What to Expect from CCPA Regulations
Although COVID-19 has put the majority of the country on hold, California Attorney General Xavier Becerra made clear his intention to begin enforcement of the CCPA on July 1, as originally planned.
The announcement came despite the pleas of many businesses and organizations to get the deadline extended. While the attorney general has not yet published his final regulations on the CCPA, there are certain regulations we can expect to see in the final draft.
Here’s a recap of what to expect:
Multiple Notice Requirements
Finally, a business must also notify a consumer if it is offering a financial incentive or a price differential for the disclosure of personal information.
The CCPA makes it abundantly clear that regardless of the type of notice a business is providing, it needs to be easily understandable, noticeable, interpretable and accessible.
Specific Content Requirements
Throughout the multiple rounds of revisions, certain aspects of the Attorney General regulations have remained largely untouched. Therefore, it’s reasonable to rely on the following provisions being consistently incorporated into the final revision of the CCPA. Those preparing for the CCPA enforcement on July 1 should start ensuring that each notice:
o Avoids legal jargon and technical language, and is instead prepared in plain, easy-to-understand language (don’t just reproduce the statutory language for categories of data collected)
o Is prepared in a format that is easily readable, considering the types of devices from which a reader may access it (mobile, tablet, desktop)
o Is available in the languages consistent with the contracts, disclaimers, announcements, etc., that the company provides in the ordinary course of business
o Is accessible to those with disabilities
With all the notice requirements come requirements to have certain processes and procedures in place. CCPA regulations have been consistent across all three drafts regarding the following:
o California consumer personal information is not used beyond the means initially disclosed at collection
o Collection does not happen unless a consumer has been notified
o No additional consumer information is collected or used beyond the disclosures at collection, without first notifying the consumer (and the notice must include all those other notice provisions listed above)
o Procedures are in place to handle consumer requests
o Consumers are provided with two or more methods for submitting requests to delete and opt out
o Businesses should consider their usual forms of contact with consumers to determine the appropriate mechanism for submitting these requests
o Businesses should develop a workflow to ensure requests are acknowledged within 10 business days, and responded to within 45 calendar days
o Businesses should ensure they are able to verify consumer identity upon receipt of a request to know or delete
o Development of a two-person process for requests to opt into the sale of their personal information
o Appropriate training is performed so employees or contractors handling consumer personal information understand the requirements of the CCPA and regulations
o Record retention schedules and policies are updated to account for consumer records requests
o The business has reasonable security measures in place to transmit personal information
What’s Still Uncertain
While there is some insight into the content of the final regulations, there are certain important elements that aren’t stable yet. The components of notice at collection seem to be slightly unclear. The opt out right seems to also be changing.
The same is the case with the notice requirement around financial incentives (but the components of this notice haven’t changed too much). Finally, the handling of requests to know/delete seems to be changing as well.
Following two rounds of revisions, we have a good understanding of what will be required of businesses under the CCPA. Various requirements and components of notice and the handling of consumer requests have remained largely unchanged, making those elements a reliable place to start in terms of CCPA compliance.