As we move into the fall, businesses across the country finally have clarity on their compliance obligations under the California Consumer Privacy Act (CCPA). On August 14, 2020, the California Attorney General’s implementing regulations were finalized, with a few small changes worth noting, and enforcement has begun. In addition, the California legislature and the Governor recently enacted amendments ensuring that the employee and business-to-business exemptions upon which many businesses have relied will continue at least through 2021, and clarifying the handling of consumer health and medical data under the CCPA in light of HIPAA. But looming on the horizon is the California Privacy Rights and Enforcement Act (CPRA), a statewide ballot initiative that will be voted on by Californians in November and which would modify and build onto the CCPA. Crucially, however, the CPRA would not go into effect until 2023 — giving businesses considerably more time to prepare than they had for the CCPA.
CCPA Regulations Finalized — With a Few Last Tweaks
On August 14, the California Attorney General announced that the state’s Office of Administrative Law (OAL) had approved the CCPA implementing regulations, which became effective immediately. Most of the changes were revisions for grammar and consistency, but there are five minor updates worth noting:
- “Do Not Sell My Info” Language No Longer Permitted, and the “Button” Disappears. Earlier versions of the regulations allowed a business to use two different phrases for the link to make an opt-out request: “Do Not Sell My Personal Information” and “Do Not Sell My Info.” The final regulations removed the latter option, so companies using “Do Not Sell My Info” need to revise the link to “Do Not Sell My Personal Information.” In addition, while the text of the CCPA required the Attorney General to develop a “recognizable and uniform opt-out logo or button” for the opt-out link — and a confusing “slider” switch appeared in one version of the regulations for that purpose — the final version contains no button or logo a business may use in lieu of the “Do Not Sell My Personal Information” text link.
- Removal of “Materially Different” Consent. The OAL removed a provision that required a business to obtain the consumer’s consent if the business would be using the consumer’s personal information for a purpose materially different from those previously disclosed to the consumer. This provision was likely removed as superfluous rather than to alter a business’s compliance obligations. The text of the CCPA itself requires notice to consumers of all purposes for which their personal information will be used, and Federal Trade Commission (FTC) guidance and enforcement requires consumer consent for material changes in the use of personal information.
- Removal of Primarily “Offline” Companies’ Obligation to Provide Offline Notice. The OAL also removed a provision that required businesses that substantially interact with consumers offline to provide notice to consumers of their opt-out right. This does not have a significant impact on compliance, however, because (i) the business must still provide the required opt-out notice on its website, and (ii) the business must still provide the notice at collection, which must include information about opting out if the business sells personal information.
- Removal of Explicit Requirement to Make Opt-Out Requests “Easy.” An earlier version of the regulations required companies to make the opt-out process “easy for consumers to execute” and take “minimal steps.” The OAL removed this provision, but any difficult or complicated opt-out procedures would risk running afoul of state and federal consumer protection laws against unfairness or deceit.
- Removal of Provision Allowing Denial of “Unproven” Request from Authorized Agent. The penultimate version of the regulations explicitly permitted a business to deny a request from an authorized agent on a consumer’s behalf if the agent did not submit “proof.” Although this provision has been removed, the text of the CCPA itself allows denial of a request for information if the request cannot be adequately verified, and regulations elsewhere allow denial of an opt-out request from an agent if the agent cannot provide the business with the consumer’s signed authorization.
CCPA Amendments Pass, Key Exemptions Extended
The legislature passed — and the Governor recently signed — two amendments that will affect the CCPA:
- AB 1281 will extend the CCPA’s exemptions for personal information collected and shared in the employment and business-to-business contexts through 2021, if the CPRA — which contains the same extensions, but through 2022 — does not pass. The two exemptions would otherwise sunset at the end of 2020. Businesses now have certainty that those two exemptions will continue for at least another year.
- AB 713 exempts from the CCPA de-identified consumer health or medical data that has been handled in accordance with the federal Health Insurance Portability and Accountability Act (HIPAA), alleviating industry concerns that businesses would have to comply with conflicting privacy regimes. It provides additional exemptions regarding the use of personal information (i) in medical research and (ii) by “business associates” of health care entities already covered by federal privacy, security, and data breach notification laws. Finally, it sets forth certain requirements regarding the sale of de-identified information — disclosures to consumers and certain contract language to be included in the transaction — and a prohibition on re-identification of de-identified information (with certain exceptions).
CPRA on the Horizon
As most businesses are surely aware, now that they finally have their CCPA ducks in a row, they are just in time for the next iteration of California privacy law. Californians will vote on the CPRA in the November 3rd election, and there are two key points to know now. First, the vast majority of the CPRA’s provisions would not go into effect until January 1, 2023, giving covered businesses much more time to ramp up than they had for the CCPA. Second, as noted above, passage of the CPRA ensures the continuation of the employee and B2B exemptions through 2022.
Highlights of the CPRA — which will be discussed in greater detail assuming that it passes — include:
- Creates a new category of “sensitive personal information,” the disclosure and use of which consumers can restrict
- Allows consumers to limit geolocation tracking
- Allows consumers to request that businesses correct inaccurate information
- Allows consumers to bring suit if a data breach includes their email and password
- Provides enhanced protections for the personal information of minors
- Removes the CCPA’s 30-day “cure period” for violations
- Restricts “cross-context behavioral advertising,” which is using a consumer’s personal information to target that consumer with certain advertising
- Establishes and funds a new state governmental agency, the California Privacy Protection Agency, to enforce California’s privacy laws and regulations
- Contains language preventing the law from being amended in ways contrary to the law’s stated intent of enhancing consumer privacy
As with the CCPA, if the CPRA passes, a covered business’s more specific compliance obligations will be set forth in implementing regulations that will be issued by the Attorney General’s office. Like the CCPA regulations, the CPRA regulations will be extensive, and will go through an iterative process over a period of months allowing for stakeholder comment. However, businesses should not wait to begin reviewing the text of the CPRA — if voters approve it on November 3 — and alerting their tired IT departments that they now must gear up for round two.