The deadline for compliance with the California Consumer Privacy Act (CCPA) is rapidly approaching. RJO’s Cybersecurity and Privacy Group can provide customized assistance with CCPA preparation, compliance, and responses to requests from California’s Attorney General and California citizens. The Attorney General released draft implementing regulations on October 10, 2019, and is currently reviewing public comments before final regulations can be released. The Attorney General can begin enforcement six months after final regulations are released, or July 1, 2020, whichever is sooner.
The CCPA will potentially affect a wide variety of businesses in California:
Businesses operating in California should immediately:
The CCPA applies to all entities doing business in California that meet one of the following conditions:
Despite the name, the California “Consumer” Privacy Act applies to all California residents AND households, and will affect businesses that collect personal information of California residents and households. A household is defined as any group of individuals occupying a single dwelling. This provides an even broader basis for considering what information is covered by the CCPA.
The CCPA covers all personal identifiers, protected classifications, commercial information, biometric information, internet activity and history, geolocation data, audio/video/sensory data, professional and employment data, educational information, and inferences made about individuals using any of that data.
While GDPR compliance will provide businesses with some protection, the CCPA contains different requirements and compliance mechanisms, and will require an enhanced compliance infrastructure.
A variety of entities submitted public comments on the draft regulations including industry representatives, privacy advocates, and attorneys. Common themes in the submissions included the need for more practical guidance regarding the implementation of the CCPA, particularly from an operations standpoint. Industry members and attorneys alike spoke about detailed and complicated compliance challenges, such as new technical measures required to recognize signals transmitted by plugins and other consumer tools that are meant to signal consumers’ privacy preferences. Furthermore, many commenters sought clearer, practical guidance, including samples for a “Do Not Sell” button and frameworks for the requisite alternative notices. Written comments are available for public review here.
The CCPA and the Attorney General’s draft regulations leave a number of questions as to how to implement and comply with CCPA requirements. A number of industry groups and other entities have attempted to lay out general guidelines, but the vast majority of companies will need customized implementation plans and assistance with specific requests and potential Attorney General requests for information and investigations. Future enforcement and litigation will help define precise compliance obligations and exemptions under the CCPA.
Federal privacy legislation could preempt some or all of the CCPA, but California has shown a remarkable resiliency in finding areas for state-level legislation that is not preempted by similar federal legislation.
Rogers Joseph O’Donnell specializes in working with corporate and business clients on compliance with complex laws and regulations that impact their business. RJO’s Cybersecurity and Privacy Group is comprised of experienced attorneys from each of its other practice areas, allowing us to understand and tailor our work to our clients’ business needs. For compliance advice or defense of claims, contact any of the Practice Group Chairs or the authors of this article at www.rjo.com.