Insight

CCPA Final Regulations Approved and Immediately Enforceable by California Attorney General

Morgan Lewis Practical Advice on Privacy: Guide to the CCPA

August 31, 2020

California recently approved the final regulations to the California Consumer Privacy Act (CCPA), which took effect August 14, 2020. This article highlights some of the most notable changes to the final regulations and identifies broadened areas of enforcement by the California attorney general.

The California attorney general announced on August 14 that the state’s Office of Administrative Law (OAL) approved the final regulations under the CCPA. The attorney general stated that the CCPA regulations go into effect immediately. As we previously reported, the attorney general requested this immediate effective date when the proposed final regulations were submitted to the OAL on June 1, 2020. Businesses operating within the scope of the CCPA must now comply with both the statute and the final regulations.

The final regulations are similar to the proposed regulations submitted on June 1. While the attorney general made several changes that his office characterized as “non-substantive changes for accuracy, consistency, and clarity,” several were substantive although not likely controversial. The attorney general also withdrew certain provisions “for additional consideration.” The key changes made during the OAL review process are outlined below.

Withdrawn Provisions

The attorney general deleted four provisions that were previously included in the prior proposed regulations.

  • Requiring express consent from a consumer before using previously collected information for a materially different purpose. The deleted text of former Section 999.305(a)(5) read: “A business shall not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection. If the business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.”
  • Requiring opt-out right notices through an offline method. The deleted text of former Section 999.306(b)(2) read: “A business that substantially interacts with consumers offline shall also provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out. Such methods include, but are not limited to, printing the notice on paper forms that collect personal information, providing the consumer with a paper version of the notice, and posting signage directing consumers to where the notice can be found online.”
  • Simple methods and minimal steps for consumers to submit opt-out requests. The deleted text of former Section 999.315(c) read: “A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.”
  • Denial of requests from authorized agents that fail to submit proof of their authorization. The deleted text of former Section 999.326(c) read: “A business may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.” Similar language was also deleted from Section 999.315(g). The final regulations include new language in Section 999.315(g) stating that requests may be denied if the agent cannot provide the business with the consumer’s signed permission.

In addition, the severability clause of the regulations in Section 999.341 was also deleted in its entirety.

No commentary or explanation was provided by the attorney general explaining why these provisions were withdrawn. The attorney general did, however, reserve the right to resubmit each of these four withdrawn provisions “after further review and possible revision.”

It is also worth highlighting that other sections of the CCPA, the final CCPA regulations, and/or California consumer protection laws may impose obligations that are similar to those required by the provisions withdrawn by the attorney general. As a result, these withdrawn revisions do not drastically alter a business’s compliance obligations under California law.

Additional Revisions

Under the proposed final regulations, businesses could name their notice of the right to opt out as either “Do Not Sell My Personal Information” or “Do Not Sell My Info,” even though the CCPA at Civil Code Section 1798.135 only allowed for the first of these two names. The final regulations deleted the alternative language “Do Not Sell My Info,” bringing it in line with the statute, meaning that businesses must now use only “Do Not Sell My Personal Information” for the required opt-out hyperlink. This change will require businesses to change their websites if they currently use the former “Do Not Sell My Info” phrase.

The final regulations also added the requirement in Section 999.325(g) that a business evaluate and document at least every 12 months “in connection with the requirement to update the privacy policy set forth in the Civil Code section 1798.130, subdivision (a)(5)” whether a reasonable method for verification of the identity of non-accountholders can be established in connection with requests to delete or requests to know. The proposed final regulations had not tied this evaluation and documentation requirement to the privacy policy update requirement.

Conclusion

Before these final regulations were approved, the attorney general’s enforcement of the CCPA was limited to the statute itself. We previously addressed the scope of the attorney general’s CCPA enforcement activity in this article. Although the final regulations do not present significant changes to prior proposed regulations, they do impose obligations with which businesses subject to the CCPA must nonetheless comply, in addition to the statute.

With the final CCPA regulations now approved and in effect, we anticipate broadened attorney general enforcement activity to remedy not just alleged violations of the statute, but also alleged violations of the final regulations.

Contacts

The Morgan Lewis privacy team is providing practical privacy advice to more than 200 businesses on compliance with the CCPA and proposed regulations. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:

San Francisco
Reece Hirsch
Carla Oakley

Philadelphia
Gregory Parks
Ezra Church
Kristin Hadgis