On Jan. 6, 2020, the California attorney general (AG) released a CCPA advisory press release and reiterated what we already know – that “businesses subject to CCPA [are] required to begin complying with the law on January 1, 2020” and that California residents are afforded new data privacy rights under the CCPA.
Unfortunately, the advisory did not provide any details regarding when the next round of draft regulations will be released or when the regulations may be finalized. The first public comment period, during which the AG held seven public forums around the state and received more than 300 written comments (including from BakerHostetler, detailed here), ended on Dec. 6, 2019. There will be a second public comment period of either 15 or 45 days following revisions to the draft regulations , depending on the extent of changes in response to the first public comment period.
Data Broker Registration
The release also provides a link to a webpage for registration by “data brokers” as defined in California Civil Code §1798.99.80 (as passed in the legislature, AB 1202, discussed here), as required by that law. Under the law, a data broker is a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship (as those terms are defined in the CCPA, as applicable).
Calif. Civ. Code §1798.99.80 requires that all data brokers, on or before Jan. 31 following each year in which a business meets the definition of a data broker, to register with the AG or face a fine in the amount of $100 per day that it fails to register, the fees that would have been due, and expenses incurred by the AG in investigating and prosecuting the failure to register. It was unclear from the text of the law whether a company could meet the definition of data broker in 2019 and therefore have to register by Jan. 31, 2020. The AG’s provision of a registration portal and discussion of the same in the Jan. 6 press release seems to indicate that the answer is yes. Therefore, companies that may fall under the definition of data broker should, before Jan. 31, explore whether they are required to register.
In order to register, an account must be created on the AG site linked above and a form must be filled out. The statute requires an undisclosed fee to be paid, and as of the date of this post, there is no information regarding the amount of the required fee on the AG site or registration portal. When registering, required information includes the data broker’s name, email address, website URL, country, street address, city, state and ZIP code.
On the registration page, the AG also solicits optional information, including “How a consumer may opt out of sale or submit requests under the CCPA,” “How a protected individual can demand deletion of information posted online under Gov. Code sections 6208.1(b) or 6254.21(c)(1)” and “Additional information about data collecting practices.” It is unclear how the second option regarding Gov. Code sections 6208.1(b) or 6254.21(c)(1) relates to a party’s status as a data broker, and those sections are not referred to or invoked in Calif. Civ. Code §1798.99.80.
There is a $360 fee for registering as a data broker. This appears to be a flat fee for all companies registering as a data broker, regardless of company size or revenue, since such information is not collected in the registration process. Rather than requiring payment during the online registration process, the AG’s office sends an email to the email account on record with an invoice for $360, which is stated to be payable on or before January 31, 2020. Interestingly, and somewhat alarmingly, there is no process in place for verifying that the person or email address submitting the registration has authority to register on behalf of the entity being registered, which seems to leave open the possibility of fraud and foul play in the registration process.
The AG’s website also now includes a Public Data Broker Listing that, as of the date of this post, does not include any registrants. Given that the definition of data broker incorporates and hinges on the definitions from the CCPA, including “business” and “sale,” and the lack of finality of the CCPA’s regulations, it seems likely that some companies will wait to register until the final regulations have been issued.
Private Right of Action and Consumer Complaints
The AG’s press release reiterates what we know regarding the private right of action for security breaches under the CCPA. Namely, that businesses are required to implement and maintain reasonable security procedures and practices to protect consumers’ personal information, and the CCPA authorizes a consumer to institute a civil action if the consumer’s personal information is subject to an unauthorized breach as a result of a business’s failure to reasonably secure the data.
Finally, the release states that consumer complaints may be reported at the AG’s general complaint website (oag.ca.gov/report) or general complaint hotline. Interestingly, as of the date of this post, the complaint form does not include any information specific to privacy or the CCPA.