With Less Than One Month Until Enforcement Begins, CCPA Regulations Give Businesses a To-Do List
Less than one month remains until the July 1 date when California’s attorney general may begin enforcing the California Consumer Privacy Act (CCPA), which went into effect at the beginning of this year. Against this backdrop, California Attorney General Xavier Becerra filed the final proposed regulation for administrative review on Monday. Despite the statutory timetable, questions remain about the timing for administrative review and implementation of the regulations.
OAL's Timetable for Review Unclear
The regulations are substantially the same as the third draft that was released in March. California law requires that regulations be reviewed by the state’s Office of Administrative Law (OAL) to confirm that all requirements of the rulemaking process (such as notice and opportunity for the public to comment) were met. The OAL typically would be required to complete its review within 30 days, but an Executive Order related to COVID-19 has provided OAL with 60 additional days to complete any reviews—which could extend the review process until August.
Attorney General Becerra's submission to the OAL included a request that review be expedited in light of the statutory mandate that rulemaking be complete by July 1. If the OAL does not do so, the effective date of the regulations is unclear.
California law specifies quarterly dates for the implementation of regulations—submissions prior to June 1 would go into effect on July 1, and those submitted during the three months after that would become effective on October 1. However, the law does not specify what happens when the regulation is submitted on time but review is delayed.
Regulations Add New Compliance Tasks
Spanning 29 pages, the regulations contained within the submission include several hundred unique sub-requirements. Even where covered businesses have taken substantial steps to comply with the statutory text of the CCPA, the regulations will likely require additional actions. For instance, the regulations require that organizations:
- Post their privacy notices in accessible format - This may be particularly complicated for ecommerce businesses that may not previously have taken steps to comply with Web Accessibility Guidelines due to the lack of clarity over whether an organization without a brick-and-mortar store is a "public accommodation."
- Consider how to respond to "Do Not Track" Signals - Organizations must honor “user-enabled global privacy controls,” such as browser plugins or privacy settings, as requests to opt out of the sale of personal information. This likely includes the "Do Not Track" settings on browsers or devices—which many organizations currently do not honor due to the lack of standards around implementation.
- Offer a global opt-out option - Organizations must offer consumers the opportunity to take a single action to opt out of all sales of their personal information by the company. Offering granular options is permitted, but the global option must be more prominently presented than the other choices.
- Offer a "Notice at Collection" - In addition to the “Privacy Policy,” an organization must provide a notice to consumers at or before collecting their personal information about the categories of information collected and the purposes for which it will be used. Websites must include a “conspicuous” link to the notice on the introductory page.
If personal information is collected from a mobile device for a purpose that an individual would not reasonably expect, the organization must provide a "just-in-time notice." Because the substantive requirements for this notice are duplicative of the substantive requirements for privacy policies, it is unclear how the two are supposed to interact or whether separate links in a website footer are required.
- Implement a system to maintain records regarding actions taken in response to individual requests while protecting personal information contained in those records - Organizations must maintain logs of consumer requests for access to personal information and their responses (but not necessarily the data provided in response to access requests) for at least 24 months and must not use this information for any other purpose.
- Provide transparency regarding the annual volume of requests received and average response times if the organization processes the personal information of more than 10 million individuals annually - This disclosure must be in the organization’s privacy policy or accessible from a link in the privacy policy and must be updated by July 1 of each calendar year for the prior year.
Another notable change is that businesses registered as data brokers under California's new data broker registration law are not required to contact consumers directly to provide an opportunity to opt out of the sale if they include in their registration a link to their online privacy policy containing instructions explaining how to opt out.
Despite the length of the regulations, some interpretative questions remain unanswered. For instance, a provision in the second version of the regulations stated that an IP address that could not "reasonably" be linked with a particular consumer or household was not personal information. This was deleted in the final version, leaving questions about the application of the CCPA to IP addresses such as how an organization should respond to an individual rights request when it only tracks information by IP address.
Next Steps for Organizations Subject to the CCPA
The OAL's review is not intended to address substantive issues. Organizations must be prepared to comply with the regulations by October 1, if not sooner, and they may face actions for violations of the CCPA as soon as July 1 if the California Attorney General's office can make the case without reference to the regulations.