
July 15, 2020

Stroock Special Bulletin

By: Christopher R. Fredrich, Quyen T. Truong, Stephen J. Newman

The California Attorney General’s Office (AG) Frequently Asked Questions (FAQs) on the California Consumer Privacy Act (CCPA), available here, aim to educate consumers on their rights, but also will benefit businesses.  While the AG will aggressively exercise its CCPA enforcement authority, which became effective on July 1, 2020, the FAQs’ explanation of the limitations on consumers’ rights, the steps consumers must take to exercise those rights, and the responses from businesses to such requests could reduce businesses’ compliance burden and exposure significantly.  We discuss below three top take-aways from the FAQs. 

First, the FAQs explain that consumers’ private right of action under the CCPA is narrow.  The CCPA, by its plain language, provides a limited private right of action based on the unauthorized access or disclosure of nonencrypted and nonredacted Personal Information resulting from a business’s failure to implement and maintain reasonable security procedures and practices.  See Cal. Civ. Code § 1798.150.  The FAQs not only remind consumers that they “cannot sue businesses for most CCPA violations,” but go further to state that consumers “can only sue a business under the CCPA if there is a data breach, and even then, only under limited circumstances.”  (See FAQs, General Information, No. 7.)  The FAQs’ focus on “data breach” is a major gain for businesses, in the face of plaintiffs’ attempts to sue for alleged violations of other CCPA provisions or use those alleged violations as a basis for other statutory claims, e.g., under California’s Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq.  The FAQs instead encourage consumers to file complaints with the AG if they believe a business has violated the CCPA, which the AG may investigate and prosecute on behalf of all Californians.

Second, the FAQs’ explanation of the process for consumers to submit CCPA requests and for businesses to respond has the potential to reduce disputes and processing burdens significantly.  The FAQs outline the types of CCPA requests consumers can make—i.e., requests to know what Personal Information has been collected, to opt-out of the sale of Personal Information and to delete Personal Information—and what they should do to submit such requests and respond if a business requests more information.  In addition, the FAQs identify grounds upon which businesses may deny each type of request.  For example, a business may deny a consumer’s request to know what Personal Information the business has collected if, among other reasons, the business cannot verify the consumer’s identity to process the request, the business has already provided Personal Information to that consumer more than twice in the last 12 months, disclosure would restrict the business’s ability to comply with its legal obligations, or the information is exempt from the CCPA (e.g., certain medical or consumer credit reporting information). 

Third, the FAQs provide some helpful compliance reminders for businesses.  These go beyond outlining the CCPA disclosures that a business must make and the common locations for placement of privacy policies and notices of data collection.  For instance, the FAQs note that “service providers” are treated differently under the CCPA than the businesses they serve.  With regard to consumer requests, it is the business that is responsible for responding and, if a consumer submits a request to opt-out, to know or to delete to a service provider instead of the business itself, the service provider may deny the request.  (See FAQs, Requests Not to Sell Personal Information, No. 6; Requests to Know Personal Information, No. 6; Requests to Delete Personal Information, No. 6; see also Cal. Civ. Code § 1798.140(v), defining “service provider.”)  Like our June 30, 2020 Special Bulletin on top compliance readiness steps before the July 1, 2020 CCPA enforcement date, the FAQs highlight the importance of personnel training.  Under the AG’s final proposed regulations (which we expect the California Office of Administrative Law to approve shortly), all individuals responsible for handling consumer inquiries about the business’s privacy practices or CCPA compliance must be trained on the requirements of the CCPA and implementing regulations and how to direct consumers to exercise their rights.  Throughout the FAQs, the AG encourages consumers to contact businesses for clarification on various issues, including the status of consumer requests and the businesses’ explanations of the reasons for any denials of such requests.  Businesses should promptly confirm their personnel’s readiness to field these questions. 

The AG plans to periodically update the FAQs, which it notes are “not legal advice, regulatory guidance, or an opinion” of the AG.  The FAQs provide welcome clarification not only for consumers but also for businesses confronting an aggressive AG and plaintiffs’ bar, even as California’s privacy framework is poised to undergo another sea change with the likely adoption of the California Privacy Rights Act on the November 2020 general election ballot. 

Stroock’s Privacy/CCPA Team will continue to report on the latest developments. Our Team has closely monitored California’s evolving privacy framework since the introduction of the first ballot initiative preceding the CCPA. Our work ranges from building pragmatic compliance systems for small businesses to defending global industry leaders against government and private actions. Click here to learn more about Stroock’s Privacy/CCPA capabilities.

This Stroock publication offers general information and should not be taken or used as legal advice for specific situations, which depend on the evaluation of precise factual circumstances. Please note that Stroock does not undertake to update its publications after their publication date to reflect subsequent developments. This Stroock publication may contain attorney advertising. Prior results do not guarantee a similar outcome.