Two developments in the past week will likely have a significant impact on businesses subject to the California Consumer Privacy Act (“CCPA”): the long-awaited CCPA regulations have been finalized and put into immediate effect with modifications, while at the same time it seems increasingly likely that the exemptions for employees’ and business-to-business contacts’ data will be extended beyond January 2021.
CCPA Regulations Approved With Modifications, Effective Immediately
On Friday, the California Office of Administrative Law formally approved the California Attorney General’s (“AG”) CCPA regulations. The regulations go into effect immediately and appear largely similar to the version submitted by the AG in June after an extensive rulemaking process. However, in addition to a number of minor grammatical and stylistic edits, there are a few noteworthy changes in the final regulations:
- Deleted sections: Five provisions were deleted from the final text, although the AG has the ability to revise and resubmit these for approval in the future:
  - Section 999.305(a)(5) would have required businesses to obtain express consent from consumers before using previously collected information for a materially different purpose. Although that provision has been removed from the final regulations, Federal Trade Commission guidance still recommends that businesses obtain consent for material retroactive changes.
  - Section 999.306(b)(2) would have required businesses substantially interacting with consumers offline to provide notice of the right to opt-out via an offline method.
  - Section 999.315(c) stated that businesses needed methods for submitting opt-out requests that were “easy for consumers to execute and . . . require minimal steps to allow the consumer to opt-out”; it also prohibited businesses from utilizing any “method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.”
  - Section 999.326(c) would have permitted businesses to deny a request from an authorized agent if that agent did not “submit proof that they have been authorized by the consumer.” Although that provision has been struck, § 999.315(f) still states that: “A business may deny a request from an authorized agent if the agent cannot provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf.” Emphasis added.
  - The entire final article on “Severability” was removed from the regulations. The addendum to the Final Statement of Reasons (“FSOR”) explains that the section was unnecessary.
- Financial incentives: The rules relating to financial incentives have been a source of confusion and debate throughout the rulemaking process. There are two noteworthy changes in the final regulations:
  - In the definition of “financial incentive” in § 999.301(j), the word “retention” was changed back to “deletion,” which the addendum to the FSOR states is to “align with the express words of the statute.” This particular edit was contested during the rulemaking process: the original draft regulations used the word “deletion,” which the AG replaced with “retention” in subsequent drafts, before now reverting to “deletion.”
  - In the section describing notice of financial incentives, § 999.307(a)(1), the phrase “related to the collection, retention, or sale of personal information,” which previously modified “financial incentive or price or service difference,” was deleted from the last sentence. It now reads: “A business that does not offer a financial incentive or price or service difference is not required to provide a notice of financial incentive.”
- “Do Not Sell My Personal Information”: The regulations no longer permit businesses to comply with the opt-out requirement by including a link that states more informally: “Do Not Sell My Info.”
Status of Employee and Business-to-Business Exemptions
As the AG’s regulations go into effect, it appears increasingly likely that the existing time-limited exemptions in the CCPA may be further extended. The statutory exemptions for employees and certain data collected in the context of business-to-business transactions and communications are currently set to expire on January 1, 2021. However, the California Privacy Rights Act (“CPRA”)—which will appear on the California ballot in November and would significantly reshape the CCPA’s requirements—automatically extends those exemptions until January 1, 2023. The purpose of the extension is to provide businesses and lawmakers with much-needed additional time to consider whether a separate law is required to address these types of personal information. But while the ballot initiative’s fate remains undecided, the California legislature is moving an additional contingency plan along: AB 1281, which would extend the employee and business-to-business exemptions until January 1, 2022, in the event that the ballot initiative fails. (If the ballot initiative passes, the CPRA’s longer extension until 2023 would supersede AB 1281.)
On Thursday, the Senate Judiciary Committee considered and approved AB 1281. The bill is expected to be referred to appropriations for a final fiscal committee vote before going to the Senate floor. Because the committee report identifies a long list of supporters for the bill and no opposition, it seems likely to pass before the legislative session ends on August 31. Its passage would provide additional comfort for businesses while they await the outcome of the ballot initiative.