California AG posts final proposed CCPA Regulations and offers insights ahead of July 1 enforcement deadline

Data Protection, Privacy and Security Alert

The California Attorney General has posted the final proposed CCPA Regulations, which were submitted to the California Office of Administrative Law (OAL) on June 1, 2020. The final proposed regulations are virtually unchanged from the prior version, posted on March 11. (You can review our analysis of the prior version here.) Along with the final proposed CCPA regulations, the AG also posted its Final Statement of Reasons (FSOR). The FSOR provides some interesting insights into the AG’s views and potential positions on certain issues.

No pop-up notice requirement. The AG provided a helpful clarification regarding the at/before notice requirement: “A pop-up notice is not required but businesses have discretion to determine how to provide notice in compliance with § 999.305, which requires that the notice be readily available where consumers will encounter it at or before the point of collection.”

Opt-out of sale. A practical challenge for businesses that “sell” personal information via cookies and other means is that when a consumer submits a webform request, that same action should also opt them out of “sales” via third-party tags and cookies (eg, certain targeting cookies): “To allow a business to continue to sell the personal information of consumers who have submitted an opt-out request but before they have utilized their user-enabled control would be inconsistent with the CCPA and regulations.”

Narrow unstructured data exception. Under § 999.313(c)(3), Responding to Requests to Know and Requests to Delete, the FSOR states that new section 3(c) was “added to set forth the conditions under which a business is not required to search for personal information in response to a request to know (emphasis added). This subsection was added in response to comments that were concerned about a business’s burden or inability to search unstructured data for a consumer’s personal information (ie, when a consumer’s personal information is not maintained in a searchable format, such as the return address on a payer’s check).” However, the final rules limit this exception to situations where “the business maintain[s] the personal information solely for legal or compliance purposes, ensur[ing] that the exception is only available when the business cannot avoid the burden by opting to not maintain the personal information.” The FSOR explains that the aim is to impose a data minimization incentive.

Do Not Sell signal requirement on the horizon? The Final Statement of Reasons states that Section 999.315(d)(2) of the final rules requires businesses to accept Do Not Sell signals, when those signals are eventually developed. This requirement is not clear from the text of the regulations and differs from a provision on the same topic in the CPRA Initiative, which is a choice between honoring Do Not Sell signals and posting a Do Not Sell icon. The FSOR contains several arguments defending the Attorney General’s authority to require accepting Do Not Sell signals. If the CPRA is approved in November and the AG’s Office attempts to enforce the requirement before the CPRA’s rulemakings on this issue have occurred, the AG’s authority to impose this requirement ahead of the CPRA regime will likely be contested vigorously.

All in all, the commentary around Do Not Sell, targeted advertising and global privacy controls raises a number of issues and practical challenges.

Enforcement of Regulations. The FSOR states: “To the extent that the regulations require incremental compliance, the OAG may exercise prosecutorial discretion if warranted, depending on the particular facts at issue. Prosecutorial discretion permits the OAG to choose which entities to prosecute, whether to prosecute, and when to prosecute.”

Review process. The CCPA Regulations must go through the OAL review process before they come into force. From June 1, 2020, the OAL has 30 working days, plus an additional 60 calendar days (pursuant to Governor Gavin Newsom’s COVID-19-related Executive Order N-40-20), to review the CCPA Regulations and associated materials for procedural compliance with California’s Administrative Procedure Act. Once approved by the OAL, the final CCPA Regulations will be filed with the California Secretary of State and come into force. Notably, the AG has asked for expedited review of the final proposed CCPA Regulations within 30 business days. The draft regulations contain quite a few requirements that are not in the text of the statute and that require substantive review. The OAL has a significant backlog of regulations to review. Its website currently lists more than 60 proposed regulations in line for review, so a July 1 effective date appears unlikely at this point, although the proposed regulations could take effect on an emergency basis after OAL’s review is complete.

Regardless of the date the regulations take effect, the AG’s Office has now made a final statement on what it intends the regulations to require. This means that companies can proceed to finalize their CCPA compliance programs without worrying about further changes to their CCPA regulation requirements.

Please note that the CPRA Initiative remains on track to appear on the November 2020 ballot and may add more California privacy requirements that would take effect in 2023.

Contact the DLA Piper Privacy team at PrivacyGroup@dlapiper.com for additional information on the implications of the final CCPA Regulations, including any updates that may be needed to your company’s privacy notices, procedures and contracts, and other steps your business may need to take for CCPA compliance.