
June 30, 2020

Stroock Special Bulletin

By: Quyen T. Truong, Christopher R. Fredrich, Stephen J. Newman

Tomorrow, July 1, 2020, the California Attorney General’s Office (AG) will begin exercising its enforcement authority under the California Consumer Privacy Act (CCPA).  Although an even stricter framework of regulation and enforcement has been approved for California’s November ballot and is likely to be adopted, businesses should confirm their CCPA enforcement readiness now, with a close eye to compliance with the AG’s recently finalized implementing rules.  The CCPA, which went into effect on January 1, 2020, grants consumers extensive rights relating to access to, deletion of, and “sale” of non-public “personal information” (NPI) collected by businesses.  The CCPA’s broad definitions of personal information and sale reach virtually any sharing of non-public information relating to an individual, household or device.

Enforcement readiness should include the following areas of focus:

  • Confirm your online privacy policy is CCPA-compliant.  The CCPA requires businesses to revise their privacy policies and post them online.  The AG’s first order of enforcement is to visit businesses’ websites to assess compliance.  Businesses should take particular care to disclose the categories of NPI collected, entities with which it is shared, and the purposes of such sharing.
     
  • Confirm your website has an opt-out link if required. If your business “sells” NPI, your website must include a “Do Not Sell My Personal Information” or “Do Not Sell My Info” link.  Like online privacy policies, non-compliance will be easy for the AG to identify.  Although the AG has dropped a mandated format for the opt-out link, the models included in its earlier proposal and related discussions provide useful insights for compliance.
     
  • Confirm your processes to verify and respond to consumer requests.  In addition to do-not-sell, the CCPA gives consumers the right to request that a business disclose the categories and specific pieces of NPI collected as well as the right to request deletion of that NPI. Businesses must designate two or more methods for consumers to make these requests, which must include, at a minimum, a toll-free number and a website (if the business operates online).  Businesses should establish and test their processes for the handling of consumer requests within the statutory timeframes, not just internally but also in regard to NPI shared with third parties.
     
  • Confirm your training and record-keeping practices.  Businesses should not overlook requirements for personnel training and maintenance of records of consumer requests and how the business responded for a period of 24 months.  Personnel responsible for handling consumer requests should be well trained on the business’s privacy and compliance practices to explain how consumers may exercise their CCPA rights and the business’s response to particular requests.
     
  • Confirm your valuations for financial incentive programs.  Under the CCPA, a business may offer a price or service difference in exchange for the collection, retention and use of NPI if that difference is reasonably related to the value to the business of the consumer’s data.  Businesses should confirm close adherence to the AG’s specific requirements for the calculation and disclosure of this value.  The AG’s regulations direct businesses to consider one or more of the following: the marginal value, average value and/or aggregate value of the sale, collection or deletion of consumers’ data; revenue, expenses and/or net profits related to the sale, collection or retention of NPI; and expenses related to offering or providing for the financial incentive.  Documenting the calculation is key, regardless of the chosen considerations.

Businesses should anticipate that AG enforcement efforts may cover business activities going back to the CCPA’s January 1, 2020, effective date.  We expect the AG to press ahead with aggressive enforcement, following its rejection of requests from a coalition of California businesses to delay enforcement six months due to various compliance challenges, including those related to the COVID-19 pandemic.  Under the CCPA, the AG may recover civil penalties of up to $2,500 for each violation or $7,500 for each intentional violation from non-compliant businesses.

On June 1, 2020, the AG submitted a package of final proposed regulations under the CCPA to the California Office of Administrative Law (OAL) for approval.  The timeframe for the OAL to review the package – normally 30 working days – has been extended 60 calendar days under Governor Newsom’s Executive Order N-40-20 related to the pandemic.  However, the AG has requested that the OAL complete the review on an expedited basis.  Upon approval, the regulations will be filed with the Secretary of State and become enforceable.  We previously issued bulletins concerning earlier iterations of the proposed regulations, available here, here and here.  The AG’s final proposed regulations are largely identical to the last version and leave certain ambiguities, including, among other things, the circumstances constituting a “sale” of NPI.  Along with the final text of the proposed regulations, the package submitted to the OAL contains a Final Statement of Reasons, which summarizes all modifications from the AG’s initial proposed regulations.  Businesses may refer to this Final Statement of Reasons, available here, for additional guidance in assessing their CCPA compliance programs.

As businesses brace for AG enforcement, California’s privacy law framework remains in flux. On June 24, 2020, the Secretary of State confirmed that a new privacy initiative, the California Privacy Rights Act (CPRA), has officially obtained enough signatures in support and will be on the November 2020 ballot.  If approved by California voters, the CPRA will significantly expand the requirements of the CCPA (effective January 1, 2023) and create a new California Privacy Protection Agency to pursue enforcement.

Stroock’s Privacy/CCPA Team will continue to report on the latest developments. Our Team has closely monitored California’s evolving privacy framework since the introduction of the first ballot initiative preceding the CCPA. Our work ranges from building pragmatic compliance systems for small businesses to defending global industry leaders against government and private actions. Click here to learn more about Stroock’s Privacy/CCPA capabilities.

_______________________________________________

For more information:

Quyen T. Truong

Christopher R. Fredrich

Stephen J. Newman

This Stroock publication offers general information and should not be taken or used as legal advice for specific situations, which depend on the evaluation of precise factual circumstances. Please note that Stroock does not undertake to update its publications after their publication date to reflect subsequent developments. This Stroock publication may contain attorney advertising. Prior results do not guarantee a similar outcome.