December 10, 2022

Volume XII, Number 344

Advertisement

December 09, 2022

Subscribe to Latest Legal News and Analysis

December 08, 2022

Subscribe to Latest Legal News and Analysis

December 07, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

California AG Announces CCPA Regulations are Final – And Effective Immediately

California Attorney General Becerra announced Friday afternoon that the Office of Administrative Law (OAL) had approved the final CCPA regulations his office submitted to the OAL in June, and that the review process is complete.  This means that the CCPA Regulations go into effect immediately

According to AG Becerra’s announcement, “With these rules finalized, California breaks ground and leads the nation to protect and advance data privacy. These rules guide consumers and businesses alike on how to implement the California Consumer Privacy Act. As we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security.”

If you have been sitting on the sidelines “waiting for the final regulations,” now is the time to move CCPA compliance to the front burner.   Enforcement of the CCPA itself by the AG’s office began on July 1 (looking back to the January 1 effective date of the statute), but Friday’s announcement means that the regulations are in full force and effect as of now, with all the operational requirements.

Here are some things that you should be doing in light of the regulations:

  • Privacy Notice:   Review your website and data policies to ensure that they conform with the requirements set out in the CCPA regulations.  You must include the following notices:

    • Website privacy notice (prominently featured) with a comprehensive description of your business’ online and offline data collection, sale, and use purpose – including a full description of the rights of a California resident under the CCPA and how to exercise those rights

    • Point of collection notice:  You must have some notice at the point of collectionof information that describes why the information is being collected.   A static link to your privacy policy at the bottom of the website page is not sufficient under the CCPA regulations.

    • Notice of Right to Opt-Out of Sale:   If your business “sells” personal information in the context of CCPA, you must provide a notice of the right to opt-out in accordance with the regulations.

    • Notice of Financial Incentives:  If you offer financial incentives in exchange for personal information (and the regulations have examples), you must provide very specific notice regarding this financial incentive

  • Respond to Consumer Rights Requests:  Your business should already have an operational method in place to respond to consumer rights requests under the CCPA.  It’s essential that your process be in strict compliance with all the CCPA requirements because failures to implement an intake process and act promptly on such requests can lead to consumer complaints and AG investigations.   Your record of consumer requests and responses must be maintained and made available (on request) for 24 months. 

©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume X, Number 230
Advertisement
Advertisement
Advertisement

About this Author

Cynthia Larose Privacy Attorney Mintz Levin
Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732
Advertisement
Advertisement
Advertisement