California’s landmark privacy regulation now has teeth
ANALYSIS Regulations implementing the game-changing California Consumer Privacy Act of 2018 (CCPA) have come into effect.
The regulations fundamentally alter the privacy landscape in the US by giving consumers an extensive set of new privacy rights.
The CCPA went into effect on January 1, 2020, and enforcement of the law commenced on July 1, 2020.
Recently, the finalized version of the CCPA regulations was approved by the California Office of Administrative Law.
These regulations, which came into immediate effect, solidify the obligation of covered organizations to ensure strict compliance with the CCPA’s statutory text and its corresponding rules.
Overall, the final CCPA regulations parallel the original version issued by the California Attorney General (AG) in early 2020, with several notable modifications:
- Opt-Out Link Language: The finalized regulations eliminate the option to use abbreviated “Do Not Sell My Info” language in CCPA-mandated opt-out website links. Instead, businesses will need to use the lengthier “Do Not Sell My Personal Information” language in providing consumers with a link to opt out of the sale of their personal information.
- Additional Notice and Consent Before Using Data for a “Materially Different Purpose”: The finalized regulations eliminate the requirement that companies provide notice and obtain explicit consent before using a consumer’s personal data for a “materially different purpose” than those stated in the entity’s “Notice at Collection”.
- Offline “Do Not Sell” Notices: The finalized regulations eliminate the requirement that entities which “substantially interact with consumers offline” provide consumers with a notice of their right to opt out via an offline method.
- Standards for Opt-Out Methods: The finalized regulations eliminate the requirement that covered entities provide an easy opt-out method for consumers that requires minimal steps to complete, as well as the corresponding prohibition on using methods that would impair a consumer’s ability to opt out.
- Denials of Certain Requests From Authorized Agents: The finalized regulations eliminate the ability of covered entities to deny requests from authorized agents where the agent is unable to provide proof of his or her authorization to act on the consumer’s behalf.
Enforcement of the CCPA by the California AG commenced on July 1, with a retrospective period extending to the statute’s January 1, 2020, effective date.
The CCPA regulations are now also fully in effect, meaning that the AG can pursue enforcement actions under both the CCPA’s statutory language and the regulations.
Approval of the regulations means they are now an active obligation that must be strictly satisfied by all companies that fall under the scope of California’s consumer privacy law.
In particular, companies should consider the following:
- “Do Not Sell” Links: The California AG’s office has indicated that enforcement notices have already been issued as of July 9, 2020. These are believed to relate to the CCPA’s “Do Not Sell” requirements. As such, companies that sell the data of California consumers must ensure they have active “Do Not Sell My Personal Information” links on their sites.
- Opt-Out Notices: Companies that sell California consumers’ data should also ensure they have operational Opt-Out Notices that satisfy the requirements of the finalized Regulations.
- Privacy Policies: In conjunction with its early enforcement actions, the California AG’s office has also been examining covered entities’ privacy policies to ensure compliance with all notice and disclosure requirements mandated by the law. Consequently, companies should review their privacy policies to ensure they satisfy the criteria set forth in the CCPA Regulations.
- Notices at Collection: At the same time, covered entities should ensure they have operational Notices at Collection in place to provide consumers with the mandatory information specified by the finalized Regulations at all points where consumer personal information is collected.
With the final regulations in place, it is expected that the California AG’s office will focus its efforts on enforcing against violations of both the statutory text and the finalized regulations.
Therefore, full and ongoing compliance with the CCPA is critical.