Two developments in the past week will likely have a significant impact on businesses subject to the California Consumer Privacy Act (“CCPA”): the long-awaited CCPA regulations have been finalized and put into immediate effect with modifications, while at the same time it seems increasingly likely that the exemptions for employees’ and business-to-business contacts’ data will be extended beyond January 2021.

CCPA Regulations Approved With Modifications, Effective Immediately

On Friday, the California Office of Administrative Law formally approved the California Attorney General’s (“AG”) CCPA regulations.  The regulations go into effect immediately and appear largely similar to the version submitted by the AG in June after an extensive rulemaking process.  However, in addition to a number of minor grammatical and stylistic edits, there are a few noteworthy changes in the final regulations:

  • Deleted sections: Five provisions were deleted from the final text, although the AG has the ability to revise and resubmit these for approval in the future:
    • Section 999.305(a)(5) would have required businesses to obtain express consent from consumers before using previously collected information for a materially different purpose. Although that provision has been removed from the final regulations, Federal Trade Commission guidance still recommends that businesses obtain consent for material retroactive changes.
    • Section 999.306(b)(2) would have required businesses substantially interacting with consumers offline to provide notice of the right to opt-out via an offline method.
    • Section 999.315(c) stated that businesses needed methods for submitting opt-out requests that were “easy for consumers to execute and . . . require minimal steps to allow the consumer to opt-out”; it also prohibited businesses from utilizing any “method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.”
    • Section 999.326(c) would have permitted businesses to deny a request from an authorized agent if that agent did not “submit proof that they have been authorized by the consumer.” Although that provision has been struck, § 999.315(f) still states that: “A business may deny a request from an authorized agent if the agent cannot provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf.”  Emphasis added.
    • The entire final article on “Severability” was removed from the regulations. The addendum to the Final Statement of Reasons (“FSOR”) explains that the section was unnecessary.
  • Financial incentives: The rules relating to financial incentives have been a source of confusion and debate throughout the rulemaking process. There are two noteworthy changes in the final regulations:
    • In the definition of “financial incentive” in § 999.301(j), the word “retention” was changed back to “deletion,” which the addendum to the FSOR states is to “align with the express words of the statute.” This particular edit was contested during the rulemaking process:  the original draft regulations used the word “deletion,” which the AG replaced with “retention” in subsequent drafts, before now reverting back to deletion.
    • In the section describing notice of financial incentives, § 999.307(a)(1), the phrase “related to the collection, retention, or sale of personal information,” which previously modified “financial incentive or price or service difference” was deleted from the last sentence. It now reads: “A business that does not offer a financial incentive or price or service difference is not required to provide a notice of financial incentive.”
  • “Do Not Sell My Personal Information”: The regulations no longer permit businesses to comply with the opt-out requirement by including a link that states more informally: “Do Not Sell My Info.”

Status of Employee and Business-to-Business Exemptions

As the AG’s regulations go into effect, it appears increasingly likely that the existing time-limited exemptions in the CCPA may be further extended.  The statutory exemptions for employees and certain data collected in the context of business-to-business transactions and communications are currently set to expire on January 1, 2021.  However, the California Privacy Rights Act (“CPRA”)—which will appear on the California ballot in November and would significantly reshape the CCPA’s requirements—automatically extends those exemptions until January 1, 2023.  The purpose of the extension is to provide businesses and lawmakers with much-needed additional time to consider whether a separate law is required to address these types of personal information.  But while the ballot initiative’s fate remains undecided, the California legislature is moving an additional contingency plan along: AB 1281, which would extend the employee and business-to-business exemptions until January 1, 2022, in the event that the ballot initiative fails.  (If the ballot initiative passes, the CPRA’s longer extension until 2023 would supersede AB 1281.)

On Thursday, the Senate Judiciary Committee considered and approved AB 1281.  The bill is expected to be referred to appropriations for a final fiscal committee vote before going to the Senate floor.  Because the committee report identifies a long list of supporters for the bill and no opposition, it seems likely to pass before the legislative session ends on August 31.  Its passage would provide additional comfort for businesses while they await the outcome of the ballot initiative.

Tags: California, California Consumer Privacy Act (CCPA), Data Privacy, State Legislatures
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Read more about Lindsey TonsagerEmail
Show more Show less
Photo of Yaron Dori Yaron Dori

Yaron Dori has over 25 years of experience advising technology, telecommunications, media, life sciences, and other types of companies on their most pressing business challenges. He is a former chair of the firm’s technology, communications and media practices and currently serves on the…

Yaron Dori has over 25 years of experience advising technology, telecommunications, media, life sciences, and other types of companies on their most pressing business challenges. He is a former chair of the firm’s technology, communications and media practices and currently serves on the firm’s eight-person Management Committee.

Yaron’s practice advises clients on strategic planning, policy development, transactions, investigations and enforcement, and regulatory compliance.

Early in his career, Yaron advised telecommunications companies and investors on regulatory policy and frameworks that led to the development of broadband networks. When those networks became bidirectional and enabled companies to collect consumer data, he advised those companies on their data privacy and consumer protection obligations. Today, as new technologies such as Artificial Intelligence (AI) are being used to enhance the applications and services offered by such companies, he advises them on associated legal and regulatory obligations and risks. It is this varied background – which tracks the evolution of the technology industry – that enables Yaron to provide clients with a holistic, 360-degree view of technology policy, regulation, compliance, and enforcement.

Yaron represents clients before federal regulatory agencies—including the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), and the Department of Commerce (DOC)—and the U.S. Congress in connection with a range of issues under the Communications Act, the Federal Trade Commission Act, and similar statutes. He also represents clients on state regulatory and enforcement matters, including those that pertain to telecommunications, data privacy, and consumer protection regulation. His deep experience in each of these areas enables him to advise clients on a wide range of technology regulations and key business issues in which these areas intersect.

With respect to technology and telecommunications matters, Yaron advises clients on a broad range of business, policy and consumer-facing issues, including:

  • Artificial Intelligence and the Internet of Things;
  • Broadband deployment and regulation;
  • IP-enabled applications, services and content;
  • Section 230 and digital safety considerations;
  • Equipment and device authorization procedures;
  • The Communications Assistance for Law Enforcement Act (CALEA);
  • Customer Proprietary Network Information (CPNI) requirements;
  • The Cable Privacy Act
  • Net Neutrality; and
  • Local competition, universal service, and intercarrier compensation.

Yaron also has extensive experience in structuring transactions and securing regulatory approvals at both the federal and state levels for mergers, asset acquisitions and similar transactions involving large and small FCC and state communication licensees.

With respect to privacy and consumer protection matters, Yaron advises clients on a range of business, strategic, policy and compliance issues, including those that pertain to:

  • The FTC Act and related agency guidance and regulations;
  • State privacy laws, such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, and the Utah Consumer Privacy Act;
  • The Electronic Communications Privacy Act (ECPA);
  • Location-based services that use WiFi, beacons or similar technologies;
  • Digital advertising practices, including native advertising and endorsements and testimonials; and
  • The application of federal and state telemarketing, commercial fax, and other consumer protection laws, such as the Telephone Consumer Protection Act (TCPA), to voice, text, and video transmissions.

Yaron also has experience advising companies on congressional, FCC, FTC and state attorney general investigations into various consumer protection and communications matters, including those pertaining to social media influencers, digital disclosures, product discontinuance, and advertising claims.

Read more about Yaron DoriEmail
Show more Show less
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Read more about Libbie CanterEmail
Show more Show less
Photo of Alexandra Scott Alexandra Scott
Read more about Alexandra ScottEmail