• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar

McCarter & English Logo

  • People
  • Services
  • Insights
  • Our Firm
    • Leadership Team
    • Social Justice
    • Diversity & Inclusion
    • Pro Bono
    • Client Service Values
  • Join Us
    • Lawyers
    • Summer Associates
    • Patent Professionals
    • Professional Staff
    • Job Openings
  • Locations
    • Boston
    • Philadelphia
    • East Brunswick
    • Stamford
    • Hartford
    • Trenton
    • Newark
    • Washington, DC
    • New York
    • Wilmington
  • Share

Share

Browse Alphabetically:

  • A
  • B
  • C
  • D
  • E
  • F
  • G
  • H
  • I
  • J
  • K
  • L
  • M
  • N
  • O
  • P
  • Q
  • R
  • S
  • T
  • U
  • V
  • W
  • X
  • Y
  • Z
  • All
Bankruptcy, Restructuring & Litigation
Blockchain, Smart Contracts & Digital Currencies
Business Litigation
Cannabis
Coronavirus Resource Center
Corporate
Crisis Management
Cybersecurity & Data Privacy
Delaware Corporate, LLC & Partnership Law
Design, Fashion & Luxury
E-Discovery & Records Management
Energy & Utilities
Environment & Energy
Financial Institutions
Government Affairs
Government Contracts & Global Trade
Government Investigations & White Collar Defense
Healthcare
Immigration
Impact Investing
Insurance Recovery, Litigation & Counseling
Intellectual Property
Labor & Employment Law
Life Sciences
Manufacturing
Products Liability, Mass Torts & Consumer Class Actions
Proptech
Public Finance 
Real Estate
Renewable Energy
Sports & Entertainment
Tax & Employee Benefits 
Technology Transactions
Transportation, Logistics & Supply Chain Management
Trusts, Estates & Private Clients 
Venture Capital & Emerging Growth Companies
  • Broadcasts
  • Events
  • News
  • Publications
  • View All Insights
Search By:
Media item displaying CCPA Enforcement — Ready, Set, Sue!
Main image for CCPA Enforcement — Ready, Set, Sue!
Publications|Alert

CCPA Enforcement — Ready, Set, Sue!

Data Privacy Alert

6.19.2020

At long last, after several drafts, the Office of the Attorney General of California submitted the final draft of its regulations regarding the California Consumer Privacy Act (“CCPA”) to the California Office of Administrative Law (“OAL”) on June 1, 2020. While individual “Consumers” have been able to bring claims for CCPA violations since it went into effect on January 1, 2020, the Attorney General will begin enforcing the CCPA only on July 1, with no postponement due to COVID-19 complications. Some important updates/clarifications came in the areas pertaining to notice, consumer requests/rights service providers, and minors.

One of the principal requirements of the CCPA is that consumers are provided a notice of a “Business” data processing activities and the consumer’s rights at or before the point of collecting the data. These regulations have shed some light on the particulars with respect to the notice. First and foremost, it can be the same as the privacy policy, if the policy has the required disclosures in it. Next, the notice/privacy policy must meet the requirements of the Web Content Accessibility Guidelines (v. 2.1) so that consumers with disabilities are able to fully comprehend and appreciate the substance of the notice provided.

“Service Providers” will also receive some much-needed clarification and relief under these new regulations. Previously, this role was primarily defined by a small group of restrictions and a certification. The regulations now show that Service Providers have a bit more flexibility in terms of what they can use, retain and disclose the personal information for, namely: to bring on a subcontractor; to improve its services and/or their quality; to detect security incidents; and to comply with applicable laws and regulations.

Another clarification was that if a Service Provider meets one or more of the threshold CCPA criteria, it can also be a Business outside of its Service Provider status with other Businesses. In addition, the regulations indicate that a Service Provider is not obligated to provide a substantive response to any consumer request. A Service Provider can either respond substantively or deny the request because it is simply a Service Provider, referring the consumer to the Business instead.

On the topic of Consumer requests, many Businesses will receive requests from consumers exercising their rights that they will have to verify and respond to in the time frames set by the CCPA. Attorney General Becerra and his team, through this final draft of regulations, have indicated, against the hope of many, that the ability to use “only email” to make and respond to these requests shall be limited to only “requests for access/to know” what knowledge a Business holds about a consumer when the Business operates “exclusively online” and has a direct relationship with the consumer. All other consumer requests will have to have at least two methods of submission, including a toll-free number for requests for deletion and a “form” for requests to opt out of sale of their information.

Also, with respect to a request to the right to opt out, Businesses that collect personal data from consumers online must treat consumer-enabled privacy controls or plugins (such as for disabling cookies) as a valid request to opt out of the sale of their information. Unlike a Business’ obligation to respond within 45 days to other consumer requests, which  can be extended up to 90 days, the Business must fulfill a request to opt out of sale within 15 days of receipt of such request.

Finally, if a Business is knowingly selling the information of minors under the age of 13, it will have to create a reasonable, documented procedure/policy to confirm the identity of the person authorizing the sale of the minor’s information is the parent/guardian. This will be in addition to any obligations the Business has under the Children’s Online Privacy Protection Act (“COPPA”).

It is unclear whether the OAL’s review of the final regulations will be complete by the July 1 enforcement date, but it is clear Businesses should update their notices, policies, websites and practices now. McCarter is happy to help with these updates. Contact us as soon as possible, as we anticipate a surge in requests and want to make sure your needs are met.

sidebar

pdfemail

Related People

Media item: Morgan Jones
Morgan Jones

Associate

Media item: Scott M. Smedresman
Scott M. Smedresman

Partner

Related Services

Cybersecurity & Data Privacy
Venture Capital & Emerging Growth Companies
Corporate
Subscribe to our Insights
McCarter & English, LLP
Copyright © 2021 McCarter & English, LLP. All Rights Reserved.
  • Login
  • Attorney Advertising
  • Privacy
  • Awards Methodology
  • Contact
  • Subscribe
  • Sitemap

The McCarter & English, LLP website is for informational purposes only. We do not provide legal advice on this website. We can provide legal advice only to our clients in specific inquiries that they address to us. If you are interested in becoming a client, please contact us, but do not send any information about your specific legal question. We cannot serve as your lawyers until we establish an attorney-client relationship, which can occur only after we follow procedures within our firm and after we agree to the terms of the representation.

Accept Cancel