On June 1, 2020, the California Attorney General submitted the final proposed regulations under the California Consumer Privacy Act of 2018 (CCPA). The California Office of Administrative Law (OAL) now has 30 days to review and approve the final proposed regulations, but, as with many other state procedural matters, the COVID-19 pandemic may affect this timeline. Under Governor Newsom’s Executive Order N-40-20, this review window could be extended. However, in order to have the statutorily required regulations approved prior to the July 1, 2020 enforcement date (set forth in the CCPA), the California Attorney General has asked the OAL to complete its review within the 30-day period. The California Attorney General has previously indicated that the enforcement date will not be delayed.
The final proposed regulations make no substantive changes compared with the second set of modifications. Many privacy professionals closely following the development of the CCPA regulations believe that the final proposed set falls short of addressing the practical questions that businesses faced with complying with the CCPA are still asking.
Businesses implementing a CCPA compliance program should keep in mind that two key exceptions under the CCPA expire on January 1, 2021, and no bill has been proposed to extend these dates. The first exception under the CCPA covers California employee personal information, including information collected from job applicants and employees of, owners of, directors of, officers of, and contractors of the business, so long as the information is used in connection with the person’s current or former role (or potential role) with the business. Today, businesses need only provide a shortened notice upon collection of personal information and are not required to provide most of the other rights under the CCPA to these individuals (although the exception does preserve the private right of action). Following January 1, 2021, without further extension of this exception, businesses must provide a complete CCPA-compliant notice and extend all rights under the CCPA to these California resident individuals.
The second exception under the CCPA applies to personal information collected through a business-to-business relationship. This exception applies when a California resident is an employee, owner, director, officer or contractor of the business partner (including a company, partnership, sole proprietorship, non-profit or government agency) and the disclosure of personal information by such California resident occurs in the context of the business conducting due diligence in connection with the receipt or provision of a product or service from the business partner. Today, under this exception, a business isn’t required to provide notice to any such individual, but only to provide the right to opt out of the sale of personal information. As of January 1, 2021, without further legislation, a business attempting to comply with the CCPA will be required to provide these California resident individuals with a complete CCPA-compliant notice and to extend all rights under the CCPA to such individuals. This could have a significant impact on a business’s vendor management process and CRM database.
Businesses that have implemented or are in the process of implementing a CCPA compliance program should also be aware of the proposed California Privacy Rights Act (CPRA). While this ballot initiative has not yet been certified by the California Secretary of State, if it passes, it will alter businesses’ privacy obligations to California consumers. The CPRA would extend the above-referenced employee and business-to-business exceptions under the CCPA; however, it would also create new consumer rights (including the right to make corrections and enhanced privacy rights for children), increase liability for data breaches, create new disclosure obligations for automated decision making, and create a new category of “sensitive personal information” that would have its own subset of additional rights for consumers and obligations for businesses.
For efficiency, it is recommended that businesses wait to develop and implement policies and procedures to address the collection of employee and business-to-business personal information to avoid wasting resources in the event the CPRA passes in November. However, in the event that the CPRA should fail in November, businesses must be able to nimbly develop and implement such policies and procedures.
Have questions or comments about implementing a CCPA compliance plan? Please contact a member of McGrath North’s Privacy and Cybersecurity team.