With only a month remaining before the July 1, 2020 enforcement date for the California Consumer Privacy Act (CCPA), California’s Attorney General has just submitted final regulations to California’s Office of Administrative Law for review and approval. The review process may take up to three months. As businesses continue to grapple with data privacy compliance efforts amidst the COVID-19 pandemic, the final regulations will provide more detailed guidance for thorny compliance questions that the CCPA left open. However, businesses should also be aware that California’s data privacy regulations might soon be subject to further change if California votes in favor of the California Privacy Rights Act ballot initiative in November.
RJO’s Cybersecurity and Privacy Group is tackling these challenges and can provide our clients with customized and practical assistance with data privacy preparation and compliance efforts.
The Attorney General submitted the final version of the regulations for review on June 1, 2020. The Attorney General has requested an expedited review of the regulations with the goal that they will be approved within 30 days. However, OAL procedures currently provide approximately three months to review and approve the regulations before they take final effect when considering the OAL’s normal 30 day review period and Governor Newsom’s recent executive order, which provided the office with 60 additional days to review pending regulations.
The final regulations include clarifications on placement and format of collection notices (online and in-person), updates on the application to minors and households, accessibility standards for webpages, methods for submitting and responding to requests to know and delete, training and record-keeping requirements, and a wide variety of other aspects of the law. RJO’s Cybersecurity and Privacy Group will release additional information on the final regulations after a full review.
In announcing the regulations, the Attorney General indicated that the July 1, 2020 enforcement date will stand.
While CCPA enforcement has yet to commence, the privacy advocates behind the CCPA are forging ahead with their “CCPA 2.0” measure, and recently announced that they have secured enough signatures to place their measure on California’s November ballot.
On May 4, 2020, Californians for Consumer Privacy, a non-profit founded to push for the original CCPA, announced that it had gathered enough signatures to put its California Privacy Rights Act (CPRA) in front of California voters in November. While county officials are currently verifying the signatures, initial reports to the Secretary of State show a high validity rate. The verification process must be completed by June 25, 2020, which is the Secretary of State’s deadline to certify the requisite number of signatures for the ballot initiatives.
The CPRA would make significant changes to the CCPA, but would not take effect until January 1, 2023 (though certain provisions would take effect on January 1, 2021). Among these changes, the CPRA would push back the current CCPA exemptions for employee and business-to-business communications until January 1, 2023. Those exemptions are currently scheduled to expire at the end of this year, pending further legislation.
The CPRA would amend the CCPA in the following ways:
As described above, The CPRA would introduce another layer of complexity to CCPA compliance, likely leading to additional rounds of clarifying legislation and new regulations.
Rogers Joseph O’Donnell specializes in working with corporate and business clients on compliance with complex laws and regulations that impact their business. RJO’s Cybersecurity and Privacy Group is comprised of experienced attorneys from each of its other practice areas, allowing us to understand and tailor our work to our clients’ business needs. For compliance advice or defense of claims, contact any of the Practice Group Chairs or the authors of this article at www.rjo.com.
Disclaimer
The materials provided at this site are offered for informational and educational purposes only, and are not offered as and do not constitute legal advice or legal opinions. The transmission or receipt of information through this website, or communication with Rogers Joseph O’Donnell via email through this website, does not constitute or create an attorney-client relationship between us and any recipient.