While the United States largely hit the brakes as of March in the wake of the COVID-19 crisis, California Attorney General Xavier Becerra made clear his intentions to begin enforcement of the Act on July 1, 2020, as originally planned. This announcement came despite many organizations’ pleas to defer enforcement in order to relieve the additional stress imposed on organizations as they respond to the COVID-19 crisis and continue to work towards ensuring their compliance with the CCPA. While Becerra has not yet published his final regulations on the Act, our review of the three drafts he has already produced leads us to expect that some aspects of the regulations will remain largely intact in their current form once the final regulations are out.
Multiple Notice Requirements
The CCPA makes abundantly clear that regardless of the type of notice a business is providing, it needs to be easily understandable, noticeable, interpretable, and accessible.
Specific Content Requirements
Throughout the multiple rounds of revisions, certain aspects of the Attorney General Regulations have remained largely untouched. It is therefore reasonable to rely on the following provisions being consistently incorporated into the final version of the Regulations. Accordingly, those preparing for CCPA enforcement beginning July 1 might start by ensuring that each notice:
- avoids legal jargon and technical language, and is instead prepared in plain, easy-to-understand language (don’t just reproduce the statutory language for categories of data collected);
- is prepared in a format that is readable, taking into account the types of devices from which a reader may access it (think mobile v. laptop or tablet);
- is available in the languages consistent with the contracts, disclaimers, announcements, etc. that the company provides in the ordinary course of business;
- is accessible to those with disabilities.
Specific Process Requirements
With all the notice requirements come requirements to have processes and procedures in place to actually fulfill the obligations set out in the notices. To that end, the CCPA regulations have been consistent across all three drafts with the need for the following:
- California consumer personal information is not utilized beyond the means initially disclosed at collection;
- Collection does not happen unless a consumer has been notified;
- No additional consumer information is collected or used beyond the disclosures at collection, without first notifying the consumer (and the notice has to include all those other notice provisions noted above);
- Mechanisms for handling consumer requests are in place:
  - Consumers are provided with two or more methods for submitting requests to delete and opt out;
  - Businesses should consider their usual forms of contact with consumers to determine the appropriate mechanism for submitting such requests;
  - Businesses should develop a workflow to ensure requests are acknowledged within 10 business days, and responded to within 45 calendar days;
  - Businesses should ensure that they’re able to verify consumer identity upon receipt of a request to know or delete;
  - Development of a two-step process for requests to opt into the sale of personal information.
- Appropriate training is performed so employees or contractors handling consumer personal information understand the requirements of the CCPA and Regulations;
- Record retention schedules and policies are updated to account for consumer records requests; and
- The business has reasonable security measures in place to transmit personal information.
What We Aren’t Sure About
While we do have some insight as to the content of the final regulations, we still have to note that a number of important elements are not yet stable. The components of notice at collection seem to be slightly in flux. Where each notice might be presented (can you combine notices?) is also unclear. The Opt-Out Right also seems to be changing. This is mostly a function of what defines a “sale” and whether there will be exceptions to the currently absolute Opt-Out Right. The same is the case with the notice requirement around financial incentives (but components of this notice haven’t changed too much). Finally, the handling of requests to know/delete seems to be changing as well.
Following two rounds of revisions, we have a better understanding than ever of what will be required of businesses under the CCPA Regulations. Various requirements and components of notice and the handling of consumer requests have remained largely unchanged, making those elements a reliable place to start in terms of CCPA compliance. Attorney General Becerra has no intention at this time to defer the July 1, 2020 enforcement date, so time is of the essence for currently non-compliant businesses.