By Procopio Senior Counsel Elaine F. Harwell, CIPP/US, CIPM

They say life is fast and can change in an instant. The same thing can be said about privacy law, especially in California. The past few years have seen a number of significant privacy law developments globally and unlike many other things in the world right now, the COVID-19 pandemic has not significantly slowed this trend. Indeed, in the last couple of months, California has seen Attorney General (AG) Xavier Becerra begin enforcement of the California Consumer Privacy Act (CCPA); the final CCPA regulations submitted, approved, and made law; the qualification of a new more stringent privacy bill for the November 3 ballot (see our article offering more detailed review of the proposed California Privacy Rights Act, or CPRA); and, most recently, the AG unexpectedly submit a third set of proposed changes to the CCPA regulations. What are some of the more significant changes and why do they matter to companies doing business in California?

CCPA’s Regulations Are Now Law and Enforceable

The CCPA came into effect on January 1, 2020 and enforcement on the four corners of the law began on July 1. The CCPA’s second set of regulations became enforceable and final on August 14, when the version of the regulations was approved by the Office of Administrative Law (OAL). The “final” regulations were substantially similar to the second set of modified regulations published on March 11, 2020, as any changes would have required another public comment period under California law.

The regulations adopt a series of significant new obligations that were not part of the original text of the law. The scope of the AG’s rulemaking authority in this area is likely to be tested in courts at some point. Until then, companies should assess their own privacy practices to ensure compliance with the CCPA and its final regulations.

Some of the regulation’s more notable obligations on businesses include:

• Acknowledgment of consumer deletion and right to know requests within 10 days of receipt and disclosures of additional information about how the business will process the request;
• Ensuring online privacy notices and statements (like other parts of the businesses’ website) are accessible to consumers with disabilities; and
• Disclosure of both online and offline privacy practices in required notices.

Status of Enforcement of the CCPA

Since the passage of the CCPA, the AG made it pretty clear there would be no delay in enforcement, even during a global pandemic. The AG kept its word and on July 1—the first day under state law he was allowed to begin enforcement—the first wave of enforcement notices were sent out. California’s Supervising Deputy Attorney General Stacey Schesser, appearing in a webinar led by the International Association of Privacy Professionals (though not in an official capacity), confirmed several key details about the initial notices:

• Due to the fact the final regulations were still under review at the time enforcement began, the initial notices focused solely on the enforcement of the four corners of law.
• The initial deficiency letters focused on online businesses rather that retail or other “brick and mortar” establishments that collect data in-person.
• Particular scrutiny appears to have been paid to alleged violations of the CCPA’s “do not sell” provisions, including alleged failures to include “clear and conspicuous” links entitled “Do Not Sell My Information.”
• Businesses were targeted for investigation and notices based on consumer complaints. The source of consumer complaints, however, were not limited to traditional avenues. The AG is actively reviewing online forums, including Twitter, to identify consumer complaints.

The early take-aways from the AG’s current enforcement efforts of the CCPA:

• Under the CCPA, companies have a thirty-day period to “cure” violations and come into compliance. To the extent a deficiency letter is received from the attorney general, companies should focus on engaging with the attorney general to the extent it is helpful in order to avoid a full-blown investigation or filing of a complaint.
• Once the attorney general begins investigating, it is clear the investigation does not have to be limited to those items initially identified in any CCPA deficiency letter. The investigation may broaden depending upon initial findings and the company may find itself being scrutinized for compliance with other privacy laws.
• Review and listen to your business intelligence. If a consumer is complaining about your company’s data privacy practices, take immediate steps to resolve the issue.
• Now that the final regulations are effective, companies can expect any deficiency notices sent out at this point will include requirements made law under the regulations as well.

In a surprising twist, the AG recently announced a third set of proposed modifications to the CCPA regulations. The latest proposed changes provide several examples of how to comply with various provisions of the CCPA and include:

• The requirement that businesses that collect personal information offline must provide consumers offline notice of their right to opt-out of the sale of their personal information.
• The requirement that businesses provide a simple method for consumers to opt-out of the sale of their personal information, including limiting the number of steps required to exercise the right to opt-out, not requiring consumers to provide more personal information than is necessary to fulfill the request, and not requiring a consumer to scroll through a privacy policy to initiate a request.
• Clarification that a business may require a consumer’s authorized agent to provide proof that the consumer has permitted the agent to submit a request on their behalf.
• Clarification that if a business has actual knowledge that they sell the personal information of consumers under 16 years of age, the business must ensure their privacy policy includes the requirements listed in sections 999.330 and/or 999.331.

The AG solicited public comments for the third set of proposed modifications and we will be monitoring any further proposed changes or actions by the AG.

CPRA Ballot Initiative

Despite all the activity the CCPA has generated in the last year, the California Privacy Rights Act (CPRA) has qualified for the November 2020 ballot. The CPRA, appearing as Proposition 24 on the ballot, is another comprehensive data privacy law that, if passed, would modify the CCPA and go into effect in 2023 (with a look back to January 2022). The CPRA would provide additional consumer rights, including enabling new data correction rights, and create significant new obligations for businesses processing “sensitive data.” Under the CPRA, “sensitive data” would be broadly defined to include, among other things, social security numbers and other government-issued identifiers, financial account information, genetic data, precise geolocation, racial or ethnic origin, religious beliefs, and the contents of mail, email, and text messages. Notably, the CPRA would allow consumers the right to limit the sale, sharing, and use of sensitive personal information.

The CPRA would also provide clarifications on the consumer right to opt out of all sale or sharing of data for purposes of online behavioral advertising. This new clarification, however, may present a challenge for marketers, especially those that have generally taken the position that the CCPA’s restrictions on selling data once a consumer opted out did not apply to their practices of sharing data with third parties for cross-context behavioral advertising. The CPRA clarifies how the law applies to this practice by explicitly allowing consumers to opt out of these sharing activities. (Please read our detailed review of provisions of the CPRA.)

The new ballot initiative is being led by Californians for Consumer Privacy, the same advocacy group behind the initial push that eventually led to the passage of the CCPA. The group has been optimistic about the prospects for the initiative, which they claim is intended to deliver privacy protections to Californians that are more in line with the European Union’s General Data Protection Regulation (GDPR).

The CPRA would also establish a new governmental entity, the California Privacy Protection Agency (CPPA). This new agency, dedicated solely to privacy and the enforcement of the privacy rights of Californians, would be the first of its kind in the United States. The agency would assume the role and responsibility currently held by the AG’s office and have the ability to levy administrative fines of up to $2,500 per violation or up to $7,500 per intentional violation or violation involving minors. To the extent there is a new California regulator on the block with more funding available, business can likely expect to see more guidance for compliance and more enforcement than under the current set up.

Since the initial passage of the CCPA, businesses have dedicated significant resources into addressing the new legal requirements. If the CPRA were to pass, there will be a heightened need for companies to get a good grip on their data collection and sharing practices. Businesses will again need to review their policies and ensure their practices are compliant with the new changes. Even if the ballot measure does not pass, companies will still be busy with privacy compliance as the CCPA will continue to be the law of the land.

If you have questions about your whether your data privacy practices are compliant with current law or how the passage of the CPRA may affect your business moving forward, reach out to a member of Procopio’s Privacy and Cybersecurity Practice Group.