Contact us

Trending

CCPA Today : A Summary of Key Updates

Article

The California Consumer Privacy Act (“CCPA”), which is the most groundbreaking data security legislation in the United States, is now enforceable. Because the roadmap to enforceability has not been entirely linear, it would be useful to briefly review recent events and the concomitant changes to CCPA they engendered. The CCPA became effective on Jan. 1, 2020. Subsequently, the Office of the Attorney General (“AG”) made a number of non-substantive changes for accuracy, consistency and clarity. The AG did not submit the final version of these regulations to the California Office of Administrative Law (“OAL”) until June 1, 2020. OAL approval was required before the regulations could take effect. On Friday, August 14, 2020, the OAL approved the OAG’s final CCPA regulations and filed them with the California Secretary of State.  The regulations were immediately effective. OAL, however, made changes to the regulations prior to approving them by removing certain requirements. The OAG has indicated, however, that these provisions may be resubmitted “after further review and possible revision”.
 

These provisions or requirements removed by the OAG are as follows:

  • The requirement, formerly in Section 999.305(a)(4), that the business notify and obtain explicit consent from a consumer to use the consumer’s personal information for a purpose materially different than what was disclosed at or before the collection of information. At first blush, this appears to be a significant relief for businesses. The California Code § 1798.100(b)), however, still dictates that a “business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent” with the CCPA.
     
  • The requirement, formerly in Section 999.306(b)(2), that a business that substantially interacts with consumers offline must provide a notice to the consumer offline to facilitate their awareness of the right to opt-out.
     
  • The requirement in Section 999.315(c) that the business’s methods for submitting the request to opt-out must “be easy for consumers to execute” and “require minimal steps to allow the consumer to opt-out”. Although this particular provision was removed, another provision, § 999.315(b), still encourages businesses to consider the “ease of use by the consumer when determining which methods consumers may use to submit requests to opt-out.”
     
  • The provision, formerly in Section 999.326(c), permitting a business to deny a request from an authorized agent if the agent fails to submit proof of authorization from the consumer.  A different provision, § 999.315(f), however, still provides that “[a] business may deny a request from an authorized agent if the agent cannot provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf."

Extension of CCPA Employee and Business-Business (“B2B”) Exemptions

Separately, on August 30, 2020, the California Legislature passed a bill, AB 1281, that amends the CCPA to extend the employee and B2B exemptions to January 1, 2022, unless Californians vote in favor of passing California Privacy Rights Act (“CPRA “) on November 3rd.  If CPRA passes, CCPA’s employee and B2B exemptions will be extended until January 1, 2023. Practically speaking, businesses will have at least another year to address employee and B2B information.

If CPRA passes, Sia Partners will distribute an analysis of it in November.

Sia Partners is available to assist in addressing any questions you may have regarding these developments.