United States: Attorney General Issues Proposed Regulations For California Consumer Privacy Act (CCPA)

On October 11, 2019, the California Attorney General provided notice of proposed regulations concerning the California Consumer Privacy Act (CCPA), California Civil Code §§ 1798.100-1798.198. These regulations are not final and have already been criticized by some as having created confusion rather than clarity. However, businesses with existing privacy policies and procedures should consult with counsel knowledgeable about the regulations to determine whether they need to amend their privacy policies to comply with the CCPA before it goes into effect on January 1, 2020. Because the rights conferred by the European Union’s 2018 landmark General Data Protection Regulation (“GDPR”) differ in many ways from those of the CCPA, businesses should review their privacy policies even if they recently amended them to comply with the European law.

The CCPA will require businesses subject to its terms to provide significant new rights to California consumers regarding their personal information. The “businesses” governed by the CCPA include any for-profit business that:

  1. has gross revenues in excess of $25 million; or
  2. buys, receives, or sells the personal information of 50,000 or more California consumers, households or devices; or
  3. derives 50 percent or more of its annual revenues from selling consumers’ “personal information.”

In contrast to prior laws, the CCPA broadly defines “personal information” as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA thus includes both information previously defined as “personal information,” such as name in combination with identifiers such as a social security number or driver’s license number, plus other information such as purchasing history, biometric information, internet activity, geolocation data, employment information and education information.

The rights conferred by the CCPA on California consumers are in some respects similar to those granted EU residents under the GDPR. These rights include the “right to know,” which gives consumers the ability to request that a business disclose to them certain information, including (1) specific pieces and general categories of information collected about the individual, (2) the purposes for which the information was collected and (3) categories of third parties to whom the personal information was sold. Consumers also have a qualified right to delete certain information collected by the business, a right to direct businesses not to sell their personal information, and a non-discrimination right for exercising their rights under the CCPA.

Significantly, the CCPA, like existing law (including the GDPR), requires businesses to inform consumers “at or before the point of collection” of the categories of personal information collected about them and the purposes for which it will be used. For example, Civil Code § 1798.130 requires businesses subject to the CCPA to disclose in a privacy policy a description of a consumer’s rights under the CCPA, including how the consumer can submit requests for disclosure, deletion and opting-out of the sale of personal information, and additional information regarding data collection and sharing practices.

Under AB 25, which Governor Newsom signed on October 11, 2019, employers are exempted until January 1, 2021 from certain requirements of the CCPA, including those pertaining to information collected “by a business in the course of the natural person acting as a job applicant to, an employer of, director of, officer of, medical staff member of, or contractor of that business.” A forthcoming client alert will address in detail the applicability of the CCPA to employers and employees.

The proposed regulations announced by the California Attorney General’s office provide guidance on how businesses subject to the CCPA must comply with these obligations in their public privacy policies and internal procedures. For example, businesses with online privacy policies relating to their internet sites may need to consider amending those policies to comply with sections 999.305 (notice at collection of personal information) and 999.308 (privacy policy) of the proposed regulations. These regulations include elements that are typical in existing privacy policies, such as a description of the categories of information collected and the purposes for the collection. They also include new requirements for “plain, straightforward language” and avoidance of “technical or legal jargon,” as well as a requirement that the policy be available “in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers.” The regulations also contain unprecedented technical requirements for notices and policies, including announcements of consumers’ rights for deletion of information, description of a business verification process, and the methods that the business will use to validate consumer requests.

An important aspect of the CCPA and the proposed regulations is the requirement that qualifying businesses that collect personal information from consumers by methods other than through a website provide California consumers with notices that are compliant with the CCPA. Thus, professional service firms such as accountants and lawyers must provide their clients with privacy notices at the time of collection that conform to the proposed regulations.

The CCPA is a watershed in U.S. privacy laws. Although there have been proposals to implement a federal statute that will supersede such state privacy laws, the passage of such a law is by no means certain in today’s political climate. Businesses that are subject to the CCPA should therefore promptly act to modify existing policies and procedures to meet the January 1, 2020 deadline.