Overview
On Friday, August 14, 2020, California Attorney General Xavier Becerra announced that the regulations implementing the California Consumer Privacy Act (CCPA) have been approved by the California Office of Administrative Law (OAL) and are effective immediately. The attorney general had already begun enforcing the CCPA itself on July 1. But now that the regulations have taken effect, the attorney general can begin enforcing their requirements, too, which in some cases go beyond what the statute expressly requires. And the attorney general has signaled that non-compliance can lead to heavy penalties.
The attorney general first released draft regulations in October 2019 and made subsequent modifications in February and March 2020 before submitting the draft "final" regulations to OAL for its review and approval in June 2020. The final regulations that took effect on August 14 are largely the same as the June draft, with mostly technical and grammatical edits. But there are a few material changes in the final version:
- The final regulations no longer require businesses that substantially interact with consumers offline to provide an offline notice of the right to opt out of the sale of their personal information. The earlier draft regulations had suggested that businesses with brick-and-mortar stores would have to provide some form of offline notice such as prominent in-store signage, or printed versions of the notice. Now, the regulations require only that a business post the notice on its website or, if it doesn't have a website, that it use "another method," chosen by the business, to inform consumers of their opt-out right. Note, however, that the CCPA and the regulations still require businesses to notify consumers "at or before the point of collection" of the "categories of personal information to be collected and the purposes" for which the information will be used. So even if an opt-out notice does not need to be provided offline, a "notice-at-collection" does, if personal information is collected offline.
- The final regulations removed a prohibition against using "a consumer's personal information for a purpose materially different than those disclosed in the notice at collection." The regulations also no longer require a business seeking "to use a consumer's previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in a notice at collection…to directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose." Despite these changes, companies that use a consumer's personal information for a purpose different from what was disclosed at the time of collection, without obtaining the consumer's consent to the new use, risk running afoul of California consumer protection laws (as well as the Federal Trade Commission Act's ban on "deceptive acts or practices"). In addition, the CCPA itself still expressly states "[a] business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section."
- The final regulations remove references to the short version of the opt-out link language, suggesting that businesses must use the full "Do Not Sell My Personal Information" language in the links (on their home pages and in their privacy policies) to the online form for requesting to opt out of the sale of personal information.
- The revised regulations make it clear that a business may deny requests to know, requests to delete, and requests to opt out that are received from agents that fail to provide a signed, written permission from the consumer authorizing the agent to act on the consumer's behalf. Language suggesting that it might be sufficient for an agent to provide some other form of proof of its authority has been deleted.
Notably, the final regulations retain requirements that have confounded businesses that offer loyalty programs, sweepstakes, discount offers, and other services or programs that might constitute "financial incentives" that are offered to induce consumers to provide their personal information (or allow their information to be sold). Specifically, the final regulations still require that businesses include in their "notice of financial incentive," "[a]n explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer's data," "[a] good faith estimate of the value of the consumer's data that forms the basis for offering the financial incentive or price or service difference," and "[a] description of the method the business used to calculate the value of the consumer's data." Many businesses have waited to address these requirements, unsure of exactly how to achieve compliance and hoping that the requirements would disappear from the final regulations. Businesses that have waited must therefore scramble to address these requirements, as the regulations are already in effect.
The attorney general began enforcing the CCPA itself on July 1, 2020, sending "Notices of Violation" to businesses that were deemed not to be in compliance with the statute. The CCPA prescribes penalties of between $2,500 and $7,500 "for each violation." While this may seem like a small amount, the attorney general has signaled in the Notices of Violation that he takes a broad view of what constitutes "each violation," quoting case law stating that "what qualifies as a single violation depends on the type of violation involved, the number of victims and the repetition of the conduct constituting the violation—in brief, the circumstances of the case." It is likely, then, that the attorney general would seek to multiply the statutory penalty by, for example, the number of California residents whose personal information was collected during the period in which a business was not in compliance (such as by having an incomplete privacy policy), and by the number of technical violations. The potential costs of non-compliance are therefore more significant than they might appear at first glance.
More information about the CCPA regulations can be found in our client alerts discussing the initial draft of the attorney general’s regulations in October 2019 and the subsequent modifications in February and March 2020.