At long last, after several drafts, the Office of the Attorney General of California submitted the final draft of its regulations regarding the California Consumer Privacy Act (“CCPA”) to the California Office of Administrative Law (“OAL”) on June 1, 2020. While individual “Consumers” have been able to bring claims for CCPA violations since it went into effect on January 1, 2020, the Attorney General will begin enforcing the CCPA only on July 1, with no postponement due to COVID-19 complications. Some important updates/clarifications came in the areas pertaining to notice, consumer requests/rights, service providers, and minors.
“Service Providers” will also receive some much-needed clarification and relief under these new regulations. Previously, this role was primarily defined by a small group of restrictions and a certification. The regulations now show that Service Providers have a bit more flexibility in the purposes for which they can use, retain and disclose personal information, namely: to bring on a subcontractor; to improve their services and/or their quality; to detect security incidents; and to comply with applicable laws and regulations.
Another clarification was that if a Service Provider meets one or more of the threshold CCPA criteria, it can also be a Business outside of its Service Provider status with other Businesses. In addition, the regulations indicate that a Service Provider is not obligated to provide a substantive response to any consumer request. A Service Provider can either respond substantively or deny the request because it is simply a Service Provider, referring the consumer to the Business instead.
On the topic of Consumer requests, many Businesses will receive requests from consumers exercising their rights that they will have to verify and respond to in the time frames set by the CCPA. Attorney General Becerra and his team, through this final draft of regulations, have indicated, against the hope of many, that the ability to use “only email” to make and respond to these requests shall be limited to only “requests for access/to know” what knowledge a Business holds about a consumer when the Business operates “exclusively online” and has a direct relationship with the consumer. All other consumer requests will have to have at least two methods of submission, including a toll-free number for requests for deletion and a “form” for requests to opt out of sale of their information.
Also, with respect to the right to opt out, Businesses that collect personal data from consumers online must treat consumer-enabled privacy controls or plugins (such as for disabling cookies) as a valid request to opt out of the sale of their information. Unlike a Business’ obligation to respond within 45 days to other consumer requests, which can be extended up to 90 days, the Business must fulfill a request to opt out of sale within 15 days of receipt of such request.
Finally, if a Business is knowingly selling the information of minors under the age of 13, it will have to create a reasonable, documented procedure/policy to confirm that the person authorizing the sale of the minor’s information is the parent/guardian. This will be in addition to any obligations the Business has under the Children’s Online Privacy Protection Act (“COPPA”).
It is unclear whether the OAL’s review of the final regulations will be complete by the July 1 enforcement date, but it is clear Businesses should update their notices, policies, websites and practices now. McCarter is happy to help with these updates. Contact us as soon as possible, as we anticipate a surge in requests and want to make sure your needs are met.