CCPA enforcement began on July 1. Is your organization prepared? Morrison & Foerster’s Christine Lyon, Mary Race and Robert Famigletti discuss the risks businesses face and how to mitigate them.
With enforcement of the California Consumer Privacy Act of 2018 (CCPA) looming just over the horizon, covered businesses may be surprised to learn that they must look beyond the text of the law in order to achieve full compliance and avoid liability. This is because California Attorney General (AG) Xavier Becerra’s final proposed implementing regulations under the CCPA (the “regulations”) introduce new obligations that extend beyond the scope of the CCPA itself. Below, we discuss five key areas of heightened risks and requirements that companies will need to tackle if they are subject to the CCPA.
5 Areas of Heightened Risk for Businesses
While the regulations include many new requirements not found in the CCPA itself, five areas may warrant particularly close attention:
1. Insufficient Notices
The CCPA requires businesses to provide notice to individuals when collecting their personal information (PI), as well as to post a privacy policy, and the CCPA prescribes many details that must be included. But what happens if a business wants to use or share PI in a manner that is not covered by its notice or privacy policy? Under the regulations, a business must obtain a consumer’s explicit consent if it intends to use the consumer’s PI for a purpose materially different from those outlined in the notice provided when the PI was collected. In other words, simply notifying a consumer that the business intends to use his or her PI for a new purpose, or even permitting the consumer to opt out of the new use, will not suffice. This makes it particularly important for businesses to exercise care in drafting their privacy notices so that the notices accurately reflect not only their current practices but also their anticipated future activities.
Similarly, the CCPA requires businesses to state whether or not they “sell” PI. (Note that “sale” is not limited to selling PI for money, but can include exchanging PI for non-monetary benefits as well.) If a business engages in the “sale” of PI, the CCPA requires the business to give California consumers the right to opt out of the sale of their PI. If a business has not given the consumer an opportunity to opt out and later wishes to start selling his or her PI, the regulations require that the business obtain the consumer’s affirmative authorization before selling PI that the business has already collected. The regulations make it more important than ever for businesses to get their privacy policies right and not assume that they can simply fix any deficiency by posting an updated version.
2. More Hurdles for Financial Incentive Programs
The regulations require that a business give a detailed “notice of financial incentive” when offering consumers a financial incentive related to the collection, retention or sale of their PI, and that it obtain each consumer’s opt-in consent. Most notably, the regulations require that the notice provide a “good faith estimate” of the value of the consumer’s PI that forms the basis for the incentive and describe the method the business used to make that calculation. This relates to the CCPA’s requirement that any such financial incentive must be directly related to the value the business receives from the consumer’s PI. The new requirement pushes beyond that general principle, however, by requiring that businesses determine a method for calculating the monetary value of a consumer’s PI and explain it to the consumer, including by telling the consumer the estimated value of his or her PI. Moreover, this is just one of many areas of continuing ambiguity for financial incentive programs post-CCPA.
3. Obligations to Respond Even to Deficient Requests
The CCPA includes extensive detail about the types of mechanisms that a business must provide to California consumers to allow them to exercise their rights (e.g., toll-free telephone numbers, email addresses and forms). The regulations layer on even more detailed requirements for these mechanisms and require providing more specifics in privacy notices and privacy policies regarding these mechanisms.
What happens if a California consumer disregards those carefully crafted mechanisms and submits a request to know or request for deletion through another channel? Can the business disregard or decline to respond to the request because it was not properly submitted? Under the regulations, the answer is no. The regulations require that the business treat the request as though it had been submitted through one of the proper channels. Further, if the consumer’s request is deficient in another way (for example, the consumer did not provide all of the information the business needs to respond), the regulations require that the business inform the consumer of the deficiency and explain how to correct it.
The regulations also require that a business that denies a consumer’s CCPA request, whether in whole or in part, inform the consumer and explain the specific basis for that denial.
4. Tougher Timing Requirements
The regulations add shorter deadlines for acting on consumer requests under the CCPA. For instance, the CCPA gives a business 45 days to respond to a consumer’s request to know or request to delete, but the regulations also require the business to confirm receipt of the request within 10 business days, so the business must act much more quickly after receiving such requests. The regulations further require that the confirmation of receipt include specific details, including a general description of the business’s process for verifying that the person making the request is actually the consumer he or she claims to be (or an authorized agent of that consumer) and when the consumer should expect a response.
With respect to a consumer’s request to opt out of the sale of his or her PI, the regulations require a business to comply within 15 business days of receipt.
5. New Record-Keeping Requirements
The regulations also create new record-keeping requirements. Under the regulations, a business must maintain records of consumer requests made pursuant to the CCPA and how the business responded to these requests for at least 24 months. The regulations further specify that the business may not use the information contained in the records for any other purposes, subject to limited exceptions.
Next Steps and Takeaways
As of the time of this writing, the regulations are under a procedural review by California’s Office of Administrative Law (OAL). The OAL typically has 30 business days to review proposed regulations, but this period has been extended by an additional 60 calendar days, by executive order, due to the COVID-19 pandemic.
Regulations approved by the OAL are filed with the California Secretary of State and become effective on the next of four quarterly dates (January 1, April 1, July 1 or October 1) following the filing. However, the AG has asked the OAL to expedite its review and approve the regulations within the initial 30 business-day period, and to make the regulations take effect on the date on which they are filed with the Secretary of State.
It is too early to predict when the regulations may be approved and effective, but the AG has made it clear that his office intends to start enforcing the CCPA on July 1, 2020, as scheduled. As a result, businesses subject to the CCPA should ensure that they are ready for the July 1 enforcement date and should take particular note of the new risks and requirements that will arise under the regulations.
Broadly speaking, the CCPA gives California consumers (defined as California residents) landmark new rights with respect to their personal information (PI), including:
- Right to Deletion – The right to request that a business delete any PI that it has collected from the consumer.
- Right to Know – The right to request that a business provide certain details about its collection, use, sale or other disclosure of personal information about the consumer, as well as the right to receive a copy of the specific pieces of PI that it collected about the consumer.
- Right to Opt Out – The right to opt out of the sale of PI. (Note that the requirements are even stricter for the sale of PI of minors under the age of 16.)
- Right to Non-Discrimination – The right to be free from unlawful discrimination for exercising these CCPA rights.
CCPA violations can be costly. The law’s only private right of action is tied to data breaches: a consumer may sue a business directly if the business’s failure to implement and maintain reasonable security procedures and practices results in a breach of the consumer’s non-encrypted or non-redacted PI, in which case the business may incur statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Because the right applies only to non-encrypted or non-redacted PI, encrypting or redacting stored PI takes a breach of that data outside the scope of this private right of action.
The California AG will enforce all other CCPA violations and may impose civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. The CCPA took effect on January 1, 2020, but the law specifies that the AG may not bring an enforcement action until six months after the publication of the regulations or July 1, 2020, whichever is sooner. AG Becerra has consistently reaffirmed his intention to begin enforcing the CCPA on July 1, 2020, even though the regulations have not yet been approved or published.