There has been no lack of drama with the California Consumer Privacy Act (CCPA) - from its introduction and swift passage by the state legislature in 2018 to the California Privacy Rights Act, a new ballot initiative that would expand the provisions of the CCPA. One of the highly anticipated plot lines in this ongoing drama has been whether final regulations would be in place as of the July 1, 2020 enforcement date of the CCPA. The Office of the California AG (OAG) has consistently indicated that this enforcement date would not be extended, but the rule-making process seemed to have stalled. This plot line is finally taking shape, but not without more drama.
On June 1, 2020, the OAG finally submitted the proposed final version of the CCPA regulations to the California Office of Administrative Law (OAL). OAL has 30 working days, plus an additional 60 calendar days under the state's new Executive Order N-40-20 related to the COVID-19 pandemic, to review the regulations for procedural compliance with the state's Administrative Procedure Act. Since the statute mandates that regulations be in place as of July 1, 2020, the OAG petitioned the OAL for an expedited review of the regulations to permit the regulations to be submitted to the California Secretary of State (CSS) prior to July 1. The regulations would become effective upon submission to the CSS.
The proposed final CCPA regulations include a number of requirements not in the statute, so these requirements will need to be reviewed by OAL. The OAL currently has a backlog of over 60 regulations under review. If a fast track review by OAL is not possible and the CCPA regulations are not finalized by July 1, but are finalized by August 31, the regulations would take effect on October 1.
The "as yet to be determined" effective date of the CCPA regulations does not change the over-arching story line. Enforcement of the statutory requirements under the CCPA will begin on July 1, 2020, even if the regulations are not in place as of that date, unless the governor or state legislature makes a special cameo appearance to delay the July 1 enforcement date.
As in the movies, we now have bonus footage, formal commentary from the OAG. The OAG also published a Statement of Reasons (SOR) on July 1, which addresses the comments received by the OAG during the formal rule-making process and provides insight on certain positions taken by the OAG in the final regulations.
The final regulations provide guidance on certain key requirements under the CCPA, including the following:
The regulations do not answer all of the questions raised by the industry. They do not include guidance on the design of a standard "do not sell" opt-out button, determining whether certain data transfers are considered "sales" under the CCPA's broad definition of this term, or how to treat third-party cookies.
The 29 pages of final regulations and 59 pages of SOR are required reading for those charged with implementing and maintaining compliance with the requirements of the CCPA in their businesses. Some of the guidance outlined in the proposed final regulations is highlighted below:
Section 999.304 of the proposed final regulations provides a "roadmap" for businesses subject to the CCPA that outlines the number and type of notices that must be provided to consumers and the conditions under which they are required:
Section 999.313 of the proposed final regulations provides guidance on how to respond to requests to know or requests to delete data submitted by consumers. Businesses should begin reviewing their existing template consumer response forms to determine whether revisions will be needed to add the specific disclosures required under the proposed final regulations. For example, if the proposed final regulations are approved, businesses will need to ensure that when they comply with a consumer's request to delete data, the business informs the consumer that it will maintain a record of the consumer's request as required by the CCPA.
For businesses that are subject to the CCPA but have not yet rolled out the CCPA red carpet, it is time to refocus on the script and begin implementing a CCPA compliance program. For those businesses with Oscar-worthy programs, it is time to review the final regulations and SOR to determine if any changes to your current program will be needed to comply with this new guidance.
The statutory requirements have been in place for some time and were effective as of January 1, 2020. The July 1 enforcement date is only a few weeks away. A notice of noncompliance received from the OAG on or after that date is not an invitation to audition your CCPA compliance program. A notice of noncompliance is a demand that you prove to the OAG that your business has a formal, robust, responsive, and adequately resourced CCPA compliance program in place - and has had that program in place since January 1. There is no easy "exit stage left" option once you receive a notice of noncompliance. Is your CCPA compliance program ready for that regulatory spotlight or still in dress rehearsals?