Final CCPA Regulations Are Approved and Effective Immediately

In what has become a pattern for the timing of California Consumer Privacy Act (“CCPA”) developments, late last Friday afternoon the California Office of Administrative Law (“OAL”) approved final regulations implementing the CCPA. As we wrote back in June, the California Office of the Attorney General filed its proposed final regulations with the OAL on June 1 and requested that the OAL complete its review within 30 days. The review was not completed within that time period and instead took more than two months. But now that the OAL has approved the final regulations, they are effective immediately, according to the Office of the Attorney General.

As expected, this round of revisions to the regulations does not provide any of the much-needed clarification on key CCPA provisions, such as what disclosures qualify as “sales” under the CCPA. The OAL-approved regulations make numerous syntax, grammatical, and structural changes to the version of the regulations submitted by the Office of the Attorney General. The changes were mostly characterized as “non-substantive.” There were, however, several changes of note that could have an impact for covered businesses:

  • Deletion of subsection 999.305(a)(5): This subsection previously prohibited a business from using a consumer’s personal information for a purpose materially different than those purposes disclosed in the notice at collection without consent. This language would have imposed a rule similar to the Federal Trade Commission’s approach to privacy enforcement, whereby an organization must obtain affirmative consent for material, retroactive changes to privacy policies, privacy notices, and other privacy-related statements or commitments. The deletion is beneficial to covered businesses, but they should keep in mind that material omissions from notices at collection (and elsewhere) may still result in claims and enforcement under state and federal laws that prohibit unfair or deceptive trade practices.
  • Deletion of subsection 999.306(b)(2): This subsection stated that “[a] business that substantially interacts with consumers offline shall also provide notice [of the right to opt out of sales of personal information] to the consumer by an offline method that facilitates consumer awareness of their right to opt-out.” It also provided examples of acceptable offline methods. This revision is beneficial to covered businesses because, in certain circumstances, the deleted text could have required an additional do-not-sell notice that was not mandated by the CCPA statute—possibly the reason why the provision was removed.
  • Deletion of subsection 999.315(c): This subsection read as follows: “A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.” This deletion is good news for covered businesses because it eliminates a potential source of violations under the CCPA based on the Attorney General’s judgment as to what is “easy for consumers to execute” and what “minimal steps” are for purposes of an opt-out mechanism—without accounting for the commercial reasonableness of the business’s approach.
  • Deletion of subsection 999.326(c): This subsection permitted a business to “deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.” This language would have applied to all types of requests. It is possible that the OAL felt the proposed language was overbroad or even unnecessary in light of preexisting language in subsection 999.326(a) and new language added to subsection 999.315(f). As a result of these changes, however, there are different rules depending on the type of request. When an agent submits a request to know or delete, subsection 999.326(a) permits a business to require the consumer to provide the agent with signed permission, verify their own identity directly with the business, and directly confirm with the business that the agent is authorized. Subsection 999.315(f) now states that a business may deny an opt-out request submitted by an agent if the agent cannot provide the business with the consumer’s signed permission. Previously that section permitted a business to deny a request if the agent does not “submit proof” of authorization.

The OAL did not provide any explicit justification that was specific to each of these changes. Rather, the Attorney General’s Addendum to Final Statement of Reasons commenting on the changes states that the above subsections have been withdrawn and the Office of the Attorney General may resubmit the provision “after further review and possible revision.”

An important take-away is that the Office of the Attorney General is no longer limited to enforcing the CCPA statute. It can now bring enforcement actions premised on noncompliance with the regulations, which include additional and more detailed requirements than the statute. For example, the regulations’ requirements pertaining to the contents of a business’s privacy policy are more detailed and explicit (and make somewhat more sense) than the corresponding provisions of the statute. Penalties associated with enforcement by the Office of the Attorney General can range from $2,500 to $7,500 per violation, subject to a 30-day cure period (assuming it is possible to cure the violation).

Covered businesses that have not implemented the regulations—particularly public-facing requirements, such as those associated with privacy policies and individual rights—should reach out to counsel to begin that process immediately. If your organization needs assistance addressing the CCPA, our team is available to assist.