CCPA: California Attorney General Releases Final Proposed Regulations
On June 1, 2020, the California Attorney General’s office released the third and final set of CCPA proposed regulations (available here). Below, we provide information about the final proposed regulations and enforcement actions.
The CCPA, or the California Consumer Privacy Act of 2018, gives California consumers certain rights to learn about and control how businesses within the CCPA’s scope handle the “personal information” collected by those businesses. A business is subject to the CCPA if it (i) is a for-profit business that collects and controls California residents’ personal information, (ii) does business in the State of California, and (iii) satisfies one of the following:
(a) has annual gross revenues in excess of $25 million; or
(b) receives or discloses the personal information of 50,000 or more California residents, households, or devices on an annual basis; or
(c) derives 50 percent or more of their annual revenues from selling California residents’ personal information.
The regulations consist of forty-two sections, divided into seven articles, that provide detailed guidance on what businesses must do to comply with the CCPA. Relevant articles are: Notice to Consumers; Business Practices for Handling Consumer Requests; Verification of Requests; Special Rules Regarding Minors; and Non-Discrimination.
Of the many regulatory sections, we provide below an overview of a few regulations that appear to expand on what the text of the CCPA requires:
Notice: Covered businesses are required to provide notices when they collect information from consumers. Additionally, the regulations require businesses to provide a “just-in-time notice” when it “collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect.” § 999.305(a)(4).
Requests to Opt-In After Opting Out: All businesses under the CCPA must give consumers the right to opt-out of the sale of their personal information. Consumers may later choose to opt-in to the sale of their information. For those consumers—those who have opted-out and later want to opt-in—the regulations require businesses to use a two-step process “whereby the consumer shall first, clearly request to opt-in and then, separately confirm their choice to opt-in.” § 999.316.
Calculating The Value of Consumer Data: The CCPA allows businesses to provide consumers who have not opted out of the sale of their information, the benefit of the value that information gives the business. For example, if Anna has not opted-out of the sale of her information and her information is worth $1, the business may give Anna a $1 “financial incentive.” The financial incentive can include compensation, or “a different price, rate, level, or quality of goods or services” so long as the difference is “related to the value provided to the business by the consumer’s data.”The regulations include factors relevant to the value of the consumer data, one or more of which a business must take into consideration when determining the financial incentive. Factors include: “(1) The marginal value to the business of the sale, collection, or deletion of a consumer’s data; . . . (4) Revenue generated by the business from sale, collection, or retention of consumers’ personal information; . . . (7) Profit generated by the business from sale, collection, or retention of consumers’ personal information; and (8) Any other practical and reasonably reliable method of calculation used in good faith. § 999.337.
Businesses that violate the CCPA will be subject to civil enforcement actions by the AG. Violating businesses will be given a notice of non-compliance and a 30-day opportunity to cure the non-compliance. Businesses who fail to comply within the 30-days will be subject to an injunction and a civil penalty: $2,500 for each unintentional violation and $7,500 for each intentional violation.
The CCPA also gives consumers the right to bring an action for statutory damages, if the consumer’s nonencrypted and nonredacted personal information is subject to a qualifying data breach. A more in-depth discussion on the data breach provision is available here.
Enforcement Date: July 1, 2020
In the months leading up to the release of the final proposed regulations, and in the midst of the COVID-19 pandemic, businesses have been growing increasingly concerned about their abilities to comply with the CCPA—especially given that it was unclear when the CA AG would release the final proposed regulations. Various businesses and trade groups submitted letters and comments, imploring the AG to delay enforcement of the CCPA.
The AG, however, has declined to delay the enforcement date. He reasons that “businesses have been aware of the requirements that could be imposed as part of the OAG’s regulations,” given that the “proposed rules were released on October 11, 2019, with modifications made public on February 10, 2020 and March 11 2020.” Respite from enforcement actions, however, may be available in the form of prosecutorial discretion. The AG stated: “To the extent that the regulations require incremental compliance, the OAG may exercise prosecutorial discretion if warranted, depending on the particular facts at issue.”
The AG’s regulations were sent to the California Office of Administrative Law (“OAL”) on June 1, 2020. They will become enforceable once the regulations are reviewed by the OAL for procedural compliance with the Administrative Procedure Act, and they are filed with the Secretary of State. Due to the COVID-19 pandemic, the OAL has the usual 30 working days, plus an additional 60 calendar days to review the regulations.