After months of waiting, on June 1, 2020, the California Office of the Attorney General (“AG”) unveiled the final proposed California Consumer Privacy Act (“CCPA”) regulations, which are unchanged from the last version circulated in early March 2020 (summarized here). The AG also published extensive materials, including more than 500 pages of responses to public comments, that provide a wealth of (non-binding) guidance on tricky issues. Finally, the AG requested the Office of Administrative Law to expedite its review to make the regulations effective July 1, 2020, but it is unclear whether that will occur.
This post summarizes some of the key topics raised in the submitted materials, but organizations potentially subject to the CCPA should consider the entirety of the materials for guidance on the many topics not covered in this post.
Clarity on CCPA Thresholds
The AG clarified the following jurisdictional “triggers” for a company to qualify as a “business” subject to the CCPA:
- Annual gross revenues over $25,000,000 are not limited to revenue generated in California or from California residents.
- By contrast, there must be a California resident connection to a “device” or “household” when counting whether a company handles personal information of 50,000 “consumers, households, or devices.”
Do Not Track/Global Privacy Controls
The final proposed regulations state that businesses must honor “user-enabled global privacy controls” that “clearly communicate” a consumer’s choice to opt-out of sale. Many people questioned whether this clause functionally mandated honoring browser Do Not Track (DNT) signals, thereby exceeding existing CA law that only requires companies to disclose whether they honor DNT signals (under the California Online Privacy Protection Act). The AG’s responses to comments do not definitively answer this question, but do provide some indication that DNT is not strictly required. For example:
- The AG states that businesses have “discretion” on whether to use DNT signals as a “useful proxy for communicating a consumer’s privacy choices to businesses and third parties.” The AG also says the regulations “do not prohibit” honoring DNT – a far cry from stating that DNT is now mandatory.
- In an effort to address concerns about standardization, the AG repeatedly emphasizes that global privacy controls are “forward-looking” and will need to be “developed in accordance with these regulations” (emphasis in original). This suggests the AG did not intend to mandate honoring DNT, at least not based on existing DNT signal technology.
- The AG emphasizes that the user-enabled controls must “clearly communicate” the intention to opt-out, which suggests the AG might view existing DNT technology as insufficient to meet that standard.
Financial Incentives
The AG did not provide a bright-line test for what qualifies as a “financial incentive” – which would require the business to obtain opt-in consent and disclose the value of data – but appears to interpret the term broadly. For example:
- The AG rejected numerous requests to narrow the definitions or exclude specific practices.
- The AG emphasized that the “financial incentive” provisions are closely related to the CCPA’s non-discrimination requirements and thus the term “financial incentive” should be interpreted comparably to the term “price or service difference.” In other words, the AG suggests that a “price or service difference” is functionally a “financial incentive” if it relates to activities that implicate individual rights.
- The exchange of a product or service for data qualifies as a financial incentive as much as the exchange of money for data.
Limitations on Service Providers
The AG made clear that service providers can use personal information for only very limited “internal” purposes. According to the commentary, a service provider would be “selling” data if it uses personal information acquired from or on behalf of one business to provide services to another business, because doing so would be for the service provider’s commercial purposes. This means, for example, that if a service provider obtains a consumer’s address to provide services to one business, it cannot then reuse that information (e.g., by updating its internal databases) to provide services to another business.
The AG expressly declined to opine on whether the CCPA’s list of “business purposes” is exhaustive, stating that the issue requires further analysis. On the other hand, the AG clarified that the list of “categories of third parties” provided in the proposed regulations is not exhaustive and that businesses have discretion to determine additional categories.
No Delay in Enforcement
The AG rejected requests to delay enforcement of the regulations given the limited timeframe companies have had to get ready and the ongoing COVID-19 pandemic. Instead, the AG suggested it would exercise prosecutorial discretion – particularly for “newer” incremental changes to the regulations where companies have had less time.
Timing and Next Steps
The AG has emphasized that it intends to enforce the CCPA on July 1, 2020, and has requested expedited review of the regulations to also make them effective on July 1, 2020. Technically, however, the Office of Administrative Law (“OAL”) has thirty working days (plus an additional sixty calendar days pursuant to an Executive Order currently in place) to review and approve the proposed regulations, then file them with the California Secretary of State. If the OAL denies the request for expedited review, that could mean the regulations might not take effect until October 1, 2020 or even January 1, 2021 (depending on the OAL’s approval date).
Two additional developments are also possible this year. First, although unlikely, the AG could issue further guidance to address the many topics the AG declined to address when responding to the CCPA proposed regulations’ public comments. Second, the California Privacy Rights Act (“CPRA”) is knocking at the door, and if it reaches and is approved by CA voters in November it will set in motion another tectonic shift in California privacy law.
What Should Companies Do?
Regardless of when the CCPA regulations become effective, businesses need to take action before July 1, 2020 to update privacy notices, implement processes to comply with individual rights requests, ensure contracts are in place with service providers, and address the many other items the CCPA requires. Given that it is a matter of when – not if – the regulations become effective, smart companies will take the CCPA regulations into account when doing so. Companies with questions should reach out to the authors of this post or their regular SPB contact.