Last week was a busy week for the California Consumer Privacy Act (CCPA), as Attorney General Xavier Becerra released draft regulations on October 10 and Governor Newsom signed several pending CCPA amendments into law on October 11. The CCPA amendments clarified several important issues, including:
- employee information and business-to-business (B2B) communications are exempt from the CCPA until January 1, 2021;
- the definition of personal information includes information that is “reasonably” capable of being associated with a particular consumer or household, as opposed to “capable” of being associated with a consumer or household; and
- the requirement to provide a toll-free telephone number for consumer requests is eliminated for a business that operates exclusively online and has a direct relationship with the consumer.
The draft regulations focus on consumer notices, business practices for handling consumer requests, verification of those requests, and financial incentives. Specifically, the regulations address four notices required under the CCPA: (1) notice to consumers at or before the collection of personal information; (2) notice of the right to opt out of the sale of personal information; (3) notice relating to financial incentives; and (4) notice through a website privacy policy.
One theme that runs throughout the draft regulations is that consumer notices must be designed and presented so that an average consumer can easily read and understand them. The draft regulations require plain, straightforward language, a format that draws the consumer’s attention to the notice, and availability in every language in which the business provides consumer contracts. They also require businesses to post a clear and conspicuous “Do Not Sell My Personal Information” link on their websites and apps so that California users can opt out of the sale of their personal information.
With respect to business processes, the draft regulations establish the following:
- Required content of a website privacy policy
- Methods businesses must offer for consumers to submit requests
- A requirement that businesses develop a process for responding to consumer requests
- Rules on how businesses may seek additional time to respond to consumer requests, including deletion requests
- Training requirements for personnel who handle consumer inquiries
- Record-keeping guidance so businesses can demonstrate compliance with the CCPA
- Procedures for handling verifiable consumer requests and deletion requests
- Rules allowing a business that maintains password-protected accounts to verify a consumer through its existing authentication practices, provided the business implements reasonable security measures to detect fraudulent activity
- Opt-in requirements for the sale of the personal information of minors under 13 years of age (consent of a parent or guardian) and of minors between 13 and 16 years of age (the minor’s own affirmative consent)
- Rules on discriminatory practices and financial incentive offerings
- Guidance on how to calculate the value of consumers’ data when designing financial incentives, together with a requirement that the business publicly disclose the estimated value of the consumer’s data and the method used to calculate it.
The Attorney General stated that the law is designed to protect more than $12 billion worth of personal information used for advertising every year. The total projected cost of compliance with the regulations over the next decade ranges from $467 million to $16.4 billion, including legal, operational, technical and business costs as well as contingencies such as potential fines or penalties. He has indicated that he will amend the draft regulations to conform to the recent amendments to the law. The deadline for the public to submit comments on the draft regulations is December 6 at 5 p.m. Four public hearings are scheduled in Sacramento, Los Angeles, San Francisco and Fresno, California between December 2 and December 5. Final regulations will be issued after the comment period.
Enforcement of the regulations by the Attorney General will begin on July 1, 2020. Civil penalties run up to $2,500 per violation and up to $7,500 per intentional violation.
The CCPA also gives California residents a private right of action for a data breach of their nonencrypted and nonredacted personal information that results from a company’s failure to implement and maintain reasonable security procedures and practices. Residents can seek statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. This limited private right of action for a data breach is the first of its kind in the nation. The law allows consumers to sue following a data breach without having to prove they suffered actual harm or damages, although a consumer must first give the business written notice and a 30-day opportunity to cure before seeking statutory damages.