CCPA Regulations Finalized and Effective Immediately

On August 14, 2020, the California Office of Administrative Law (the “OAL”) approved final regulations promulgated under the California Consumer Privacy Act of 2018 (the “CCPA”) and filed them with the California Secretary of State.  In accordance with a request from the California Attorney General’s Office when it submitted the regulations for the OAL’s review, the regulations take effect immediately. Although the final regulations filed by the OAL are substantially similar to those submitted to the OAL by the Attorney General’s Office, the final regulations contain non-substantive revisions and the removal of a few notable provisions, primarily relating to businesses that sell personal information. This alert details these removals for businesses subject to the CCPA. For more information on the CCPA regulations, see our prior alerts here, here and here.

Notable Removals

The sections identified below were removed from the final regulations. The Attorney General’s Office provided an Addendum to the Final Statement of Reasons, which notes that the Attorney General’s Office may resubmit these removed sections after further review and possible revision.

Notice of Materially Different Use: Former Section 999.305(a)(5) would have included the following obligation: “if a business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.” It is important to note that Section 1978.100(b) of the CCPA will still apply notwithstanding the omission of Section 999.305(a)(5) from the regulations.  Section 1978.100(b) states that “a business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.”

Offline Opt-Out Notice: Former Section 999.306(b)(2) would have required “a business that substantially interacts with consumers offline” to provide notice to the consumer by an offline method to facilitate consumer awareness of the right to opt-out. With this removal, businesses are no longer expressly required to provide an offline opt-out notice, such as by printing the notice on paper forms that collect personal information, providing the consumer with a paper version of the notice, or posting signage directing consumers to where the notice can be found online.

Opt-Out Request Method Requirements: Former Section 999.315(c) would have required that a business’s methods for submitting requests to opt-out be easy for consumers to execute and require minimal steps to opt-out. It also would have required that a business not utilize a request method designed to subvert or impair a consumer’s decision to opt-out. Under Section 999.315(b), however, when determining which opt-out request methods consumers may use, a business must still consider the methods by which it interacts with consumers, the manner in which the business sells personal information to third parties, available technology, and ease of use by the consumer.

CCPA enforcement began on July 1, 2020 and consumers are already including CCPA-related claims in lawsuits. In light of the start of enforcement, an uptick in litigation, and the immediate effectiveness of the final regulations, companies should be sure to complete and maintain their CCPA compliance efforts, both with regard to the CCPA statutes and the final regulations. If you need assistance with your CCPA compliance efforts or want more information on compliance with the CCPA, including the final regulations, please contact one of our Cybersecurity & Data Privacy attorneys.