CCPA Update: Final Proposed Regulations

Privacy & Cybersecurity Newsletter
Summer 2020

On June 1, 2020, the Office of the California Attorney General submitted the final proposed regulations package under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). As described by the California Attorney General in the announcement and accompanying rulemaking factsheet, these final regulations (the CCPA Regs) will now be subject to OAL review for procedural compliance for up to 30 working days, plus an additional 60 calendar days pursuant to an Executive Order related to the COVID-19 pandemic. The CCPA Regs remain unchanged from the second set of revised proposed regulations that were released in March.

With the CCPA Regs finalized, we can explore key provisions in their settled state.

Service Providers. Section 999.314 of the CCPA Regs provides detailed guidance for service providers. This guidance limits the retention, use, or disclosure of personal information in the course of providing services except under a narrow set of conditions: (i) to process or maintain personal information on behalf of or at the direction of the business; (ii) to retain and employ another service provider as a subcontractor; (iii) for internal use to improve the quality of services so long as that does not involve the creation of consumer profiles or informing other data sets acquired from other sources; (iv) to protect against security incidents or illegal activity; or (v) to comply with appropriate legal requests, laws, or requirements.

Personal Information. The first set of revised proposed regulations provided further clarification that identifiers such as IP addresses would only constitute “personal information” if they could be reasonably linked to an identifiable consumer or household. This helpful provision was eliminated from the second set of revised proposed regulations, and against the hope of many commenters, this provision was not added back into the final regulation. Therefore, businesses will need to keep close tabs on automatic collection systems for user technical information, and consider carefully whether the information meets the CCPA definition of personal information.

Required Notices and Policies. The CCPA Regs provide guidance for notices and disclosures to be provided to consumers. Each business subject to the CCPA must provide a (i) privacy policy; (ii) notice at collection; (iii) notice of the right to opt-out; and (iv) notice of any “financial incentive,” if offered. As a variation of the notice at collection, the CCPA Regs also reference a “just in time” notice for mobile apps, and oral notice in person or by telephone.

Privacy policies must follow detailed requirements found in CCPA Regs Section 999.308, notably requiring businesses to meaningfully identify the categories of sources from which personal information is collected, among other requirements. Article 2 of the CCPA Regs provides significant guidance as to the delivery and required content for notices, including notices at collection, opt-out notices, and notices of financial incentive. Businesses that do not collect personal information directly from the consumer and do not sell the consumer’s personal information are not required to provide a notice at collection. See CCPA Regs § 999.305(d). The term “financial incentive” is broadly defined to mean a “program, benefit, or other offering, including payments to consumers, related to the collection, retention, or sale of personal information.” See CCPA Regs § 999.301(j). This broad concept of a “benefit” likely includes a variety of non-monetary services and features that many businesses may not have previously thought of as meeting the common-sense meaning of a financial incentive.

Responding to Consumer Requests. The CCPA Regs contain a number of requirements governing the manner and timeline in which businesses respond to consumer requests to know and requests to delete. See CCPA Regs §§ 999.312-13. Businesses must reply to a request to know or request to delete with a confirmation of receipt and information about how the business will process the request within 10 business days of the request. A business may take up to 45 calendar days to verify a consumer request, and if the business is unable to verify the request within those 45 days, the business may deny the request. Businesses may also notify a consumer, within the initial 45-day window, that the business needs additional time to respond to the consumer’s request, providing an explanation to the consumer of the reason that the request will take more than 45 days. In total, the business may not take longer than 90 calendar days from the date of the initial consumer request to respond to a consumer request.

Requests to opt out must be complied with as soon as is reasonably possible but not later than 15 business days from the date the business receives the request. See CCPA Regs § 999.315. Unlike requests to know and requests to delete, requests to opt out do not need to meet the standards of a “verifiable” request. If a business believes a request to opt out is fraudulent, however, the business may inform the requestor and provide an explanation of why it believes the request is fraudulent.

Accessibility of Notices and Privacy Policy. The CCPA Regs provide guidance for the CCPA’s requirement for making notices and privacy policies “accessible” by reference to “generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.” See CCPA Regs §§ 999.305(a)(2)d and 999.308(a)(1)d.

Businesses subject to CCPA should be aware of these final regulations and how they will guide their particular compliance requirements. The California Attorney General is empowered to begin enforcement of CCPA as of July 1, 2020, and even though these regulations may not be cleared by the OAL for procedural compliance by that date, businesses subject to CCPA should incorporate these regulations’ requirements into their compliance programs as soon as reasonably possible.