August 5, 2020

Volume X, Number 218

August 05, 2020

Subscribe to Latest Legal News and Analysis

August 04, 2020

Subscribe to Latest Legal News and Analysis

August 03, 2020

Subscribe to Latest Legal News and Analysis

CCPA News: Amendments Signed into Law by the Governor and Draft Regulations Released by the Attorney General

Last week was a busy week for the California Consumer Privacy Act (CCPA), as Attorney General Xavier Becerra released draft regulations on October 10 and Governor Newsom signed several pending CCPA amendments into law on October 11. The CCPA amendments clarified several important issues, including:

  • employee information and business-to-business (B2B) communications are exempt from the CCPA until January 1, 2021

  • the definition of personal information includes information that is “reasonably” capable of being associated with a particular consumer or household, as opposed to “capable” of being associated with a consumer or household

  • elimination of the requirement of a toll-free number for customer contact if a business operates exclusively online and has a direct relationship with a consumer.

The draft regulations focus on consumer notices, business processes, verification requests and financial incentives. Specifically, the regulations address four notices required under the CCPA: (1) notice to consumers at or before the collection of personal information; (2) notice of the right to opt-out of sale of personal information; (3) notice relating to financial incentives; and (4) notice through a website privacy policy.

One theme regarding consumer notices that is obvious throughout the draft regulations is that consumer notices must be designed and presented to consumers so that they are easy to read and understandable to an average consumer. The draft regulations require the use of plain, straightforward language, a format that draws the consumer’s attention to the notice, and requires that the notice be in the languages in which the business provides consumer contracts. It requires businesses to create a button on their website or apps for California users to be able to opt out of the collection of their personal information.

With respect to business processes, the draft regulations establish processes for the following:

  • details regarding the content of a website privacy policy

  • methods for businesses to provide for consumers to submit requests

  • the process for businesses to respond to consumer requests

  • rules regarding how businesses can seek additional time to respond to consumer requests, including deletion requests

  • training requirements

  • record-keeping guidance so businesses can demonstrate compliance with the CCPA

  • procedures regarding verifiable consumer requests and deletion requests

  • rules regarding password-protected accounts so consumers may use their existing password authentication processes if the business implements reasonable security measures to detect fraud

  • processes for businesses to comply with the opt-in requirements regarding the sale of the personal information of minors under 13 years of age, and minors between the ages of 13 and 16

  • processes regarding discriminatory practices and financial incentive offerings

  • guidance regarding how to calculate the value of consumers’ data in designing financial incentives and to require the business to publicly disclose the estimated value of the consumer’s data and the method by which the amount was calculated.

The Attorney General stated that the law is designed to protect over $12 billion worth of personal information used for advertising every year and that the projected cost of compliance with the regulations will range from $467 million to $16.4 million over the next decade, including legal, operational, technical and business costs. He has indicated that he’ll be amending the draft regulations to conform with the recent amendments to the law. The deadline for the public to submit comments on the draft regulations is December 6 at 5 p.m. Four public hearings are scheduled in Sacramento, Los Angeles, San Francisco, and Fresno, California between December 2 and December 5. Final Regulations will be issued after the comment period.

Enforcement of the Regulations by the Attorney General will begin on July 1, 2020, which includes civil penalties of up to $7,500 per violation.

The CCPA also provides California residents the right to sue companies for data breaches of their personal information if the company fails to use reasonable security measures to protect it. Residents can seek damages of between $100 and $750 per consumer per incident under the law. This limited private right of action for a data breach is the first of its kind in the nation. The law allows consumers to sue following a data breach without having to prove they suffered actual harm or damages.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.National Law Review, Volume IX, Number 287


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...

Deborah A. George, Robinson Cole, Cybersecurity lawyer

Deborah George is a member of the firm’s Business Litigation Group as well as its Data Privacy + Cybersecurity Team.

Deb advises clients on and focuses her practice on data privacy and security, cybersecurity, and compliance with related state and federal laws. She also has experience providing counsel in civil litigation and employment law matters.  She has significant experience offering advice and counsel on legal issues related to human services agencies, including Medicaid, as well as  drafting and reviewing contracts, business associate agreements, and data use agreements. 

Prior to joining Robinson+Cole, she served as the Executive Legal Counsel to the State of Rhode Island’s Executive Office of Health & Human Services, where she supervised the legal department, reviewed and drafted legislation, agency policies and regulations, and represented the agency in court and before administrative tribunals. Deb also served as Acting Chief Legal Counsel and Senior Legal Counsel to the Rhode Island Department of Administration, representing the State in contract negotiations, preparing written proposals for contract negotiation, and providing legal representation to various State departments.