Insight

CCPA: What Companies Need to Do Ahead of July 1 Enforcement

Morgan Lewis Practical Advice on Privacy: Guide to the CCPA

04 juin 2020

With the July 1 enforcement of the California Consumer Privacy Act (CCPA) less than a month away, the state attorney general has finally submitted the final text of the proposed CCPA regulations to the California Office of Administrative Law. This article discusses the current landscape and provides practical steps that companies can take before enforcement begins.

AS JULY 1 ENFORCEMENT DATE APPROACHES, CA ATTORNEY GENERAL TAKES ACTION TO FINALIZE CCPA REGULATIONS

There has been much discussion about when the attorney general would take steps to finalize the proposed regulations by submitting them to the California Office of Administrative Law (OAL) for review. The attorney general has now taken that crucial step, submitting the final text of the proposed regulations to OAL on June 1 and requesting expedited review in the hopes that the regulations will be adopted on or before July 1. As discussed in an earlier alert the attorney general followed the expected path and finalized the text of the proposed regulations without making any further changes to the text of the last modified regulations released on March 11, 2020 (Second Set of Modifications).

The next step is for the OAL to review and approve the final proposed regulations. Once approved by the OAL, the final proposed regulations will be filed with the secretary of state and become enforceable. The OAL normally has 30 working days to review and approve regulations. Governor Gavin Newsom extended this review period for an additional 60 calendar days due to the coronavirus (COVID-19) crisis with an executive order he issued on March 30, 2020. Although the attorney general recognized the extension in the submission to the OAL, the attorney general requested the review to be complete within 30 days so that the regulations are enforceable by July 1, 2020, as mandated by the CCPA.

While it remains unclear whether the final regulations will be in force by July 1, the final text of the proposed regulations provide greater clarity for businesses finalizing their CCPA compliance efforts. Nevertheless, many ambiguities remain, such as the acceptable form for an opt-out button and how the CCPA applies to behavioral advertising.

IT IS CLEAR THAT COVID-19 WILL NOT DELAY CCPA ENFORCEMENT

In addition to questions around when the regulations would be final, there has also been discussion about a possible pushback of the enforcement date to January 2021 in light of the COVID-19 outbreak. A group of trade associations, in two letters addressed to the attorney general, emphasized the effects of operational disruptions created by COVID-19 on businesses’ CCPA compliance efforts such as unavailability of onsite staff to build necessary systems for CCPA compliance. It is now clear that these attempts have not succeeded. In a press release on June 2, 2020, the attorney general emphasized that that the enforcement will begin on July 1, stating “Businesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1.”

PRACTICAL STEPS FOR COMPLIANCE BEFORE JULY 1

Despite the lack of an effective date for the final CCPA regulations, it is important for companies to take the necessary steps to comply with the CCPA before July 1. As highlighted in a previous alert, the attorney general may pursue civil enforcement penalties, which could be substantial, if violations are not cured within 30 days after the attorney general provides notice of the alleged noncompliance. A civil penalty under the CCPA may result in up to a $2,500 fine for each violation and up to a $7,500 fine “for each intentional violation.”[1] The penalties can also accumulate quickly. For example, if a CCPA violation involves 100 consumers, the civil penalty could be up to $250,000 or up to $750,000 for intentional violations. Given the deadline and potential penalties, it is important that companies subject to the CCPA comply with the law. The following are some practical steps for companies to consider before July 1:

  • Amend your website privacy policy: It is possible that the Attorney General’s Office may look at company websites to gauge compliance with CCPA, and companies with websites that lack a CCPA-compliant privacy policy may receive increased scrutiny. Companies must revise their privacy policies to ensure that they address the CCPA requirements, including all of the consumer rights, and post the amended policies on their websites. If companies have mobile applications, the application must also include a CCPA notice and a link to the company privacy policy. (Read our prior LawFlash, Privacy Policy Requirements.)
  • Revise your website home page: Companies that sell personal information must provide a “Do Not Sell My Personal Information” link on their websites. Another easy way to determine noncompliance is identifying the absence of an opt-out link on company websites where a privacy policy indicates that personal information is being sold. Companies that do not sell personal information should clearly state that fact in their privacy policies.
  • Increase your data mapping efforts and form a compliance team: Data mapping is crucial to track the type of personal information that is collected from California consumers, understanding what CCPA requirements apply, and responding to rights requests from California consumers. For example, data mapping helps determine whether companies are engaged in the sale of personal information that triggers the consumer opt-out right, whether companies are providing financial incentives to consumers that trigger a notice requirement, and what types of sensitive data companies are collecting from consumers as such information must be provided to consumers with sufficient particularity as required by the current version of the regulations. In order to track the data mapping process and translate that information into CCPA-compliant processes, businesses must have a compliance team in place.
  • Create a mechanism to receive, verify, and respond to consumer requests: Companies must provide two methods (e.g., a toll-free number or email address) for consumers to submit requests to know and to delete. Also, businesses must have a reasonable method in place to verify that the person making a request to know or a request to delete is the consumer about whom the business has collected information, and must respond in a timely manner to all requests. The proposed regulations require that such verification process must be free of charge.
  • Amend service provider agreements: Businesses must ensure that their existing agreements with third-party vendors or service providers limit the service provider’s use of personal information as prescribed in the CCPA. Without a CCPA-compliant service provider agreement, the disclosure of personal information to a vendor may constitute a sale of personal information that triggers the consumer’s opt-out right.
  • Training, including remotely if necessary: The CCPA also requires training of individuals responsible for handling consumer inquiries, ensuring that they understand the requirements of CCPA and how to respond to consumer rights requests. To comply with the training requirement during the COVID-19 pandemic, companies may need to provide remote CCPA training.
  • Update document retention policies: Companies must update their document retention policies to ensure that all records of consumer requests and the company’s response are maintained for at least 24 months. Companies must also have reasonable security procedures and practices in place to maintain these records as any deficiency in security procedures makes companies vulnerable to security breaches and increases their risk of facing consumer class actions.
  • Notices to employees, job applicants, contractors, officers, and directors; Companies must provide notice to all of these individuals regarding the personal information that is collected and how that information may be used. To the extent that companies are or will be collecting new types of personal information due to COVID-19 and compliance with Centers for Disease Control and Prevention (CDC) and other guidances, it is important to ensure that any notices already provided also cover these new types of information. For companies that accept job applications online, failure to include such a notice on the website is another way that the attorney general would be able to identify lack of compliance with the CCPA. (Read our prior LawFlash, Employee and Other Notices by January 1, 2020, and Related Issues for Employers.)

Coronavirus COVID-19 Task Force

For our clients, we have formed a multidisciplinary Coronavirus COVID-19 Task Force to help guide you through the broad scope of legal issues brought on by this public health challenge. Find resources on how to cope with the post-pandemic reality on our NOW. NORMAL. NEXT. page and our COVID-19 page to help keep you on top of developments as they unfold. If you would like to receive a daily digest of all new updates to the page, please subscribe now to receive our COVID-19 alerts, and download our biweekly COVID-19 Legal Issue Compendium.

HOW CAN WE HELP

The Morgan Lewis privacy team is providing practical privacy advice to more than 100 businesses on compliance with the CCPA, the proposed regulations, and how to ensure compliance before July 1. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:

San Francisco
Carla Oakley
Michelle Park Chiu

Los Angeles
Joseph Duffy

Philadelphia
Gregory Parks
Ezra Church
Kristin Hadgis
Julian Williams

New York
Martin Hirschprung

Washington, DC
Dr. Axel Spies



[1] CCPA, Cal. Civil Code § 1798.155(b).