarly works of his own on the topic. He has also provided input to the drafting of various security and privacy laws around the world; including the APEC Cross-Border Privacy Rules system. He is a frequent speaker globally on the topics of cloud computing, Self Regulatory Organizations (“SROs”), cross-border privacy schemes, and secure e-commerce.