Privacy Law Alert: California AG Submits Final CCPA Regulations
On June 1, 2020, the final text of the California Consumer Privacy Act (“CCPA”) regulations was submitted by the California Attorney General to the California Office of Administrative Law (“OAL”) for approval. Once approved, the final regulations will be filed with the Secretary of State and be legally enforceable.
Important takeaways from the final CCPA regulations:
Covered businesses must provide notice about the categories and purpose of personal information being collected from consumers prior to or at the time of collection. The regulations have added a “just-in-time” notice requirement when a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect. The just-in-time notice must contain a summary of the categories of personal information being collected and a link to the full notice at collection.
For example, if the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application. This requirement suggests that the AG’s office has been following FTC judicial enforcement actions involving consumer surprise when apps unexpectedly capture user location.
The regulations have a pre-collection notice exemption for businesses that do not directly collect personal information from consumers and do not sell that information, or if the business is a registered data broker.
Additionally, covered businesses that “sell” personal information – as defined under the CCPA – are required to provide consumers with a link on their homepage with the words “Do Not Sell My Personal Information” or “Do Not Sell My Info,” and an opt-out notice that contains a description of the consumer’s right to opt out of the sale of their personal information. Consumers must also be provided with an interactive form to submit an opt-out request and instructions for other opt-out submission methods.
While covered businesses are required to treat privacy controls such as plugins as opt-outs, the treatment of web browser do-not-track features remains unclear and controversial.
Covered businesses that do not provide opt-out notice are not permitted to sell personal information unless they obtain “affirmative authorization” of the consumer. Affirmative authorization is defined as an “action that demonstrates the intentional decision by the consumer to opt in to the sale of personal information.”
Unless there exists a reasonable and documented belief that a request is not legitimate, opt-out requests must be complied with within fifteen (15) days or less.
Covered businesses that do not sell personal information – and state so in their privacy policies – are not required to provide the opt-out notice.
Privacy policies must clearly set forth and disclose consumers’ rights, including disclosures regarding the collection and use of personal information. Examples include the categories and source of personal information the business collected from consumers in the prior twelve (12) months, and the purpose for collecting or selling personal information. Consumers must also be informed of the categories of personal information that have been disseminated or sold to third parties in the prior twelve (12) months and, for each of those categories of personal information, the third party recipients or purchasers of that information, and whether the business possesses actual knowledge that it sells personal information of minors under sixteen (16) years of age.
With limited exception, the CCPA also possesses “request to know” and “request to delete” requirements. The former is perhaps one of the more challenging obligations for some businesses to comply with.
Consumers are entitled to know what personal information is collected about them. Compliance with this obligation is intricate and marketers should consult with an experienced FTC defense lawyer regarding applicable obligations. For example, an email address may suffice for those that operate exclusively online and possess a direct relationship with consumers, while others may be required to provide a toll-free number and at least one other method for consumers to submit such requests.
Consumers must be provided more than one method to submit deletion requests. Importantly, covered businesses may be permitted to retain consumers’ personal information for back-up or archival purposes. There are also important deletion request receipt, compliance and response time limitations.
The CCPA also contains request verification requirements and standards.
Covered businesses that sell the personal information of minors at least thirteen (13) years of age and under sixteen (16) years of age may only do so following a two-step opt-in process. Parental consent for minors under the age of thirteen (13) is also required.
Covered businesses are also required to provide notice of any financial incentives, defined as “a program, benefit, or other offering, including payments to consumers related to the collection, retention or sale of personal information.”
Covered businesses must maintain records of consumer requests and related responses for no less than twenty-four (24) months. There are new disclosure requirements for covered businesses that know, or should reasonably know, that they buy, receive, sell or share for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year.
Third party service providers can also potentially be liable under the CCPA. A service provider is a for-profit legal entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.
The contract must include several prohibitions.
For example, the service provider cannot retain, use or disclose personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or otherwise specified under the law. Consequently, covered businesses should carefully review existing agreements with third party service providers that collect or process California consumer information.
A service provider that receives personal information by way of their contractual agreement and uses it in violation of the restrictions under the CCPA can be liable for those violations.
Informational purposes only. Not legal advice. May be considered attorney advertising.