CCPA regulations

Final CCPA Regulations Released

June 5, 2020 by David Klein

On June 1, 2020, the California Attorney General’s Office submitted the final text of California Consumer Privacy Act (“CCPA”) regulations to the Office of Administrative Law (“OAL”) for review. Typically, OAL has thirty (30) working days to determine whether regulations under its review satisfy the procedural requirements of the Administrative Procedure Act. The California State Attorney General has requested that OAL expedite its review and make the CCPA regulations effective on the same day that they are filed with the Secretary of State. It is uncertain at this time whether OAL will comply with the California State Attorney General’s request and enact the final CCPA regulations by the July 1, 2020 enforcement date.

When will the final CCPA Regulations take effect?

[Read More]

Preparing CCPA Privacy Policies Before the July 1 Enforcement Date

May 20, 2020 by David Klein

Despite the myriad issues that businesses now face with the Covid-19 pandemic, the California State Attorney General remains committed to the California Consumer Privacy Act (“CCPA”) enforcement date of July 1, 2020. As such, businesses that have not already done so should add CCPA compliance to their immediate to-do lists. One area of compliance that requires attention is online privacy policies that include CCPA-mandated provisions (“CCPA Privacy Policies”). Since the proposed CCPA regulations were first released to the public on October 11, 2019, the California State Attorney General’s Office has released two (2) modifications thereto. Those modifications have, in turn, necessitated changes to companies’ CCPA Privacy Policies. Businesses must, among other things, update their online privacy policies to ensure that they include CCPA-required disclosures and the associated menu of consumer options.

What is required of CCPA Privacy Policies?

[Read More]

CCPA Record Keeping Requirements

April 23, 2020 by David Klein

Despite the ongoing Covid-19 pandemic, the California Consumer Privacy Act (“CCPA”) enforcement date remains set at July 1, 2020. Readers of this blog know that we have been providing frequent updates on all things CCPA. In this post, we take a deep dive into the record keeping requirements contained in the CCPA.

What are the CCPA record keeping requirements?

[Read More]

CCPA Enforcement Date Remains July 1, 2020

March 31, 2020 by David Klein

The novel coronavirus (“COVID-19”) pandemic has required businesses to adapt to unforeseen disruptions. However, one thing that has remained constant is the California Consumer Privacy Act (“CCPA”) enforcement date of July 1, 2020. Earlier this month, a coalition of approximately 60 businesses sent a letter to California Attorney General Xavier Becerra asking that the CCPA enforcement date be delayed until January 2, 2021 because of ongoing health and economic worries created by COVID-19. Civil Code Section 1798.85(c) states that “the Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” In an email to Forbes magazine, an advisor for the California Attorney General’s Office said that they are “committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” and “encourage[d] businesses to be particularly mindful of data security in this time of emergency.” Consequently, because the final regulations have not been published, July 1, 2020 remains the CCPA enforcement date. Given the foregoing, businesses working to weather the damage caused by COVID-19 also need to be mindful of their compliance obligations under the CCPA.

What are the CCPA Enforcement Measures?

[Read More]

CCPA Regulations Revised, Again

March 20, 2020 by David Klein

Recently, the California Consumer Privacy Act (“CCPA”) regulations were modified by the California Attorney General for a second time. These modifications are an attempt to address issues raised by approximately one hundred comments that followed the release of the Modified Draft Regulations on February 7, 2020. The California Attorney General is accepting written comments on the latest modifications until March 27, 2020. All of these measures are being taken to ensure that businesses have a clear understanding of what the CCPA regulations require before the enforcement date of July 1, 2020.

What are the most recent modifications to the CCPA regulations?

[Read More]

CCPA Forms: The Right to Opt-Out, Request to Know and Request to Delete

February 28, 2020 by David Klein

Readers of this blog have been following our coverage of the California Consumer Privacy Act (“CCPA”) and related regulatory developments. In today’s blog, we detail some of the compliance measures that should be taken with respect to consumer data election rights and the associated CCPA forms through which consumers can make these elections. Among other measures, the CCPA has codified California consumers’ rights to: 1) opt-out of the sale of their personal information to third parties; 2) request to know what personal information businesses have collected about them and how businesses have sold or disclosed that information to third parties; and 3) request that businesses delete personal information that has been collected from/about them. With limited exceptions, businesses should provide consumers with CCPA forms to make elections by and through their websites.

What are CCPA forms and when should they be processed?

CCPA Forms

In order to comply with the CCPA, each business is required to “provide two or more methods for submitting requests to opt-out, including, an interactive form accessible via a clear and conspicuous link titled ‘Do Not Sell My Personal Information,’ or ‘Do Not Sell My Info,’ on the business’ website or mobile application.” Businesses do not need to provide an opt-out form if they do not sell personal information and explain this fact in their privacy policies. Opt-out forms should: 1) include a description of consumers’ rights to opt-out of the sale of their personal information; 2) use plain, straightforward language and avoid technical or legal jargon; 3) provide instructions on any other method by which consumers may submit their requests to opt-out; and 4) be reasonably accessible to consumers with disabilities. The modified CCPA regulations have removed the requirements that opt-out forms include proof when consumers are using authorized agents to exercise their rights to opt-out and that opt-out forms provide links to the URLs of businesses’ privacy policies.

The most recent proposed CCPA regulation revisions have eliminated the requirement that businesses operating exclusively online that have a direct relationship with their consumers provide a web-based CCPA form to submit right to know requests. These businesses are now only required to provide an email address. All other businesses must provide two (2) methods for submitting requests to know including, but not limited to, a toll-free telephone number and, a designated email address or a form that can be submitted by U.S. Mail. When supplying consumers with the ability to delete their personal information, businesses must provide two (2) or more methods for submitting these requests. Methods include, but are not limited to, a toll-free number, a link or form available online through a business’s website, or a designated email address. If businesses create CCPA forms to satisfy right to know and deletion election requirements, they too should use plain, straight forward language, which must be reasonably accessible to consumers with disabilities. Please note that the modified CCPA regulations no longer require a two-step process to effectuate online requests to delete.

Processing CCPA Forms

Businesses must comply with requests to opt-out no later than fifteen (15) business days from the date the requests are received. If a business sells a consumer’s personal information after the request to opt-out has been received, but before that business has complied with the request, it must notify third parties that have received consumer personal information from the company in this interim period that the consumer has elected to opt-out and that these third parties may no longer sell that consumer’s personal information. Businesses must confirm receipt of right to know and deletion requests within ten (10) business days of receiving such requests and respond to these requests within forty-five (45) calendar days from the date that the subject requests were received. If necessary, businesses that are unable to respond to requests within the forty-five (45) calendar day period may take an additional forty-five (45) calendar days to respond, provided that they provide consumers with notice and explanation that an extension is required.

CCPA forms are just one regulatory implementation measure that should be taken on the path to CCPA compliance. If you are interested in learning more about this topic or require assistance with consumer data privacy compliance for your business, please email us at info@kleinmoynihan.com, or call us at (646) 713-1684.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.

Attorney Advertising

Related Blog Posts

CCPA Law: The Private Right of Action

CCPA Service Provider Requirements Clarified by California AG

CCPA Amended to Require California Data Broker Registration

CA Attorney General Releases New CCPA Law Modifications

February 12, 2020 by David Klein

Recently, the California Consumer Privacy Act (“CCPA”) regulations were modified by the California Attorney General. The latest CCPA law modifications were released on February 7, 2020, in an attempt to address issues that were raised during the public hearing and comment period that followed the release of the proposed regulations on October 11, 2019.

The California Attorney General has announced a deadline of February 24, 2020, at 5:00 p.m. (PST) to submit written comments, in yet another attempt to clarify CCPA law.

How have the proposed regulations changed?

[Read More]

California Data Broker Registration Requirements

January 16, 2020 by David Klein

January 16th, 2020

In September 2019, the California State Legislature passed Assembly Bill No. 1202 (“A.B. 1202”), amending the California Consumer Privacy Act (“CCPA”). The amendment requires qualified businesses to register as data brokers with the California Attorney General on or before January 31, 2020. A.B. 1202 defines “Data Broker” as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” (emphasis supplied). A.B. 1202 carves out exemptions from the data broker registration requirement for most entities subject to regulation under the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Insurance Information and Privacy Protection Act, respectively.

Who is a Data Broker and what are the data broker registration requirements?

[Read More]