The California Attorney General ("AG") proposed draft regulations to the California Consumer Privacy Act ("CCPA"), which was enacted in 2018 and will go into effect on January 1, 2020 (see prior coverage). They arrived one day before the California Governor signed into law various amendments that make minor revisions, but generally keep the law intact in advance of its effective date.
According to the "Initial Statement of Reasons" released by the AG, the proposed regulations would provide clarity to several provisions of the CCPA dealing with the collection and use of personal data by businesses and organizations. Specifically, the draft regulation clarifies that certain businesses would be required to, among other things:
- notify consumers, at or before the collection of their personal information, concerning (i) what information will be collected and (ii) how the information will be used;
- inform consumers that they may direct the business to stop selling their personal information;
- explain the financial incentives involved with the retention or sale of consumers' personal data;
- provide a comprehensive description of a business's online and offline data collection practices;
- delete a consumer's personal information at their request; and
- not discriminate against a consumer who exercises their rights under the CCPA.
A business is subject to the CCPA if it:
- has over $25 million gross annual revenues;
- transacts in the personal information of over 50,000 consumers, households or devices; or
- earns 50 percent or more of its annual revenue from the sale of consumers' personal information.
A business that maintains personal information from over four million consumers is subject to additional requirements under the law.
The AG also reminded businesses that the CCPA and the European Union's General Data Protection Regulation (or GDPR) are distinct legal frameworks, and that certain companies may be subject to data privacy obligations across multiple jurisdictions.
The AG will hold four public hearings on the proposed regulations between December 2, 2019 and December 5, 2019. Written comments must be submitted by December 6, 2019.
Between the proposed regulations and the statutory amendments, this has been a busy week for firms preparing for CCPA compliance as the law approaches its go-live date. But aside from a one-year stay of the CCPA's applicability to certain employee and business-to-business (B2B) contact information, the changes make clear the CCPA will soon be in effect largely as it has been conceived since its passage last year; hopes for a significant reprieve have been dashed. And while open questions remain, and there is no certainty the proposed regulations will be finalized by January 1, 2020, there is also no avoiding that the CCPA will soon require significant changes in how companies store, sell, and otherwise utilize consumers' personal information. For those companies impacted by the CCPA, time is truly of the essence to ensure compliance before that time comes.