Has it been a year already? Many businesses diligently made sure they did their best to hit the moving CCPA target as they welcomed 2020 and the effective date of the statute last year. A year ago, all we had were draft regulations and a statute, and businesses had to do their best to comply. So, it is not surprising many CCPA disclosures had an effective date of January 1, 2020. But if that is the last time your disclosures were reviewed, your business is signaling non-compliance with CCPA.

Section 1798.130 contains the various lists required in the CCPA online privacy policy that includes categories collected and shared “in the preceding 12 months” (see, e.g., 1798.130(a)(5)(B) “a list of the categories of personal information it has collected about consumers in the preceding 12 months…”). In view of this time frame for the disclosure, the statute includes the affirmative requirement that a business must make these disclosures and “update that information at least once every 12 months…” (see 1798.130(a)(5)).

If you have not reviewed your CCPA disclosures since January 1, 2020, your business likely needs to do an additional review of your privacy policy based on the new regulations promulgated in the last 12 months. On January 1, 2020, businesses had to choose between trying to comply with the original draft regulations released on October 10, 2019 or with the high-level statutory requirements. In either case, the “final regulations” and subsequent modifications to them have added requirements or, in some cases, removed requirements set out in the original proposed regulations. Therefore, when doing the required substantive review, it is recommended that the latest version of the regulations, released on August 14, 2020 (the “final regulations”), is consulted. Note that some slight modifications to even the final regulations have been proposed but not yet approved. Here are a few notable differences between the original draft regulations and the final regulations:

  • Section 999.305(a)(3) of the original draft regulations required a business to get “explicit consent” if it intended to use the personal information for a materially different purpose than what was explicitly disclosed at collection. This language contemplating “explicit consent” has been removed entirely in the final regulations.
  • The original draft regulations gave businesses the option to use the link title “Do Not Sell My Personal Information” or “Do Not Sell My Info.” While many chose the latter, this option was removed in subsequent revisions and only “Do Not Sell My Personal Information” remains as the specified link title (see, e.g., Section 999.305(b)(3)).
  • The original draft regulations did not exempt employees from the various disclosures. The final regulations clarified that employee disclosures are limited to the notice at collection, which does not have to include a “Do Not Sell” link or a link to the privacy policy.
  • The original draft regulations had a process whereby a business that did not directly collect information from a consumer could only sell it by obtaining a signed attestation that the source provided a “Do Not Sell” link. This option was removed entirely and replaced with an implied requirement that a business that does not directly collect information must still provide a notice at collection if they sell the consumer’s personal information (see 999.305(d)).
  • The original draft regulations required an “interactive webform” as a method of submitting verified consumer requests, but this affirmative requirement has been removed (see final regulations Section 999.312(a), which requires a toll-free number and one other method).

Although CCPA makes this type of annual review a regulatory requirement, privacy is an evolving area of law and privacy reviews should be built into the organizational compliance process of any business. Staying on top of privacy laws, regulations, guidance, and requirements is becoming even more important as we move into 2021, which is likely to be another landmark year for privacy.