The CCPA Regulations Are Effective NOW. What’s Next?

Data Privacy & Security Alert Linda C. Emery

The regulations implementing the California Consumer Privacy Act (CCPA) were approved and became effective on August 14, 2020. The Regulations provide more detailed and explicit requirements with respect to implementing the CCPA.

In this Alert, we review key requirements under the Regulations and suggest concrete actions to meet them.

The CCPA empowers the California Attorney General (AG) to adopt regulations to further the law's purposes. The AG initially issued proposed regulations in October 2019 and, after several rounds of comments, issued revised regulations in March 2020. In June 2020 the AG submitted "Final Proposed Regulations" to the California Office of Administrative Law (OAL) for approval and submitted additional modifications to those proposed regulations on July 29, 2020.

On August 14, 2020, the OAL approved the regulations as modified by the AG (the Regulations), and ordered them effective immediately. The key updates from the prior version include:

  • Withdrawing the requirement to obtain explicit consent prior to using a consumer's personal information for materially different purposes than disclosed in the original notice at collection.
  • Making voluntary rather than mandatory the obligation of brick-and-mortar businesses to provide notice of the right to opt out in paper form and through in-store signage.
  • Eliminating the provision explicitly allowing businesses to deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf. Other provisions relating to proof of authorization remain.
  • Requiring the link to opt out of the sale of personal information to state in full "Do Not Sell My Personal Information" and not be abbreviated.

Key Considerations

The Regulations include more detailed requirements relating to (1) privacy policies, (2) notices at collection, and (3) the methods for submitting and responding to consumer requests to know, delete and opt out. As a result, even businesses that have already updated their privacy practices to meet the CCPA statutory requirements may still have additional work to do to comply with the Regulations. Here are some key considerations and recommended action steps:

Privacy Policies
The CCPA requires businesses to have a privacy policy that includes, among other things, disclosures about the personal information collected, used, disclosed and sold, and a description of consumers' rights under the CCPA together with one or more designated methods for exercising those rights.

The Regulations require that the privacy policy also include a comprehensive description of the business's online and offline privacy practices as well as instructions regarding how a consumer can exercise those rights, and the process the business will use to verify requests, including any information the consumer must provide.

Action Item: Review and update your privacy policy to include the more detailed disclosures required by the Regulations. Don’t forget that reviewing and updating your privacy policy must happen on an annual basis. It is not a one-and-done exercise.

Notice at Collection
The CCPA requires that a business provide notice at or before the point of collection of the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.

The Regulations further require that the notice at collection include a link to the business's privacy policy, or in the case of offline notices, tell the consumer where the policy can be found. Additionally, if the business sells personal information, the notice at collection must also include the Do Not Sell Link.

The Regulations provide that businesses that collect employment-related information are only required to include a list of the categories of personal information to be collected and the purposes in the notice.

Action Item: Review your online and offline data collection points and implement notices at collection that meet the requirements of the Regulations. There are a number of ways in which businesses can meet these requirements, including providing:

  • notifications at the bottom of each page of their site, on the download page of a mobile application or within the application through the settings menu;
  • individual notices in each place on their site where data is being collected; or
  • a link back to the section of the Privacy Policy that contains the required information.

Sale of Personal Information
The CCPA grants consumers the right to opt out of the "sale" of their personal information (as defined in the CCPA) and requires businesses that "sell" personal information to give consumers notice of the right to opt out and provide a mechanism for opting out of any sale, including a Do Not Sell Link.

The Regulations include more detailed requirements with respect to the notice of the right to opt out. Among other things, the Regulations provide guidance about the placement of the notice on websites and mobile apps and the contents of the notice. The Regulations require businesses that don't operate a website to establish an offline method for informing consumers about the right to opt out that includes information about how to exercise that right.

Additionally, the Regulations flesh out the requirements for opt-out mechanisms, requiring two or more designated methods for submitting requests, including an interactive form accessible by the Do Not Sell Link, as well as other mechanisms such as a toll-free number, an email address or through the mail. The Regulations further provide that at least one method should reflect the manner in which the business primarily interacts with the consumer.

Action Item: If you have not already done so, analyze whether you "sell" personal information and, if you do, provide the required notice and opt-out mechanisms and implement processes for complying with requests to opt out. This analysis should include a review of contracts with vendors, suppliers or other entities with which you share personal information.

Requests to Know and Delete
The CCPA grants California consumers the right to request information about the personal information a business collects about them and the right to request deletion of personal information. It also includes requirements with respect to the mechanisms businesses must provide to enable consumers to exercise those rights, as well as the processes they must follow for verifying and responding to requests.

The Regulations include more detailed requirements with respect to the methods for submitting and responding to these requests, including additional guidance relating to how to verify the consumer's identity and how to handle requests from authorized agents.

Action Items: Ensure that you (1) have appropriate methods in place for consumers to submit requests, (2) know what personal information you have and where it is located, (3) have internal processes in place to respond to requests, and (4) implement a process for documenting the requests you receive and how they were processed.

The Regulations require that notices, including privacy policies, notices at collection, and the notice of the right to opt out, must be reasonably accessible to consumers with disabilities.

Action Item: Make sure your notices are accessible. For notices provided online, the Regulations require businesses to follow generally recognized industry standards such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018 from the World Wide Web Consortium. For other notices, businesses should provide information about how a consumer with a disability may access the notice in an alternative format.

We Can Help

To learn more about how the CCPA and the Regulations may affect your business, please contact your Quarles & Brady attorney or: