CCPAThe California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Despite requests made by multiple trade associations for delay in the enforcement of CCPA due to COVID-19, the California Attorney General’s office has declined to delay enforcement, which is set to begin July 1, despite the AG’s failure to release final regulations.

The AG’s office first released proposed regulations in October 2019, our summary of the draft regulations can be found here. After the new year, the AG released two sets of modifications to the draft regulations on February 10 and March 11. At a privacy and data security conference last week, a staff member from the California state legislature commented that, due to the pressures and working circumstances created by COVID-19, the most recent version of the regulations, published March 11, are likely to be the version used for enforcement beginning in July. Significantly, the office rejected suggestions that the regulations be delayed because corporations are experiencing these same COVID-19 pressures.

In a recent comment to the press, the AG emphasized “the heightened value of protecting consumers’ privacy online” during the pandemic and “encourage[d] businesses to be particularly mindful of data security in this time of emergency.” The AG’s office also released an alert on April 25, 2020 reminding Californian consumers of their data privacy rights under the CCPA. Given the AG’s recent focus on data privacy, businesses should be prepared for enforcement to begin on July 1, which means paying attention to the most recent revisions to the draft regulations.

The revised regulations clarify several of the notice obligations.

  • Businesses that collect personal information through apps for purposes consumers would not reasonably expect must give consumers a “just-in-time” notice at the point of collection, summarizing the categories of personal information collected and linking to the full privacy notice.
  • Businesses cannot use consumers’ personal information for purposes materially different than what was disclosed at collection, unless the business provides notice of this new purpose and consumers explicitly consent.
  • When businesses do not collect personal information directly from consumers, they do not need to provide notice at collection if they do not sell consumers’ personal information.
  • Businesses’ privacy policy requirements would expand to include the following: (a) categories of sources from which businesses collect personal information, (b) details of business purposes for collecting or selling personal information, and (c) special rules for how minors under sixteen years old may opt into personal information sales, if the business has “actual knowledge” it sells personal information of minors under sixteen.
  • Businesses do not need to provide an opt out button for sales if they do not (1) sell personal information or (2) the privacy policy provides notice of its business practice in selling personal information. If businesses collected personal information during a time they did not have an opt-out notice on the website, they cannot sell that information without obtaining affirmative consent from consumers.

The revised regulations provide some guidance for businesses handling consumer requests.

  • Businesses are no longer required to have an interactive webform for consumer requests. Instead, online-only businesses may provide an e-mail address for requests. All other businesses must provide at least two methods, one of which must be a toll-fee number. This modification does not change businesses’ obligation to provide notice of opt-out rights, including the obligation to provide an interactive form for consumers to opt out of personal information sales.
  • Businesses may deny a consumer’s deletion request if they cannot verify the consumer within 45 calendar days. The business must provide information on the particular type of information it has collected on the consumer, without disclosing the specific personal information itself. For example, businesses may respond that they collect identifiers, including social security numbers, without providing the actual number.
  • The size threshold for businesses required to provide CCPA reporting was raised so that now businesses that buy, sell, or share the personal information of 10,000,000 or more consumers in a calendar year must comply. The previous threshold was 4,000,000. Still, no statutory source for this reporting was cited.

The revised regulations provide some guidance for service providers.

  • Service providers may use personal information obtained in the course of providing services to businesses for certain enumerated purposes including improving the quality of the service provider’s services, as long as they do not use the information to build or modify household or consumer profiles, or to refine data from another source.
  • Service providers must stop selling personal information when a consumer opts out of personal information sales with the business. If a service provider receives a customer inquiry, it must either act on behalf of the business or inform the consumer that it cannot do so.