
One Month Countdown to CCPA Enforcement

by Joshua M. Deitz, Cassidy Kim and Renée D. Wasserman

With only a month remaining before the July 1, 2020 enforcement date for the California Consumer Privacy Act (CCPA), California’s Attorney General has just submitted final regulations to California’s Office of Administrative Law for review and approval.  The review process may take up to three months.  As businesses continue to grapple with data privacy compliance efforts amidst the COVID-19 pandemic, the final regulations will provide more detailed guidance for thorny compliance questions that the CCPA left open.  However, businesses should also be aware that California’s data privacy regulations might soon be subject to further change if California votes in favor of the California Privacy Rights Act ballot initiative in November.

RJO’s Cybersecurity and Privacy Group is tackling these challenges and can provide our clients with customized and practical assistance with data privacy preparation and compliance efforts.

CCPA Regulations Will Provide Additional Guidance for Covered Businesses

The Attorney General submitted the final version of the regulations for review on June 1, 2020.  The Attorney General has requested an expedited review of the regulations with the goal that they will be approved within 30 days.  However, OAL procedures currently allow approximately three months to review and approve the regulations before they take final effect, given the OAL’s normal 30-day review period and Governor Newsom’s recent executive order, which provided the office with 60 additional days to review pending regulations.

The final regulations include clarifications on placement and format of collection notices (online and in-person), updates on the application to minors and households, accessibility standards for webpages, methods for submitting and responding to requests to know and delete, training and record-keeping requirements, and a wide variety of other aspects of the law.  RJO’s Cybersecurity and Privacy Group will release additional information on the final regulations after a full review.

In announcing the regulations, the Attorney General indicated that the July 1, 2020 enforcement date will stand.

Privacy Legislation on the Horizon – The California Privacy Rights Act

While CCPA enforcement has yet to commence, the privacy advocates behind the CCPA are forging ahead with their “CCPA 2.0” measure, and recently announced that they have secured enough signatures to place their measure on California’s November ballot.

On May 4, 2020, Californians for Consumer Privacy, a non-profit founded to push for the original CCPA, announced that it had gathered enough signatures to put its California Privacy Rights Act (CPRA) in front of California voters in November.  While county officials are currently verifying the signatures, initial reports to the Secretary of State show a high validity rate.  The verification process must be completed by June 25, 2020, which is the Secretary of State’s deadline to certify the requisite number of signatures for the ballot initiatives.

The CPRA would make significant changes to the CCPA, but would not take effect until January 1, 2023 (though certain provisions would take effect on January 1, 2021).  Among these changes, the CPRA would push back the current CCPA exemptions for employee and business-to-business communications until January 1, 2023.  Those exemptions are currently scheduled to expire at the end of this year, pending further legislation.

The CPRA would amend the CCPA in the following ways:

  • Establish a New Enforcement Agency – The CPRA would establish a new California Privacy Protection Agency to oversee CCPA administration and enforcement. The Agency would be responsible for issuing and amending CCPA regulations, administering compliance programs, investigating and bringing enforcement actions for violations, and providing guidance to consumers and businesses, among other general responsibilities in the area of consumer privacy.
  • Establish a New Category of Personal Information – The CPRA creates a new category of personal information, which requires additional protections. “Sensitive Personal Information” is a broad category, including social security numbers, driver’s licenses, identification cards, and passports; account log-in and password information for financial accounts and credit and debit cards; precise geolocation information; information on racial/ethnic origin and/or religious/philosophical beliefs or union membership; contents of mail/email/text messages; genetic data; identifying biometric information; health information; and information on sexual orientation and lifestyle.  The CPRA creates additional rights for consumers in controlling that information and places additional restrictions on businesses that collect or share that information.  This would require an additional layer of data identification and processing for businesses that collect/receive/store/process sensitive personal information.
  • Restrictions on Legislative Amendments – The CPRA includes a provision restricting the California Legislature’s ability to amend the CCPA. Any amendment would be required to be “consistent with and [to] further the purpose and intent” of the CCPA, which is stated to be the protection of “consumer’s rights, including the constitutional right of privacy.”
  • Restrictions on Precise Geolocation – The CPRA targets “precise geolocation,” defined as data used to identify a consumer within an area of 1,850 feet (approximately five city blocks), and allows consumers to opt-out of this kind of tracking.
  • Expands Data Breach Liability – The CPRA expands the consumer right of action to sue for data breaches to include liability for breach of the combination of emails and passwords, without the consumer having to demonstrate a financial loss. The CPRA also provides that implementing reasonable security procedures following a breach does not constitute a “cure” of that breach for purposes of the consumer right of action.
  • Increased Fines for Violations of Personal Information Pertaining to Minors – The CPRA would increase fines for unintentional violations of personal information pertaining to minors from $2500 to $7500.

As described above, the CPRA would introduce another layer of complexity to CCPA compliance, likely leading to additional rounds of clarifying legislation and new regulations.

How We Can Help Your Company

Rogers Joseph O’Donnell specializes in working with corporate and business clients on compliance with complex laws and regulations that impact their business.  RJO’s Cybersecurity and Privacy Group is comprised of experienced attorneys from each of its other practice areas, allowing us to understand and tailor our work to our clients’ business needs.  For compliance advice or defense of claims, contact any of the Practice Group Chairs or the authors of this article at www.rjo.com.

 

