State Attorney General Proposes Final Regulations In Connection With California Consumer Protection Act

Published date: 08 July 2020
Subject Matter: Consumer Protection, Privacy, Technology, Privacy Protection, Dodd-Frank, Consumer Protection Act, Security
Law Firm: Dechert
Author: Mr Kevin Cahill, Logan Dalton, Kristen Thompson, Hilary Bonaccorsi and Jesse Lambert

The California Attorney General's Office (California AG) submitted final proposed regulations (Regulations) under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (CA OAL) on June 1, 2020. The submission marks the culmination of a lengthy process that began in October 2019, during which the California AG issued multiple draft versions of proposed regulations for public notice and comment. The package submitted to the CA OAL also contained a Final Statement of Reasons that explains changes from the prior drafts of the regulations (Submission Package). The CA OAL typically has 30 working days during which to review a Submission Package for consistency with the California Administrative Procedure Act; however, due to an Executive Order issued by California Governor Gavin Newsom on March 30, 2020 related to the COVID-19 pandemic, the CA OAL will have an additional 60 calendar days, beyond the initial 30 working-day period, to review the Submission Package. The California AG nonetheless has requested that the CA OAL engage in an expedited review of the Regulations during the traditional 30 working-day period. Once approved by the CA OAL, the Regulations will be filed with the California Secretary of State and become enforceable by law. It is unclear whether the Regulations will be approved before the July 1, 2020 CCPA enforcement date.

This Dechert OnPoint summarizes the key aspects of the Regulations and provides a list of next steps that firms should consider in light of the Regulations.

Notices to Consumers

Overview of Required Notices

The Regulations make clear that, depending on a business's specific circumstances, there are four notices that a business may be required to deliver to consumers. All businesses subject to the CCPA must provide a privacy policy (Privacy Policy). Businesses that collect personal information from a consumer must provide a notice at the time of collection (Notice at Collection). Businesses that sell a consumer's personal information must provide a notice of the right to opt-out (Notice of the Right to Opt-Out), and businesses that offer financial incentives or price or service differences based on their collection of personal information must provide consumers with a notice of financial incentive.

In general, all notices are required to:

  • "Use plain, straightforward language and avoid technical or legal jargon;"
  • "Use a format that draws the consumer's attention to the notice and makes it 'readable,' including on smaller screens;"
  • Be available in the languages that the business ordinarily uses to provide information to California consumers; and
  • Be "reasonably accessible to consumers with disabilities" which, for notices provided online, involves the use of "generally recognized industry standards, such as the Web Content Accessibility Guidelines."

The following are the three types of notices that are most relevant to firms: Notice at Collection; Privacy Policy; and Notice of the Right to Opt Out.

Notice at Collection

The Notice at Collection is meant to "provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which [it] will be used."

The Notice at Collection must be "readily available at or before the point of collection" of personal information. For example, for personal information collected online, a business could make the notice accessible via a "conspicuous link" at the bottom of the "introductory page of its website" and on the other pages where the business collects a consumer's personal information. In such cases, the Notice at Collection could also be provided via "a link to the section of the business's privacy policy" that discloses the information required by the Notice at Collection. Firms may find that it's easiest to address the Notice at Collection in the body of their California Privacy Policy and by adding a single link to the bottom of their website homepage entitled "CA Notice at Collection and Privacy Policy" to meet the naming and posting requirements set forth in the Regulations.

The Regulations make clear that the Notice at Collection must include the following information:

  • A list of the categories of personal information a business collects and the purposes for which it is used;
  • A link to the business's privacy policy; and
  • The business's "Do Not Sell My Personal Information" link, if it sells personal information.

The Regulations state that businesses are not permitted to use personal information in ways that are materially different from those disclosed in the Notice at Collection, without first notifying the consumer and obtaining his or her "explicit consent" to that new use. Similarly, if a business wants to collect new categories of personal information other than those already disclosed in the Notice at Collection, the business must deliver an updated Notice at Collection. Businesses that do not deliver a Notice at Collection to consumers generally are not permitted to collect personal information from those consumers, although businesses that do not collect personal information directly from consumers are not required to deliver a Notice at Collection.

Further, when businesses deliver a Notice at Collection that governs "employment-related information," the notice does not need to contain a Do Not Sell link or link to the business's privacy policy. This exception sunsets on January 1, 2021.

Privacy Policy

The Regulations build off of the statutory CCPA requirements and set forth the disclosures that a business must provide to California consumers in its Privacy Policy.

Disclosure of Prior Collection, Use and Sharing

Pursuant to the Regulations, businesses are required to use the Privacy Policy to provide consumers with the following information about the businesses' practices over the last 12 months:

  • The "categories of personal information the business has collected about consumers";
  • The "categories of sources from which the personal information is collected";
  • The "business or commercial purpose" for collecting or selling personal information;
  • The "categories of personal information" that the business has disclosed or sold to third parties, if any, and for each category of personal information, the "categories of third parties" to whom it was sold or disclosed; and
  • Whether the business sells personal information and whether it "has actual knowledge that it sells the personal information of minors under 16 years of age."

If a business sells personal information, the Privacy Policy must include the contents of the Notice of the Right to Opt-Out, as described below, or provide a link to such notice. Generally, it is most transparent for firms to provide a link to the Notice of Right to Opt-Out, which should be included on the landing page to which the "Do Not Sell My Info" link directs.

Disclosure of CCPA Privacy Rights and How to Submit Requests

A business's Privacy Policy also must disclose the rights that are available to consumers under the CCPA, which are the consumer's right:

  • "to request that the business disclose what personal information it collects, uses, discloses and sells" (Request to Know);
  • "to request the deletion of their personal information collected by the business" (Request to Delete);
  • "to opt-out of the sale of their personal information by a business" (Request to Opt-Out); and
  • "not to receive discriminatory treatment by...
