California recently approved the final regulations to the California Consumer Privacy Act (CCPA), which took effect August 14, 2020. This article highlights some of the most notable changes to the final regulations and identifies broadened areas of enforcement by the California attorney general.
The California attorney general announced on August 14 that the state’s Office of Administrative Law (OAL) approved the final regulations under the CCPA. The attorney general stated that the CCPA regulations go into effect immediately. As we previously reported, the attorney general requested this immediate effective date when the proposed final regulations were submitted to the OAL on June 1, 2020. Businesses operating within the scope of the CCPA must now comply with both the statute and the final regulations.
The final regulations are similar to the proposed regulations submitted on June 1. While the attorney general made several changes that his office characterized as “non-substantive changes for accuracy, consistency, and clarity,” several were substantive although not likely controversial. The attorney general also withdrew certain provisions “for additional consideration.” The key changes made during the OAL review process are outlined below.
The attorney general deleted four provisions that were previously included in the prior proposed regulations.
In addition, the severability clause of the regulations in Section 999.341 was also deleted in its entirety.
No commentary or explanation was provided by the attorney general explaining why these provisions were withdrawn. The attorney general did, however, reserve the right to resubmit each of these four withdrawn provisions “after further review and possible revision.”
It is also worth highlighting that other sections of the CCPA, the final CCPA regulations, and/or California consumer protection laws may impose obligations that are similar to those required by the provisions withdrawn by the attorney general. As a result, these withdrawn revisions do not drastically alter a business’s compliance obligations under California law.
Under the proposed final regulations, businesses could name their notice of the right to opt out as either “Do Not Sell My Personal Information” or “Do Not Sell My Info,” even though the CCPA at Civil Code Section 1798.135 only allowed for the first of these two names. The final regulations deleted the alternative language “Do Not Sell My Info,” bringing it in line with the statute, meaning that businesses must now use only “Do Not Sell My Personal Information” for the required opt-out hyperlink. This change will require businesses to change their websites if they currently use the former “Do Not Sell My Info” phrase.
The final regulations also added the requirement in Section 999.325(g) that a business evaluate and document at least every 12 months “in connection with the requirement to update the privacy policy set forth in the Civil Code section 1798.130, subdivision (a)(5)” whether a reasonable method for verification of the identity of non-accountholders can be established in connection with requests to delete or requests to know. The proposed final regulations had not tied this evaluation and documentation requirement to the privacy policy update requirement.
Before these final regulations were approved, the attorney general’s enforcement of the CCPA was limited to the statute itself. We previously addressed the scope of the attorney general’s CCPA enforcement activity in this article. Although the final regulations do not present significant changes to prior proposed regulations, they do impose obligations with which businesses subject to the CCPA must nonetheless comply, in addition to the statute.
With the final CCPA regulations now approved and in effect, we anticipate broadened attorney general enforcement activity to remedy not just alleged violations of the statute, but also alleged violations of the final regulations.
The Morgan Lewis privacy team is providing practical privacy advice to more than 200 businesses on compliance with the CCPA and proposed regulations. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:
San Francisco
Carla Oakley
Philadelphia
Gregory Parks
Ezra Church
Kristin Hadgis