Beginning with the European Union's General Data Protection Regulation (GDPR), we have entered the brave new world of stricter government regulation of consumer data. Absent a federal privacy rule that matches the GDPR in its breadth, some states have begun the process of creating their own state consumer data privacy and security laws. The California Consumer Privacy Act (CCPA) is California's most recent attempt to address its residents' privacy and the privacy practices of organizations that do business in the state. Governor Jerry Brown signed the CCPA into law on June 28, 2018, and several amendments were signed into law on October 11, 2019 by Governor Gavin Newsom. Almost at the same moment, on October 10, 2019, the California Attorney General introduced proposed regulations to implement the CCPA.

Generally, the CCPA became operational on January 1, 2020. Businesses conducting business in California are asking what the CCPA means for them – some for the first time considering whether they are subject to the CCPA. Threshold questions clients must assess in order to determine whether or not the CCPA applies to an entity that conducts business in California include (1) does the entity have gross revenue of $25 million; (2) does the entity annually share or disclose the personal information of at least 50,000 consumers; or (3) does the entity derive at least 50% of its annual revenues from selling consumers' personal information. There are multiple other issues to review, and counsel can assist clients with this review.

For a company that has already begun working on its CCPA compliance processes prior to the  October amendments and draft attorney general regulations, this alert highlights five of the new issues created by the amendments and the draft regulations that have largely flown under the radar.

1. Making a Privacy Policy Accessible

One issue not addressed by any text of the CCPA, including its amendments, but outlined in the draft regulations, is the requirement of the accessibility for persons with disabilities of a business's privacy policy. If the business's website has not already addressed accessibility concerns, the draft regulations may impose new obligations that businesses have not yet considered. This accessibility requirement should be examined closely – even for a business that has already finalized a privacy policy that is compliant with the text of the CCPA.

2. Identity Verification

The draft regulations also present a requirement that a business include specific information in its privacy policy about the processes it will use to verify a consumer's identity in response to a request. Under the draft regulations, a business's privacy policy may at a minimum be required to address which pieces of information the business will need (1) to verify a consumer's request and (2) to allow an agent to submit a CCPA request on the consumer's behalf. Because these requirements were not included in the text of the CCPA, it is important for clients to revisit their existing privacy policies to address identity verification.

3. Contents of Financial Incentive Notice

Where a business provides financial incentives to consumers, the draft regulations also impose additional requirements for those businesses to provide specific notices to the consumers.  Specifically, a business must explain in the notice as to why the financial incentive is legitimate under the CCPA, as well as the value of the consumer data involved. This likely will involve significant legal analysis, even for a business that was wholly compliant with the CCPA before the amendments and draft regulations were published.

4. Methods for Submitting a Consumer Request

There has been uncertainty under the CCPA regarding the methods that must be available to consumers for them to submit a request. The draft regulations attempt to provide specificity, but may have created more confusion. Currently, the number of methods a business must provide for consumer to make requests will depend on the type of request being made – in some circumstances, a business is required to provide a toll-free number, and in other circumstances an interactive web form may be required. Businesses will need to consider in depth what must be done to comply with the draft regulations and amendments, and to operationalize the various phases of consumer requests.

5. Responding to Consumer Requests

Finally, the draft regulations highlight specific issues a business must consider in developing its internal processes to respond to consumer requests. The draft regulations contain new guidance on how to treat a situation where a business cannot verify a consumer's identity, as well as the information that must (or must not) be included in response to a consumer request. Businesses should revisit internal policies and procedures to ensure the draft regulations are addressed.

The CCPA has created uncertainty for countless clients over the past year, not the least of which are fueled by new or different requirements for which there was no notice before October 2019.  The CCPA will continue to create new issues as it evolves – both with finalization of the attorney general regulation, and potentially with the recent introduction of the proposed ballot measure, the California Privacy Rights and Enforcement Act of 2020. Whether a business is just starting to evaluate whether and to what extent it is impacted by the CCPA, or whether it has already done substantial work to become compliant, we stand ready to assist in the process. 

This information is intended to inform firm clients and friends about legal developments, including recent decisions of various courts and administrative bodies. Nothing in this Practice Update should be construed as legal advice or a legal opinion, and readers should not act upon the information contained in this Practice Update without seeking the advice of legal counsel. Prior results do not guarantee a similar outcome.