On August 14, 2020, Xavier Becerra, the Attorney General for California (“the AG”), announced that the final package of regulations for the California Consumer Privacy Act (“CCPA”) was approved by the California Office of Administrative Law (“OAL”).
The regulations that were approved by OAL come after the conclusion of an extensive rulemaking process that included seven (7) public forums, the receipt of over three hundred (300) letters by OAL, an initial forty-five (45) day comment period, and two (2) additional fifteen (15) day comment periods.
Notably, the Attorney General submitted an Addendum to the Final Statement Of Reasons (“the Addendum”) on July 29, 2020, as part of the final rules package, which withdrew certain provisions and made minor changes that clarified the language in the final rules package to make it more consistent with the statute.
As a reminder, the CCPA was signed into law in June 2018 to provide additional protections for consumers and their rights to know, delete, and opt-out of storing their data. The law also gives greater legal recourse to consumers if their data is improperly stored by, and/or stolen from, companies subject to the law.
A consumer that finds a business to be in violation of the CCPA has recourse to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per incident or actual damage, whichever is greater; injunctive or declaratory relief; and/or any other relief the court deems to be appropriate.
The Final Approved Regulations and Final Addendum
The final approved regulations retain most of the text that was submitted as part of the final rules package on June 1, 2020; however, as noted above, the AG did make some changes which were outlined in the July 29 Addendum including:
- The words “or ‘Do Not Sell My Info’” have been removed throughout the final regulations and instead leave the “Do Not Sell My Personal Information” language intact in order to remain consistent with the language of the statute;
- Text stating that “A business shall not use a consumer’s personal information for any purpose other than those disclosed in the notice at collection. If the business intends to use a consumer’s personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.” has been removed and may be revisited by the AG at a later date;
- The requirement to provide notice to the consumer by an offline method in instances where the business interacts with the client substantially offline has been removed; however, businesses subject to CCPA are still required to direct consumers to the opt-out options on their website and those who do not operate a website are still required to provide consumers with physical privacy notices and provide instructions on how to opt-out; and,
- The rule allowing a business to deny a request from an agent that does not submit proof that they have been authorized by the consumer to act on their behalf has been removed because steps for verification of an authorized agent have already been outlined.
As stated in our previous blog on the CCPA proposed final regulations, the CCPA exempts certain information that is collected, processed, sold, or disclosed pursuant to the requirements set forth in the Gramm-Leach-Bliley Act (“GLBA”) and the California Financial Information Privacy Act (“CA SB-1”).
However, what is more than likely not exempt is information such as prospects or lead lists and business contacts, internet usage data, CRM/marketing data, “cookies” data, employee data and deal sourcing data.
Firms should review the final regulations with counsel and if they have not already done so, determine if any of their data collection activities fall under the CCPA.
Additionally, they should (1) review and map the types of consumer data that are captured; (2) take steps to review their policies and procedures for consumer requests to know and delete data; (3) review their procedures for verification of the identities of the consumers making those requests; (4) provide training to employees on how to respond to those requests; (5) review their service providers and how they comply with CCPA; and, (6) review their cybersecurity, privacy, and incident response policies and procedures to ensure that data protection controls are up-to-date.
Jacko Law Group can help your firm analyze the final CCPA regulations and review your firm’s privacy policies to ascertain if your data collection activities are subject to the CCPA. We can also assist you with reviewing your advisory and service agreements to determine if any updates need to be made to acknowledge the CCPA’s requirements.
Our team of attorneys will use our extensive experience to ask detailed questions designed to assist your firm with understanding the CCPA’s requirements and ensure that adequate controls continue to remain in place in order to remain compliant.