Last week was a busy week for the California Consumer Privacy Act (CCPA), as Attorney General Xavier Becerra released draft regulations on October 10 and Governor Newsom signed several pending CCPA amendments into law on October 11. The CCPA amendments clarified several important issues, including:

  • employee information and business-to-business (B2B) communications are exempt from the CCPA until January 1, 2021
  • the definition of personal information includes information that is “reasonably” capable of being associated with a particular consumer or household, as opposed to “capable” of being associated with a consumer or household
  • the requirement of a toll-free number for customer contact is eliminated if a business operates exclusively online and has a direct relationship with a consumer.

The draft regulations focus on consumer notices, business processes, verification requests and financial incentives. Specifically, the regulations address four notices required under the CCPA: (1) notice to consumers at or before the collection of personal information; (2) notice of the right to opt-out of sale of personal information; (3) notice relating to financial incentives; and (4) notice through a website privacy policy.

One theme that is obvious throughout the draft regulations is that consumer notices must be designed and presented so that they are easy to read and understandable to an average consumer. The draft regulations require the use of plain, straightforward language and a format that draws the consumer’s attention to the notice, and require that the notice be in the languages in which the business provides consumer contracts. They also require businesses to create a button on their website or apps for California users to be able to opt out of the collection of their personal information.

With respect to business processes, the draft regulations establish processes for the following:

  • details regarding the content of a website privacy policy
  • methods businesses provide for consumers to submit requests
  • the process for businesses to respond to consumer requests
  • rules regarding how businesses can seek additional time to respond to consumer requests, including deletion requests
  • training requirements
  • record-keeping guidance so businesses can demonstrate compliance with the CCPA
  • procedures regarding verifiable consumer requests and deletion requests
  • rules regarding password-protected accounts so consumers may use their existing password authentication processes if the business implements reasonable security measures to detect fraud
  • processes for businesses to comply with the opt-in requirements regarding the sale of the personal information of minors under 13 years of age, and minors between the ages of 13 and 16
  • processes regarding discriminatory practices and financial incentive offerings
  • guidance regarding how to calculate the value of consumers’ data in designing financial incentives, and a requirement that the business publicly disclose the estimated value of the consumer’s data and the method by which the amount was calculated.

The Attorney General stated that the law is designed to protect over $12 billion worth of personal information used for advertising every year and that the projected cost of compliance with the regulations will range from $467 million to $16.4 million over the next decade, including legal, operational, technical and business costs. He has indicated that he’ll be amending the draft regulations to conform with the recent amendments to the law. The deadline for the public to submit comments on the draft regulations is December 6 at 5 p.m. Four public hearings are scheduled in Sacramento, Los Angeles, San Francisco, and Fresno, California between December 2 and December 5. Final Regulations will be issued after the comment period.

Enforcement of the Regulations by the Attorney General will begin on July 1, 2020, and includes civil penalties of up to $7,500 per violation.

The CCPA also provides California residents the right to sue companies for data breaches of their personal information if the company fails to use reasonable security measures to protect it. Residents can seek damages of between $100 and $750 per consumer per incident under the law. This limited private right of action for a data breach is the first of its kind in the nation. The law allows consumers to sue following a data breach without having to prove they suffered actual harm or damages.