With Less Than One Month Until Enforcement Begins, CCPA Regulations Give Businesses a To-Do List
Less than one month remains until July 1, the date on which California's attorney general may begin enforcing the California Consumer Privacy Act (CCPA), which went into effect at the beginning of this year. Against this backdrop, California Attorney General Xavier Becerra filed the final proposed regulations for administrative review on Monday. Despite the statutory timetable, questions remain about the timing of administrative review and implementation of the regulations.
OAL's Timetable for Review Unclear
The regulations are substantially the same as the third draft that was released in March. California law requires that regulations be reviewed by the state’s Office of Administrative Law (OAL) to confirm that all requirements of the rulemaking process (such as notice and opportunity for the public to comment) were met. The OAL typically would be required to complete its review within 30 days, but an Executive Order related to COVID-19 has provided OAL with 60 additional days to complete any reviews—which could extend the review process until August.
Attorney General Becerra's submission to the OAL included a request that review be expedited in light of the statutory mandate that rulemaking be complete by July 1. If the OAL does not do so, the effective date of the regulations is unclear.
California law specifies quarterly dates for the implementation of regulations—submissions prior to June 1 would go into effect on July 1, and those submitted during the three months after that would become effective on October 1. However, the law does not specify what happens when the regulation is submitted on time but review is delayed.
Regulations Add New Compliance Tasks
Spanning 29 pages, the regulations contained within the submission include several hundred unique sub-requirements. Even where covered businesses have taken substantial steps to comply with the statutory text of the CCPA, the regulations will likely require additional actions. For instance, the regulations require that organizations:
- Post their privacy notices in an accessible format - This may be particularly complicated for ecommerce businesses that may not previously have taken steps to comply with the Web Content Accessibility Guidelines (WCAG), given the lack of clarity over whether an organization without a brick-and-mortar store is a "public accommodation."
- Consider how to respond to "Do Not Track" Signals - Organizations must honor “user-enabled global privacy controls,” such as browser plugins or privacy settings, as requests to opt out of the sale of personal information. This likely includes the "Do Not Track" settings on browsers or devices—which many organizations currently do not honor due to the lack of standards around implementation.
- Offer a global opt-out option - Organizations must offer consumers the opportunity to take a single action to opt out of all sales of their personal information by the company. Offering granular options is permitted, but the global option must be more prominently presented than the other choices.
- Provide "just-in-time" notices on mobile devices - If personal information is collected from a mobile device for a purpose that an individual would not reasonably expect, the organization must provide a "just-in-time notice." Because the substantive requirements for this notice duplicate those for privacy policies, it is unclear how the two are supposed to interact or whether separate links in a website footer are required.
- Implement a system to maintain records regarding actions taken in response to individual requests while protecting personal information contained in those records - Organizations must maintain logs of consumer requests for access to personal information and their responses (but not necessarily the data provided in response to access requests) for at least 24 months and must not use this information for any other purpose.
Despite the length of the regulations, some interpretative questions remain unanswered. For instance, a provision in the second version of the regulations stated that an IP address that could not "reasonably" be linked with a particular consumer or household was not personal information. This was deleted in the final version, leaving questions about the application of the CCPA to IP addresses such as how an organization should respond to an individual rights request when it only tracks information by IP address.
Next Steps for Organizations Subject to the CCPA
The OAL's review is not intended to address substantive issues. Organizations must be prepared to comply with the regulations by October 1 if not sooner, and they may face actions for violations of the CCPA as soon as July 1 if the California Attorney General's office can make the case without reference to the regulations.