CCPA compliance

Preparing for the July 1 CCPA Enforcement Deadline

June 29, 2020 by David Klein

Despite the fact that the California Consumer Privacy Act (“CCPA”) regulations have yet to be finalized, the California Attorney General is prepared to begin CCPA enforcement as of July 1, 2020. In 2018, the CCPA was enacted to create enhanced consumer privacy rights by imposing obligations on how businesses collect, use and share California State resident personal information. Over the past two years, the California State Attorney General has been tinkering with the CCPA regulations in an effort to assist businesses with navigating statutory compliance. Given that the CCPA enforcement deadline is upon us, businesses should now be familiar with the various provisions of the CCPA.

What are the key provisions of the CCPA?

Overview of CCPA Regulations

Businesses fall within the ambit of the CCPA if they: 1) do business in the State of California; 2) collect California State residents’ personal information; and 3) satisfy at least one of the following thresholds:

Have annual gross revenue of over $25 million;
Buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices for commercial purposes each year; or
Derive 50% or more of annual revenue from selling consumer personal information.

Dating back to the passage of the CCPA on June 28, 2018, we have blogged about the CCPA compliance measures that businesses need to take in order to avoid private rights of action and/or investigation by the California State Attorney General. Some key CCPA provisions worth noting include:

Notice to Consumers: Businesses that collect California consumer personal information must provide notice prior to or at the point of collection. The purpose of this notice is to inform consumers about the categories of personal information that businesses will collect and the purposes for which the information will be used. Additionally, businesses must notify consumers of their right to opt-out from having their personal information sold to third parties.
Privacy Policies: As stated in the CCPA regulations, “[t]he purpose of the privacy policy is to provide consumers with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.” In order to achieve this level of transparency, businesses must disclose: 1) the categories of personal information collected; 2) the sources from which personal information is collected; and 3) the commercial or business purpose for which the personal information was collected or sold.
CCPA Forms: The CCPA affords California consumers the right to: 1) opt-out of the sale of their personal information to third parties; 2) request to know what personal information has been collected about them and how businesses have sold or disclosed that information to third parties; and 3) request that businesses delete personal information that has been collected from/about them. The CCPA regulations provide detailed requirements on how to present, process, respond to and store these requests.
Accessibility: All of the foregoing CCPA-related notices should be accessible to consumers with disabilities and conform to standards included in the Web Content Accessibility Guidelines (“WCAG”), version 2.1, as promulgated by the World Wide Web Consortium (“W3C”).

CCPA Enforcement

Businesses that run afoul of the CCPA face both private rights of action and investigation by the California Attorney General’s Office. California consumers can bring private rights of action against businesses for data breaches (and only data breaches) that have exposed their non-encrypted and non-redacted personal information to unauthorized third parties. For private rights of action, statutory damages will amount to the greater of actual damages, or between $100 and $750 per consumer, per incident. Additionally, following the July 1, 2020 CCPA enforcement deadline, the California Attorney General is expected to begin sending notifications of alleged violation to non-compliant businesses. Please note that businesses will be afforded thirty (30) days to cure any instances of non-compliance. Civil penalties levied by the California Attorney General’s office will range from $2,500 for non-intentional violations, up to $7,500 for intentional violations. Notwithstanding the foregoing, considering the amount of time and resources that are being devoted to the COVID-19 pandemic response, it is unclear how the California Attorney General’s Office will prioritize CCPA enforcement. We expect that the Attorney General will initially focus its attention on the largest companies that have misused the most amount of consumer data.

If you require assistance in connection with CCPA compliance, please email us at info@kleinmoynihan.com, or call us at (646) 713-1684.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.

Attorney Advertising

Related Blog Posts:

California Data Broker Registration Requirements

Preparing CCPA Privacy Policies Before the July 1 Enforcement Date

CCPA Record Keeping Requirements

Preparing CCPA Privacy Policies Before the July 1 Enforcement Date

May 20, 2020 by David Klein

Despite the myriad issues that businesses now face with the Covid-19 pandemic, the California State Attorney General remains committed to the California Consumer Privacy Act (“CCPA”) enforcement date of July 1, 2020. As such, businesses that have not already done so should add CCPA compliance to their immediate to-do lists. One area of compliance that requires attention is online privacy policies that include CCPA-mandated provisions (“CCPA Privacy Policies”). Since the proposed CCPA regulations were first released to the public on October 11, 2019, the California State Attorney General’s Office has released two (2) modifications thereto. Those modifications have, in turn, necessitated changes to companies’ CCPA Privacy Policies. Businesses must, among other things, update their online privacy policies to ensure that they include CCPA-required disclosures and the associated menu of consumer options.

What is required of CCPA Privacy Policies?

[Read More]

CCPA Record Keeping Requirements

April 23, 2020 by David Klein

Despite the ongoing Covid-19 pandemic, the California Consumer Privacy Act (“CCPA”) enforcement date remains set at July 1, 2020. Readers of this blog know that we have been providing frequent updates on all things CCPA. In this post, we take a deep dive into the record keeping requirements contained in the CCPA.

What are the CCPA record keeping requirements?

[Read More]

CCPA Enforcement Date Remains July 1, 2020

March 31, 2020 by David Klein

The novel coronavirus (“COVID-19”) pandemic has required businesses to adapt to unforeseen disruptions. However, one thing that has remained constant is the California Consumer Privacy Act (“CCPA”) enforcement date of July 1, 2020. Earlier this month, a coalition of approximately 60 businesses sent a letter to California Attorney General Xavier Becerra asking that the CCPA enforcement date be delayed until January 2, 2021 because of ongoing health and economic worries created by COVID-19. Civil Code Section 1798.85(c) states that “the Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” In an email to Forbes magazine, an advisor for the California Attorney General’s Office said that they are “committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” and “encourage[d] businesses to be particularly mindful of data security in this time of emergency.” Consequently, because the final regulations have not been published, July 1, 2020 remains the CCPA enforcement date. Given the foregoing, businesses working to weather the damage caused by COVID-19 also need to be mindful of their compliance obligations under the CCPA.

What are the CCPA Enforcement Measures?

[Read More]

CCPA Regulations Revised, Again

March 20, 2020 by David Klein

Recently, the California Consumer Privacy Act (“CCPA”) regulations were modified by the California Attorney General for a second time. These modifications are an attempt to address issues raised by approximately one hundred comments that followed the release of the Modified Draft Regulations on February 7, 2020. The California Attorney General is accepting written comments on the latest modifications until March 27, 2020. All of these measures are being taken to ensure that businesses have a clear understanding of what the CCPA regulations require before the enforcement date of July 1, 2020.

What are the most recent modifications to the CCPA regulations?

[Read More]

CCPA Forms: The Right to Opt-Out, Request to Know and Request to Delete

February 28, 2020 by David Klein

Readers of this blog have been following our coverage of the California Consumer Privacy Act (“CCPA”) and related regulatory developments. In today’s blog, we detail some of the compliance measures that should be taken with respect to consumer data election rights and the associated CCPA forms through which consumers can make these elections. Among other measures, the CCPA has codified California consumers’ rights to: 1) opt-out of the sale of their personal information to third parties; 2) request to know what personal information businesses have collected about them and how businesses have sold or disclosed that information to third parties; and 3) request that businesses delete personal information that has been collected from/about them. With limited exceptions, businesses should provide consumers with CCPA forms to make elections by and through their websites.

What are CCPA forms and when should they be processed?

CCPA Forms

In order to comply with the CCPA, each business is required to “provide two or more methods for submitting requests to opt-out, including, an interactive form accessible via a clear and conspicuous link titled ‘Do Not Sell My Personal Information,’ or ‘Do Not Sell My Info,’ on the business’ website or mobile application.” Businesses do not need to provide an opt-out form if they do not sell personal information and explain this fact in their privacy policies. Opt-out forms should: 1) include a description of consumers’ rights to opt-out of the sale of their personal information; 2) use plain, straightforward language and avoid technical or legal jargon; 3) provide instructions on any other method by which consumers may submit their requests to opt-out; and 4) be reasonably accessible to consumers with disabilities. The modified CCPA regulations have removed the requirements that opt-out forms include proof when consumers are using authorized agents to exercise their rights to opt-out and that opt-out forms provide links to the URLs of businesses’ privacy policies.

The most recent proposed CCPA regulation revisions have eliminated the requirement that businesses operating exclusively online that have a direct relationship with their consumers provide a web-based CCPA form to submit right to know requests. These businesses are now only required to provide an email address. All other businesses must provide two (2) methods for submitting requests to know including, but not limited to, a toll-free telephone number and, a designated email address or a form that can be submitted by U.S. Mail. When supplying consumers with the ability to delete their personal information, businesses must provide two (2) or more methods for submitting these requests. Methods include, but are not limited to, a toll-free number, a link or form available online through a business’s website, or a designated email address. If businesses create CCPA forms to satisfy right to know and deletion election requirements, they too should use plain, straight forward language, which must be reasonably accessible to consumers with disabilities. Please note that the modified CCPA regulations no longer require a two-step process to effectuate online requests to delete.

Processing CCPA Forms

Businesses must comply with requests to opt-out no later than fifteen (15) business days from the date the requests are received. If a business sells a consumer’s personal information after the request to opt-out has been received, but before that business has complied with the request, it must notify third parties that have received consumer personal information from the company in this interim period that the consumer has elected to opt-out and that these third parties may no longer sell that consumer’s personal information. Businesses must confirm receipt of right to know and deletion requests within ten (10) business days of receiving such requests and respond to these requests within forty-five (45) calendar days from the date that the subject requests were received. If necessary, businesses that are unable to respond to requests within the forty-five (45) calendar day period may take an additional forty-five (45) calendar days to respond, provided that they provide consumers with notice and explanation that an extension is required.

CCPA forms are just one regulatory implementation measure that should be taken on the path to CCPA compliance. If you are interested in learning more about this topic or require assistance with consumer data privacy compliance for your business, please email us at info@kleinmoynihan.com, or call us at (646) 713-1684.

Attorney Advertising

Related Blog Posts

CCPA Law: The Private Right of Action

CCPA Service Provider Requirements Clarified by California AG

CCPA Amended to Require California Data Broker Registration

CA Attorney General Releases New CCPA Law Modifications

February 12, 2020 by David Klein

Recently, the California Consumer Privacy Act (“CCPA”) regulations were modified by the California Attorney General. The latest CCPA law modifications were released on February 7, 2020, in an attempt to address issues that were raised during the public hearing and comment period that followed the release of the proposed regulations on October 11, 2019.

The California Attorney General has announced a deadline of February 24, 2020, at 5:00 p.m. (PST) to submit written comments, in yet another attempt to clarify CCPA law.

How have the proposed regulations changed?

[Read More]

California Data Broker Registration Requirements

January 16, 2020 by David Klein

January 16th, 2020

In September 2019, the California State Legislature passed Assembly Bill No. 1202 (“A.B. 1202”), amending the California Consumer Privacy Act (“CCPA”). The amendment requires qualified businesses to register as data brokers with the California Attorney General on or before January 31, 2020. A.B. 1202 defines “Data Broker” as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” (emphasis supplied). A.B. 1202 carves out exemptions from the data broker registration requirement for most entities subject to regulation under the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Insurance Information and Privacy Protection Act, respectively.

Who is a Data Broker and what are the data broker registration requirements?

[Read More]