California Releases Final CCPA Regulations Ahead of July 1 Enforcement Deadline
Privacy & Cybersecurity Update
Date: June 16, 2020
On June 1, California’s Attorney General submitted the final text of the California Consumer Privacy Act (CCPA) regulations to the California Office of Administrative Law (OAL) for approval. The AG also posted the rulemaking record, including the Final Statement of Reasons and its accompanying appendices, which outlines changes made from the initial version to the final version of the regulations and documents the AG’s response to public comments.
Timing of Enforcement
The effective date of the regulations remains somewhat unclear. Procedurally, OAL’s typical 30-day review and approval period was extended to 90 days under Governor Gavin Newsom’s COVID-19 Executive Order, which could allow the OAL to take until October 1 to approve the final regulations. The AG has requested that the OAL expedite its review and adhere to the statutory timeline of 30 business days so the regulations can be effective when enforcement begins on July 1.
Regulations and Interpretive Guidance
The final regulations contain no material substantive changes from the modified regulations the AG released on March 11. The AG also submitted to the OAL the rulemaking record, which consists of supporting information to justify the proposed final regulations, such as a detailed articulation of the AG’s interpretation of the CCPA and rationale for changes made to the regulations during the notice and comment process, the AG’s responses to written comments received during the notice and comment period, and the regulatory impact assessment the AG prepared in 2019.
The materials provide clarification and insight into the AG’s views on several issues regarding the interpretation of, and approach to, the CCPA, including:
- The $25 million annual gross revenue threshold used in calculating whether an organization falls within the CCPA’s definition of a “business” is not limited to revenue generated in California or from California residents.
- When determining a consumer’s residency for purposes of facilitating a data subject request, a business does not have to collect personal information it would not otherwise collect in the ordinary course of business, but “if a consumer demonstrates that they are a resident of California,” the business should comply with the request.
- The indirect collection exemption, under which a business that does not collect personal information directly from a consumer does not need to provide the consumer a notice at collection if the business does not sell the consumer’s personal information, also applies in the employment context.
In addition, the supporting materials provide insight into the right to opt out, which has been one of the more complex issues within the CCPA and its regulations. The right to opt out enables California consumers to request that businesses refrain from selling their personal information to third parties for profit or other valuable consideration. The CCPA requires the AG to develop a uniform opt-out logo or button to promote consumer awareness of the opportunity to opt out of the sale of personal information. Although the requirement for a logo or button was incorporated in an earlier draft of the CCPA regulations, it was excluded from the final version. According to the supporting materials, the requirement was “deleted in response to the various comments received during the public comment period” so the AG can “further develop and evaluate” this requirement.
Lastly, the supporting materials provide useful guidance on the use of third-party service providers to assist in furnishing online advertisements on behalf of a business, which is particularly important when a service provider relies on pixel or other online data to present an advertisement to a consumer. According to the supporting materials, “[t]he CCPA allows a service provider to furnish advertising services to the business that collected personal information from the consumer, and such ads may be shown to the same consumer on behalf of the same business on any website.” Moreover, prohibiting a service provider from placing such ads on the business’s website or a third-party website is “unnecessary because the CCPA would not prohibit the business’s own marketing department from placing the same ads itself.” However, the supporting materials note that although this type of advertising is permissible under the CCPA, it “does not relieve the service provider from its obligation to not share the personal information of the consumer with third parties and does not allow the service provider to use the personal information to provide advertising services to other businesses.”
With the July 1 CCPA enforcement date looming, organizations that fall within the CCPA’s scope should finalize their compliance efforts by closely examining the CCPA regulations, evaluating what changes they need to make, and mapping out a compliance strategy and timeline for completion. They should also take care with the requirements that offer discretion in implementation, and determine whether certain options may pose greater exposure to business risks than others.
It is important to note that the California Privacy Rights Act initiative remains on track to appear on the November 2020 ballot and may add more California privacy requirements and impact the CCPA.
FOR MORE INFORMATION
For more information, please contact:
Steven G. Stransky
Thomas F. Zych
This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.
This document may be considered attorney advertising in some jurisdictions.
© 2020 THOMPSON HINE LLP. ALL RIGHTS RESERVED.