The regulations, providing businesses compliance guidance under the California Consumer Privacy Act, are now in effect.
Final regulations under the California Consumer Privacy Act (CCPA) have been approved by the state’s Office of Administrative Law (OAL) and are now in effect, according to a news release from California Attorney General Xavier Becerra.
“With these rules finalized, California breaks ground and leads the nation to protect and advance data privacy,” Becerra said in the news release. “These rules guide consumers and businesses alike on how to implement the California Consumer Privacy Act. As we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security.”
The OAL made additional revisions to the proposed regulations during its review process that provide clarity and consistency in the final language.
According to a blog post from Nick Whisler, partner with ACA International member company Mac Murray & Shuster LLP, the final regulations also include several substantive changes:
- Removed all references to the “Do Not Sell My Info” link. This means businesses must revert to the “Do Not Sell My Personal Information” link contemplated by the statute.
- Deleted the provision requiring businesses to obtain consumers’ explicit consent before using their personal information for purposes that are materially different than those disclosed when the business collected the information. Although this may provide additional flexibility, businesses must be mindful of other CCPA provisions and general consumer protection laws, which broadly prohibit deceptive acts and practices.
- Deleted the provision requiring businesses to provide offline Do Not Sell notices in certain situations. Businesses must still provide point of collection notices; however, the regulations allow businesses to direct consumers to their online privacy policies to receive the disclosures.
- Deleted the requirement for the Do Not Sell request mechanism to be “easy for consumers to execute and…require minimal steps.”
- Deleted the provision allowing businesses to deny requests from authorized agents that do not submit proof that they have been authorized by the consumers to act on their behalf. This would be problematic if not for other CCPA provisions that limit authorized agent requests, including the ability to verify with the consumer that the agent has permission to act on his or her behalf.
The CCPA was signed into law on June 28, 2018, and was further amended through several bills on Sept. 23, 2018, and on Oct. 11, 2019. The law went into effect on Jan. 1, 2020.
As a refresher, key requirements of the CCPA include:
- Businesses must disclose data collection and sharing practices to consumers;
- Consumers have a right to request that their data be deleted, although there are exceptions that should apply to the collections industry;
- Consumers have a right to request what information is collected; and
- Businesses are required to provide a privacy notice prior to collecting information from a consumer.
The regulations establish procedures for compliance and exercise of rights, as well as clarify important transparency and accountability mechanisms for businesses subject to the law, according to the attorney general’s news release.
Text of the CCPA and changes from the prior version of the proposed regulations can be viewed on the California attorney general’s website for the CCPA.
ACA is reviewing the final regulations and will provide any additional updates in ACA Daily.
Related Content from ACA International
If you are interested in sharing articles and analysis on legal cases, industry laws and regulations or other relevant topics for possible publication with ACA International, email our Communications Department at [email protected].