On August 14, 2020, California Attorney General Xavier Becerra (AG) issued the final set of regulations regarding the California Consumer Privacy Act (CCPA).1 On August 31, 2020, a bill was also passed to extend from the end of 2020 to the end of 2021 partial CCPA exemptions for business-to-business and personnel (i.e., job applicants, employees, directors, officers, owners, medical staff members, contractors) records.

California AG Regulations

The CCPA is considered by many to be the most stringent state privacy law in the country. The law, which applies to businesses located in and outside of California, went into effect on January 1, 2020, and enforcement began on July 1, 2020, when the CCPA originally required promulgation of AG regulations. The much-anticipated regulations provide guidance on how the AG intends to interpret and enforce the CCPA. Violations of the regulations are deemed violations of the CCPA and can result in regulatory penalties as articulated in Section 1798.155(a) of the CCPA.2

Businesses can face a regulatory fine of up to $2,500 per violation or $7,500 for each “intentional” violation of the regulations, in addition to potential liability in civil actions.3 Accordingly, understanding the AG’s approach to enforcement is an important consideration when developing a compliance program. When developing or refining a CCPA compliance program, businesses should consult not only the CCPA, but also the regulations, which may impose distinct and additional requirements.

In some instances, the regulations view CCPA requirements generally as a ceiling rather than a floor. This is no more evident than in the changes that were made to an earlier draft of the regulations, which required businesses to obtain “explicit consent” to use a consumer’s personal information for a purpose that is materially different from that disclosed at collection. This would have expanded the CCPA, which only requires businesses to provide the consumer with prior notice for any “additional purpose” of their personal information.4 Moreover, the AG deleted the “Do Not Sell My Info” title option for the opt-out link, meaning that a business’s link can only read, “Do Not Sell My Personal Information.”5 This change appears to have been made to be consistent with the text of Section 1798.135(a) of the CCPA, which requires businesses to provide “a clear and conspicuous” link titled, “Do Not Sell My Personal Information.”

The regulations6 further provide, among other things, the following clarifications of CCPA provisions:

  • Detailed guidance on how to meet the CCPA’s “affirmative authorization” requirement for the sale of personal information of consumers aged 16 years and younger. That is, for consumers between 13 and 16 years old, a two-step process is required, whereby the consumer clearly opts in and then separately confirms that choice. For consumers younger than 13 years old, verifiable consent from a guardian or parent, similar to the requirements under the Children’s Online Privacy Protection Act (COPPA), is required. A notice regarding the right to later opt out is also required.
  • Explains that certain required notices must not only contain the information delineated in the CCPA, but must also be easy to read and understandable to consumers; avoid legal jargon; use a format that draws attention (including on smaller screens); and be available not only in the language primarily used to interact with the customer (as generally required by the CCPA), but also in the “languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.” The regulation further identifies industry standards that should be consulted for compliance with the CCPA’s requirement to make notices accessible to consumers with disabilities.
  • Identifies requirements for mobile applications, including a “just-in-time” notice7 to a consumer if collecting personal information from a mobile device “for a purpose that the consumer would not reasonably expect.”
  • Requires that offline notices specify where the business’s “Do Not Sell8 My Personal Information” link (to allow consumers to opt out of disclosure of their personal information under certain circumstances) and privacy policy may be found online.
  • Explains that a business that does not collect personal information directly from the consumer need not provide a notice at the point of collection if it does not “sell” the consumer’s personal information.
  • Specifies that a data broker registered with the AG need not provide a notice at the point of collection to the consumer if its registration submission includes a link to its online privacy policy with instructions on how a consumer can request to opt out.
  • Provides an outline of information that must be included in required notices for financial incentives (including consumer data value calculations), which may result in price differences for goods and services offered.
  • Provides guidance on business practices of businesses and service providers for handling consumer requests regarding their personal information.
  • Establishes rules regarding how consumers may exercise their rights through an authorized agent, and such agents’ responsibilities with respect to consumer information.
  • Identifies how consumers may opt in after opting out of the sale of their personal information.
  • Imposes personnel training and recordkeeping requirements.
  • Provides guidance regarding verification of consumer identity in connection with acting on consumer requests.
  • Provides guidance on how to recognize and avoid prohibited discriminatory practices against consumers who exercise rights under the CCPA.

Extension of Partial CCPA Exemption for Business-to-Business Communications and Personnel Records Through 2021

The CCPA broadly protects California “consumer” data, including business contact information and employee or job applicant information. A temporary reprieve from some CCPA requirements is in effect for certain business-to-business and personnel records through 2020. On August 31, 2020, the California Legislature passed Assembly Bill 1281 that extends that exemption to the end of 2021.9 Accordingly, personal information contained in business communications or reflecting transactions between businesses (i.e., personal information of business representatives obtained in the course of completing sales, providing or receiving products or services, conducting due diligence, entering into contracts or providing support to an entity) is exempt from certain CCPA requirements, such as requests for access or deletion of data, as well as information-sharing disclosures. Note that the exemption does not extend to the use of personal information for marketing communications, such as cold calling or deploying robocalls. There is also no exemption for “Do Not Sell” obligations.

Similarly, personal information collected from employees and job applicants (including emergency contact information) is temporarily excluded from the scope of the CCPA, so long as the information is collected and used only for employment or job application purposes. Personal information collected and used in connection with applications for or receiving benefits is also excluded. In other words, businesses need not comply with requests for access or deletion of data, nor information-sharing disclosures. Notwithstanding these exemptions, however, businesses must still provide the required notices at or before the collection of personal information, and impacted individuals retain their right to sue in the event of a data breach.

Based on the foregoing, it is important for businesses to review their privacy policies and business practices to ensure compliance with not only the CCPA, but the regulations as well. Such review should be done in consultation with knowledgeable legal counsel in relevant business areas.