Search Our Website:
After this Alert was released, California updated its website to extend the time for the regulations to be finalized.  The website states in pertinent part:  "The complete package, including the Final Text of Proposed Regulations and the Final Statement of Reasons, is posted below. OAL has 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to review the package for procedural compliance with the Administrative Procedure Act. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law."

The Attorney General for the State of California (AG) has submitted the final draft of California Consumer Privacy Act (CCPA) regulations to the California Office of Administrative Law (OAL). The OAL will now determine whether the AG’s rulemaking process has complied with the relevant notice and comment rulemaking procedures under the California Administrative Procedures Act. If so, the regulations will be finalized and published into law.  The AG has requested that the OAL expedite its review of the regulations so that they may be finalized by the July 1, 2020 statutory deadline and enforcement may begin.

Substantively, the final regulations are identical to the draft published in March 2020.  The companies that were finalizing their CCPA compliance efforts based on the March 2020 draft are well-positioned to continue such efforts. The proposed version of the regulations that are now being finalized provide some much needed clarification of the November 2019 version of the draft regulations. What has remained constant throughout this process is the extraordinary number and scope of the prescribed measures a business must follow to meet each of its compliance obligations under these Regulations and, therefore, the CCPA.

Here are some highlights of both the changes and the level of detail in the Regulations:

Businesses that purchase personal information from third parties only need to provide a notice at collection to the consumer if they sell the consumer’s personal information.  Previously, it was unclear whether a business that purchased personal information from a third party would need to proactively disclose the purchase and provide a notice at collection to each consumer whose information was purchased. Section 999.305(d). 

Employees in California are entitled to notice of the information collected about them, including the categories of and purposes for collecting the employee’s (or prospective employee’s) information.  Until January 1, 2021, the employer is not, however, required to provide a link to the “Do Not Sell My Personal Information” opt-out or the company’s Privacy Policy. Section 999.305(f).

  • Practice Point: Businesses should be aware that this exception regarding alerting employees about collection practices is based on a carve-out of employee data from the CCPA generally. That employee-focused carve-out provision expires in January 2021. After that point (without further action by the CA Legislature), employees will be provided with the full suite of rights under the CCPA. Also note that with respect to any non-employment-related data collected about them (e.g., purchasing habits), employees who are acting in their capacity as consumers, would still have the full suite of CCPA rights (such as deletion requests), regardless of their status as employees.

Service providers:

  • May use personal information for their own limited internal and compliance purposes in addition to performing services on behalf of the business that engaged its services. Section 999.314(c), and
  • May respond to consumer requests to exercise the Right to Know or the Right to Delete by either:  (1) acting on behalf of the business in responding to the request; OR (2) informing a consumer that the request cannot be acted on because it is a service provider. Section 999.314(e). 
    • Practice Point: Consider including a clear procedure in the service agreement for the service provider to follow for notifying the business when it receives a Request to Know or Request to Delete and/or processing the response.

When processing a consumer Request to Know or Request to Delete, a business has 45 calendar days to respond to a request, but 10 business days to confirm receipt of the request. The updated proposed regulations added “business days” to the time that a company must provide initial acknowledgement of receipt. 

Verification of household requests has added requirements when the “household,” does not have a password-protected account with the business. For example, for household-related inquiries, the company must verify the request with all members of the household (or the individual’s parent or guardian, if under the age of 13). Section 999.318.

Verification must be free of charge to the consumer or otherwise the costs must be borne by the business. For example, a notarized statement from the consumer attesting to his/her identity may not be mandated due to the costs associated with notary authorization, unless the company would reimburse the consumer for those costs. Section 999.323(d).

A business must deny any Request to Know specific pieces of personal information if it cannot appropriately verify the identity of the requestor, per Section 999.325(f)-(g). If there is no reasonable method by which a business can verify the identity of the consumer to the degree of certainty required by the regulations, the business must explain why when responding to the request. If the business has no reasonable method by which it can verify consumer(s), the business must explain why in its privacy policy and evaluate and document on a yearly basis whether a reasonable method can be established.

  • Practice Point: For companies that don’t have much experience with identity verification, here are some alternatives to consider:
    • Send a one-time-use access code
    • Confirm known user info
    • Use existing login, security questions
    • Engage third-party commercial ID verification services
    • Request an upload of an invoice or identification document (then be sure to auto-delete after use). 

Searching in response to a Right to Know request has practical limitations. A business does not need to undertake an extensive search of their systems in response to a Request to Know if: 

  • the information is not maintained in a searchable format,
  • the information is maintained solely for legal or compliance purposes,
  • the business does not sell the information, and
  • the business describes to the consumer the categories of information that it did not search due to the above limitations and that their information may be contained in such categories. Section 999.313(c)(3).

The final CCPA regulations are available here.

The California Attorney General’s press release is available here.

The California Attorney General’s supporting materials are available here.