On June 1, 2020, the Office of the California Attorney General submitted the final proposed regulations package under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). As described by the California Attorney General in the announcement and accompanying rulemaking factsheet, these final regulations (the CCPA Regs) will now be subject to OAL review for procedural compliance for up to 30 working days, plus an additional 60 calendar days pur-suant to an Executive Order related to the COVID-19 pandemic. The CCPA Regs remain unchanged from the second set of revised proposed regulations that were released in March.
With the CCPA Regs finalized, we can explore key provisions in their settled state.
Service Providers. Section 999.314 of the CCPA Regs provides detailed guidance for service providers. This guidance limits the retention, use, or disclosure of personal information in the course of providing services except under a narrow set of conditions (i) to process or maintain personal information on behalf or at the direction of the business; (ii) to retain and em-ploy another service provider as a subcontractor; (iii) for internal use to improve the quality of services so long as that does not involve the creation of consumer profiles or informing other data sets acquired from other sources; (iv) to protect against security incidents or illegal activity; or (v) to comply with appropriate legal requests, laws, or requirements.
Personal Information. The first set of revised proposed regulations provided further clarification that identifiers such as IP addresses would only constitute “personal information” if they could be reasonably linked to an identifiable consumer or household. This helpful provision was eliminated from the second set of revised proposed regulations, and against the hope of many commenters, this provision was not added back into the final regulation. Therefore, businesses will need to keep close tabs on automatic collection systems for user technical information, and consider carefully whether the information meets the CCPA definition of personal information.
Privacy policies must follow detailed requirements found in CCPA Regs Section 999.308, notably requiring businesses to meaningfully identify the categories of sources from which personal information is collected, among other requirements. Article 2 of the CCPA Regs provides significant guidance as to the delivery and required content for notices, including no-tices at collection, opt-out notices, and notices of financial incentive. Businesses that do not collect personal information directly from the consumer and do not sell the consumer’s personal information are not required to provide a notice at collection. See CCPA Regs § 999.305(d). The term “financial incentive” is broadly defined to mean a “program, benefit, or other offering, including payments to consumers, related to the collection, retention, or sale of personal information.” See CCPA Regs § 999.301(j). This broad concept of a “benefit” likely includes a variety of non-monetary services and features that many businesses may not have previously thought of as meeting the common-sense meaning of a financial incentive.
Responding to Consumer Requests. The CCPA Regs contain a number of requirements for businesses in the manner and timeline for responding to consumer requests to know and requests to delete. See CCPA Regs §§ 999.312-13. Businesses must reply to a request to know or request to delete with a confirmation of receipt and information about how the business will process the request within 10 business days of the request. A business may take up to 45 calendar days to verify a consumer request, and if the business is unable to verify the request within those 45 days, the business may deny the request. Businesses may also notify a consumer, within the initial 45 day window, that the business needs additional time to respond to the consumer’s request, providing an explanation to the consumer of the reason that the request will take more than 45 days. In total, the business may not take longer than 90 calendar days from the date of the initial consumer request to respond to a consumer request.
Requests to opt out must be complied with as soon as is reasonably possible but not later than 15 business days from the date the business receives the request. See CCPA Regs § 999.315. Different from requests to know and requests to delete, requests to opt out do not need to meet the standards of a “verifiable” request. If a business believes a request to opt out is fraudulent, however, the business may inform the requestor and provide an explanation of why they believe the request is fraudulent.
Businesses subject to CCPA should be aware of these final regulations and how they will guide their particular compliance requirements. The California Attorney General is empowered to begin enforcement of CCPA as of July 1, 2020, and even though these regulations may not be cleared by the OAL for procedural compliance by that date, businesses subject to CCPA should incorporate these regulations’ requirements into their compliance programs as soon as reasonably possible.