With the California Consumer Privacy Act (CCPA) enforcement deadline only a month away, Chief Privacy Officers still must grapple with significant uncertainties about what exactly the law requires.
First, the final regulations issued by the California Office of the Attorney General were just released to the public on June 2, with a request for expedited 30-business-day review by the California State Office of Administrative Law (OAL). As the California Attorney General’s Final Statement of Reasons acknowledges, the regulations contain several requirements that go beyond the text of the law (see below).
Second, the California Privacy Rights Act (CPRA) initiative, which would significantly change the CCPA and make it very difficult to make adjustments to the legislation in the future, has been submitted to the California Secretary of State with more than 900,000 signatures. The CPRA is now subject to sampling of the validity of those signatures. The sampling is to determine by June 25 whether the initiative will appear on the November 2020 election ballot – in which case, it is widely expected to be approved. Sampling completed as of June 1 suggests that CPRA signature validity will be sufficient to put the initiative on the ballot.
Third, it is now clear that Congress will not rush in to preempt the CCPA with a federal privacy law this year. In 2003, Congress rushed to pass the Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM Act) in order to preempt a California class action enforcement spam law before it took effect. But Republicans and Democrats on the Senate Commerce and the House Energy and Commerce Committees have not yet been able to forge consensus on a federal privacy law. They remain far apart on preemption and private class action enforcement. So, there will be no rescuing CCPA “businesses” from compliance with the CCPA. However, when a deal over federal privacy legislation is struck eventually, bills introduced by both parties make clear that privacy requirements will expand further beyond CCPA requirements.
So, what is a Chief Privacy Officer to do about CCPA compliance amidst this uncertainty – not to mention the chaos and dramatic recession brought on by COVID-19?
First, keep your eye on the statute. The CCPA regulations have not been finalized in time to take effect on July 1, the date CCPA privacy enforcement can begin. The California Attorney General’s office, which has exclusive enforcement authority over CCPA privacy requirements, will enforce only the statute until the regulations are approved by the OAL. OAL’s website shows a long backlog of regulations under review, and the proposed regulations contain a number of requirements that are not in the statute and that will require substantive review. It appears unlikely that the CCPA regulations will be approved within the expedited time frame requested by the California Attorney General’s office. And even after the final regulations are approved by OAL, Appendix E to the Final Statement of Reasons states:
To the extent that the regulations require incremental compliance, the OAG may exercise prosecutorial discretion if warranted, depending on the particular facts at issue. Prosecutorial discretion permits the OAG to choose which entities to prosecute, whether to prosecute, and when to prosecute.
Second, focus your available resources on finishing compliance with CCPA statutory privacy requirements and, equally important, on ensuring that you have adequately remediated CCPA “reasonable security” class action risk. Under Civ. Code § 1798.150(a), a business can be sued for a breach resulting from “the business’s violation of the duty to implement and maintain reasonable security procedures and practices….” That part of the CCPA – which went into effect on January 1, 2020 – presents particular risk because notifiable data breaches affecting more than 500 California residents’ “breach notice personal information” require notice to the California Attorney General’s office. Further, the Attorney General’s office posts links to these notice letters online, where plaintiff class action firms can review them in search of potential cases. The optimal way to address this class action risk is to encrypt, redact or remove the name from the data elements that trigger potential litigation risk. Doing any of these things avoids even the obligation to notify of the breach, and so avoids even potential claims.
The privacy provisions of the CCPA statute are operationally very difficult for many businesses, but largely unchanged since the legislation first passed in 2018. Ideally, your organization will have made significant progress toward compliance before the COVID-19 crisis hit. In light of this crisis, the Attorney General’s office, which has complained that it has finite resources to enforce the law, is unlikely to devote these limited resources to pursuing marginal or technical violations, which could also be cured within the thirty-day cure period.
The list of core CCPA statutory privacy “to-dos” includes:
- confirming which parts of your business and data are subject to the CCPA or exempt;
- understanding your data flows sufficiently to post accurate “at collection” and long-form privacy notices, and respond to CCPA rights requests;
- preparing accurate employee, contractor and job applicant “at collection” notices;
- figuring out what data disclosures, if any, are “sales” under the CCPA’s broad definition of this term;
- if any sales occur, making sure you have added a “Do Not Sell” link and implemented (at least) a manual notice-and-compliance mechanism (common compliance options here may include a cookie consent and preference manager tool or ad tech industry or company-specific tools);
- being actively in the process of updating “service provider” agreements with CCPA mandated clauses;
- implementing a front-end process to take in and begin to handle all CCPA rights requests within the deadlines (you have at least 45 days to act on all but Do Not Sell requests);
- implementing and maintaining reasonable security procedures and practices;
- reviewing your loyalty and CCPA “financial incentive” programs where consumers waive any CCPA right, documenting whether the value of the services offered is “reasonably related” to the value of the consumer data you obtain through the program and preparing required notices;
- training your personnel to recognize CCPA rights requests and comply with the CCPA; and
- distributing company-wide communications to ensure that personnel are highly attuned to complaints of non-compliance and know how to contact the privacy office.
Of course, there is far more operationally to CCPA compliance, but at least being able to document compliance steps for the core statutory CCPA rights is likely sufficient to stay “with the herd”. Be advised that the California Attorney General’s office has said that it will investigate non-compliance from the start of this year, so documenting compliance steps undertaken earlier in the year is helpful. And, over time, it will be necessary to build out the CCPA compliance processes and procedures, as well as a full compliance program that can withstand review by internal audit or due diligence reviews by acquiring companies.
What to do about CCPA regulations? The regulations’ most significant changes from the statute are:
- more specific notice requirements, including very specific information about incentive programs and the value of and valuation method for consumer data obtained through those programs;
- very prescriptive verification procedures for different types of CCPA consumer requests with potential liability for failure to follow the required procedures;
- an expanded range of consumer rights requests that “authorized agents” may make on behalf of California consumers – beyond do not sell requests;
- having to tag data that is not deleted due to a data deletion exemption so as to use it only for the exempt purpose;
- a requirement to honor webform “do not sell” requests also as an opt out of Internet advertising “sales” through cookies and other online tracking mechanisms on a business’ websites;
- additional leeway for service providers to engage in “non-sale” and non-profiling uses of personal information to improve products or services, which would change service provider contract language;
- room to provide a link to the CCPA short-form “at collection” privacy notice, instead of a pop-up notice; and
- a statement that at some point in the future businesses will need to honor “do not sell” signals, after those have been deployed.
If you have moved forward to structure your program to an earlier draft of the regulations, it is very unlikely that the California Attorney General’s office will bring an enforcement action if you failed to update your program quickly to changes in the final version of the regulations. If you have waited to nail down more specific compliance steps until the draft rules are finalized, it would be best to post accurate CCPA notices, to have functioning CCPA request paths, to have made progress entering into service provider addenda this month to reduce the number of “sale” arrangements by July 1, and to have a sufficiently robust program and compliance resources to be able to align your program more quickly to the final rules. For any compliance requirements that you cannot fully complete, consider documenting under privilege the reasons for this and obtaining internal agreement on clear milestones to close those gaps.
What About the CPRA Initiative? At this point, this initiative appears to have enough unverified and sampled signatures to be very likely to qualify for the November 2020 ballot, as well as to be approved then. The CPRA would not take effect until 2023, so it would provide considerable ramp-up time for compliance, but it would also spawn a significant number of further rulemakings that create some further uncertainty.
If the CPRA makes its way onto the ballot, it would again require a privacy compliance program that is robust and flexible enough to adapt to changing privacy requirements. Bear in mind that other states, such as Washington, New York, New Jersey and Illinois, may pass somewhat different privacy laws next year, which would also require a flexible program.
The most significant additional CPRA requirements that would take effect in 2023 include:
- Direct liability for service providers for CPRA violations that they are involved in (service providers are largely exempt from direct liability under the CCPA);
- A GDPR-like right to correct personal information that is inaccurate;
- An opt-out of both uses and disclosures of a new category of sensitive data, including location data, that are not necessary for the service provided;
- Adding a mandatory choice between posting a “Do Not Sell” icon or honoring a “Do Not Sell” automatic signal, which would be a presumption of a do-not-sell direction that the consumer would be able to activate only after a website explained the consequences of exercising that right;
- Limiting data retention of personal data to retention for disclosed purposes;
- Removing the 12-month look-back limit on right-to-know and data access requests; and
- Data breach class action risk for email account credentials.
On the other hand, the CPRA contains a number of clarifications of CCPA requirements that would make Chief Privacy Officers’ jobs easier. Significant features include:
- A two-year extension to 2023 of the employee and B2B moratoria (which otherwise would expire at the end of 2020);
- Data sharing arrangements that are not actual “sales” could be called “sharing” arrangements, instead of having to call them “sales” in notices to consumers;
- An operationally helpful exception from responding to data deletion and access requests for many types of unstructured data;
- Somewhat greater flexibility for uses of non-cross site ad services, and ad metrics not to be treated as “sales”;
- A broader exemption for publicly available data, expanding the exception to include public profiles;
- A broader small business exception; and
- A broader security exception, including physical safety and a rulemaking on exempting data generated for security or integrity purposes.
The good news for you from this shifting landscape of privacy requirements? Your job function will remain essential, even in a contracting economy. Moreover, there is a compelling case that your function requires the resources to build a robust, adaptable, well-resourced program to meet your organization’s privacy challenges well into the future. So, this cloud of uncertainty has a silver lining.